dupscts_bof: Add additional targets and auto targeting #14813
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smcintyre-r7
added
the
rn-modules
|
This worked great, thanks for all of the additions! I tested all of the available targets only on WIndows 7 x86 SP1: v8.3.16v8.4.16v9.0.28v9.1.14v9.9.14v10.0.18Code LGTM |
Release NotesUpdated the |
pbarry-r7
added
rn-enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
AutoCheckNotesReferencesTargets
This module originally targeted version 9.5.14. The bug exists in many prior versions (all?) and up until version 10.0.18. This PR adds six new targets for these versions, from 8.3.16 to 10.0.18.
Unfortunately it seems that the 9.5.14 installer no longer exists (#8303 (comment)) so I wasn't able to test on this version.
The original module uses an egg hunter.
I'm not sure why as there is ample space (500+ bytes).(ample space for a reverse shell payload, but not for meterpreter). Unfortunately, as the egg hunter is x86 only, this means that this module can only target x86 versions of the software on x86 operating systems. The bug is certainly exploitable on x86 versions of the software on x64 operating systems.I could have removed the egg hunter, but that would effectively be a rewrite of this module, and I wouldn't be able to verify (with certainty) that the changes had not broken the existing 9.5.14 target. I figured the best solution was to leave it as is.
References
It appears that the vendor was initially unresponsive to the vulnerability (hence still being exploitable long after version 9.5.14). There have been many bugs in this software and every man and his dog has dropped an exploit for it. Most are fairly similar and I've added a few to as references, even though this module pre-dates them.
At least one exploit on exploitdb claims to exploit a different parameter in a HTTP GET URL, but adjusting the offset for the URL path and parameter reveals it is exploitable in an identical manner to the overflow triggered simply by an overly long path, suggesting that the parameter is irrelevant (I haven't verified).
This module was originally written by Daniel Teixeira and vportal is credited with discovery and PoC. These attributions have not changed in this PR.
Edit: As best I can tell, vportal (Victor Portal) is an incorrect attribution. It probably comes from here which is a different bug.
Reverse engineering attribution is a tedious process in which I have no further interest. If you feel you should be attributed you're welcome to argue in the comments.
Note that this module is different from the overflow triggered by an overly long username (or password) in a login POST request, which also has a messy history and several exploits.