Achat 0.150 UDP buffer overflow exploit (CVE-2015-1578) with automated msfvenom payload #20333
Conversation
I see we already have an exploit for this in exploits/windows/misc/achat_bof.rb. What is this adding that's not already present in that exploit? If there's a new target, can we just update the existing module?
Nevermind, I should have read the PR description.
The existing module at exploit/windows/misc/achat_bof suffers from payload encoding issues that cause unreliable exploitation. This new module addresses that problem by integrating an automatic msfvenom shellcode generation step, producing a properly encoded, Unicode-compatible payload externally.
This needs to be fixed in the existing module without running msfvenom. The Targets hash is probably not setting all of the bad characters, which is causing the encoded payload to be incompatible. If that's the case, it should be a ~1 line fix to the original. Alternatively, you can force an encoder using the EncoderType option, which I see the existing module is already doing.
# | ||
# Note: Requires msfvenom to be in PATH. If missing or fails, the module will print an error. | ||
## | ||
def generate_payload_raw |
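Review bot: the header comment above generate_payload_raw documents a dependency on an msfvenom binary found on PATH, which means the module shells out to an external process to build its payload; the framework already produces an encoded payload through payload.encoded when the target's Space and BadChars are correct, and spawning msfvenom adds a hard failure when the binary is missing, is slower than the framework already loaded in the process, and exposes an OS command injection surface through whatever option values end up in that command line. Suggest dropping generate_payload_raw entirely and correcting the Targets entry of the existing module instead.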
This should all be handled for you by simply using payload.encoded if the Target information is correct. We don't need to be executing msfvenom, it's slower than using the already loaded version of framework and introduces opportunities for OS command injection.
I suggest you look through other exploit modules and see how they're defining their Targets key in their module data to achieve this.
Once you've stopped running msfvenom, this file name won't make much sense.
Instead of rewriting the entire exploit, take the original
I'd bump it up to say 1,500 from 730. I can see from my limited testing, that'll at least allow the exploit to run. If the exploit fails against a vulnerable target, I'd decrease the size by 100 until it either works or you're back to 730, or it's saying that it can't encode the payload again. Given the buffer layout in the exploit, it seems reasonable that you could just increase the size of the available space (metasploit-framework/modules/exploits/windows/misc/achat_bof.rb, lines 112 to 116 in 04a6185).
I'm basing that on the observation that
I had a minute so I went and looked into this. My suspicion was correct, if you increase the space available, the framework will know that the payload will fit and the exploit will resume functioning. I tested a bump from 730 up to 1200. That's most likely large enough for all of the current stagers, so I didn't test increasing it any further. If you want to fix this issue, can you please revert the commit adding the new module and change this line from 730 to 1200.
Tested achat 0.150 on Windows 7 SP1.
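The reviewers' point in the comments above is that the Targets hash (its Space limit and its BadChars list) is what decides whether the framework can hand the module a usable payload.encoded, and that raising Space from 730 to 1200 is the fix rather than shelling out to msfvenom. An encoder that must emit Unicode-safe output produces far more bytes than the raw payload, so Space is usually the constraint that trips. The Ruby below is an added example, not code from the module or from Metasploit itself: it models the two checks the framework applies against a constructed target hash, and the step-down search mirrors the "decrease by 100 until it works" procedure described above. The BadChars list and the payload byte strings are constructed for illustration and are not the module's real values.

```ruby
# Added illustration of the Space / BadChars checks a Metasploit exploit
# module delegates to the framework. Not the achat_bof module's own code.

# Constructed target hash: Space is the value the thread says the existing
# module used; the BadChars list is an assumption, not the module's real one.
SAMPLE_TARGET = {
  'Space'    => 730,
  'BadChars' => "\x00\x20".b
}.freeze

# Check an already-encoded payload against a target's constraints.
# Returns a hash: :size, :space, :too_big, :bad_found (array of
# [offset, byte]) and :fits (true only when both checks pass).
def check_payload(encoded, target)
  bad = target['BadChars'].bytes
  found = []
  encoded.each_byte.with_index do |byte, offset|
    found << [offset, byte] if bad.include?(byte)
  end
  size = encoded.bytesize
  {
    size: size,
    space: target['Space'],
    too_big: size > target['Space'],
    bad_found: found,
    fits: size <= target['Space'] && found.empty?
  }
end

# Reproduce the reviewer's procedure: start at an upper Space bound and
# step down by 100 until the payload no longer fits; return the smallest
# Space that still worked, or nil if even the upper bound is too small.
def smallest_working_space(encoded, upper: 1500, lower: 730, step: 100)
  last_ok = nil
  upper.step(lower, -step) do |space|
    break if encoded.bytesize > space
    last_ok = space
  end
  last_ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payloads: one that is too large for Space => 730 and one
  # that contains a listed bad character.
  oversized = ("\x41" * 1150).b
  tainted   = "\x41\x00\x41".b

  p check_payload(oversized, SAMPLE_TARGET)
  p check_payload(tainted, SAMPLE_TARGET)
  p smallest_working_space(oversized)
end
```

With a constructed 1150-byte encoded payload the step-down search settles on 1200, the same Space value the thread arrived at by testing; a payload that already fits never needs the bump, and a payload carrying a listed bad character is rejected regardless of size, which is the other failure the reviewers point to.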
CVE-2015-1578 Metasploit Module
Overview
This is a Metasploit module for CVE-2015-1578, a buffer overflow vulnerability in Achat 0.150 beta7 on Windows. Exploitation leads to remote code execution via a crafted UDP packet.
Purpose
The existing module at exploit/windows/misc/achat_bof suffers from payload encoding issues that cause unreliable exploitation. This new module addresses that problem by integrating an automatic msfvenom shellcode generation step, producing a properly encoded, Unicode-compatible payload externally. This approach circumvents the internal Metasploit encoder limitations and significantly improves exploit reliability. Additionally, this vulnerability (CVE-2015-1578) remains relevant today, as it is actively exploited in the Hack The Box machine Chatterbox, demonstrating the practical value of maintaining a functional and stable exploit module.
This module demonstrates:
msfvenom
Video Tutorial
Dependencies
msfvenom in your $PATH
Key Features
msfvenom to generate payload with x86/unicode_mixed encoding and custom bad characters
Options
RHOSTS – Target IP address (required)
LHOST – Local host IP for reverse shell (required)
LPORT – Local port for reverse shell (default: 4444)
RPORT – Remote UDP port on target (default: 9256)
Usage Example
This will:
LHOST:LPORT
Supplementary References