Update KarjaSoft Sami FTP Server v2.0.2 USER Overflow module #14783
Conversation
671c11d to 743248d
Alright, overall this module is working as expected. See output below for an example run. However, attempting to repeat the exploit after removing the
This is likely due to file permissions. Once the file is deleted, Sami FTP won't have permission to recreate the file unless you're running as an admin user. The easiest way to clean the environment is to empty the file rather than remove it. This issue exists with the existing implementation prior to this PR.
Ah okay, your documentation suggested that this was the way to resolve this issue when I read it, so it might be good to explain that this solution only works if the file can be recreated as an administrator user, and that otherwise clearing the contents of the file is advisable.
The documentation states to remove the payload from the log file, not to remove the log file.
Tried this several times; however, despite the payload being removed from
That seems unlikely, presuming you're using the correct path
Looks like you're correct. The application hangs upon opening on Windows 10 even if the
Ah, no, that's not what's happening. My guess is that it's not re-executing the payload; it's trying to bind to port 21 and freezing because it has insufficient privileges. Try running as administrator.
Whoops, yes, meant
On a potentially related note, when testing, sometimes the exploit won't actually work. This appears to be a timeout issue, as can be seen below:
The target stops responding but no shell is spawned. Rebooting the target after it has stopped working will start the exploit again. Testing against Windows 10 v2004 x64 with the target installed by an administrator but running as a normal user, in case it helps.
The documentation is accurate and infinitely better than the current documentation, which does not exist. The payload is not re-executing after you have cleared the log file. The application is freezing due to a permission issue caused by running as a low privileged user. You are experiencing an application freeze. You cannot get a connection back due to execution of the payload once the payload has been removed from the system.
If you remove the payload from the
If you exploit the application, then clear the log file as described, the system no longer contains the payload.
If you open a listener on the metasploit host on port
The application gives the appearance of re-executing the payload because it freezes when it is started. This is a permission issue. The freeze will go away if you run the application as an administrator.
The backdoor persists only until the log is cleared. This is documented in the module description and the module documentation. It is not uncommon for Metasploit modules to do this, and it is acceptable so long as the backdoor is documented. For example, this is particularly common for modules which write a payload to the Windows
The existing module also left a "backdoor". The existing module description states that the payload will remain on the system and will be re-executed:
The updated module description in this PR states similarly:
The module is extremely reliable. The module ranking is
Release Notes
Updated the KarjaSoft Sami FTP Server v2.0.2 USER Overflow module, including documentation, RuboCop updates, support for the AutoCheck mixin to automatically check if a target is vulnerable, an updated list of authors, as well as improvements to its exploit strategy that allow it to use only one offset within a DLL shipped with the target for exploitation (instead of relying on a Windows OS DLL whose offsets could change as the OS was updated).
Update KarjaSoft Sami FTP Server v2.0.2 USER Overflow module.
- AutoCheck
- authors for discovery and previous exploits
- notes
This is effectively a re-write largely based on n30m1nd's exploit which utilises SEH overwrite.
The payload space has been increased from 300 to 800. The previous size was insufficient to fit most payloads. Bind and reverse shell/meterpreter payloads now fit easily.
The targets have been replaced with a universal p/p/r in tmp01.dll. This is significantly more reliable than the previous approach which used different offsets for the ws2help.dll Windows DLL. This also allows the module to work on modern targets (including Windows 7 and Windows 10) instead of being restricted to Windows 2000/XP era systems (which is super important for a 15 year old vulnerability in software that no one uses).
Vulnerable Application
This module exploits an unauthenticated stack buffer overflow in
KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long
USER string during login.
The payload is triggered when the administrator opens the application
GUI. If the GUI window is open at the time of exploitation, the
payload will be executed immediately. Keep this in mind when selecting
payloads. The application will crash following execution of the
payload and will not restart automatically.
When the application is restarted, it will re-execute the payload
unless the payload has been manually removed from the SamiFTP.binlog
log file.
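As an added defender-side example, not part of this PR or of the Metasploit module itself: the documentation above and the earlier thread discussion both make the point that the payload persists in SamiFTP.binlog until it is removed, and that emptying the file is safer than deleting it (the service may lack permission to recreate it). The script below scans a log for abnormally long or non-printable USER entries, reports them, and clears the file in place. The line-oriented "USER <name>" layout, the 64-byte threshold and the sample bytes are all assumptions, since the page does not document the real file format.

```python
"""Defender-side triage for a persisted USER-overflow payload in SamiFTP.binlog.

Assumed (not from the page): the log keeps one "... USER <name>" entry per
line. Adjust the regex if the real file layout differs.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumed threshold: real FTP usernames are short, while the overflow
# described in the module docs needs a USER string of several hundred bytes.
MAX_USER_LEN = 64

# Constructed sample, NOT a real SamiFTP.binlog: two benign logins followed
# by an oversized USER value carrying a few non-printable bytes.
SAMPLE_LOG = (
    b"2021-02-20 10:01:02 USER anonymous\r\n"
    b"2021-02-20 10:01:09 USER alice\r\n"
    b"2021-02-20 10:02:41 USER " + b"A" * 300 + b"\x90\x90\xcc\xeb\x06" + b"\r\n"
)

USER_ENTRY = re.compile(rb"USER\s+(.*)$")


def suspicious_user_entries(data: bytes, max_len: int = MAX_USER_LEN):
    """Return (line_no, length, non_printable_count) for every USER entry
    that exceeds max_len or contains bytes outside printable ASCII."""
    findings = []
    for line_no, raw in enumerate(data.splitlines(), start=1):
        match = USER_ENTRY.search(raw)
        if not match:
            continue
        user = match.group(1)
        non_printable = sum(1 for b in user if not 0x20 <= b < 0x7F)
        if len(user) > max_len or non_printable:
            findings.append((line_no, len(user), non_printable))
    return findings


def scan_file(path, max_len: int = MAX_USER_LEN):
    """Read the log as raw bytes (it may not be valid text) and scan it."""
    return suspicious_user_entries(Path(path).read_bytes(), max_len)


def clear_log(path) -> int:
    """Empty the log in place rather than deleting it, so the service can
    keep writing to it without needing permission to recreate the file.
    Returns the resulting file size (0 on success)."""
    p = Path(path)
    p.write_bytes(b"")
    return p.stat().st_size


def demo(tmp_dir=None):
    """Round trip on the constructed sample: scan, clear, rescan.
    Returns (findings_before, size_after_clear, findings_after)."""
    fd, path = tempfile.mkstemp(prefix="SamiFTP.", suffix=".binlog", dir=tmp_dir)
    os.close(fd)
    try:
        Path(path).write_bytes(SAMPLE_LOG)
        before = scan_file(path)
        size = clear_log(path)
        after = scan_file(path)
    finally:
        os.unlink(path)
    return before, size, after


if __name__ == "__main__":
    before, size, after = demo()
    for line_no, length, non_printable in before:
        print(f"line {line_no}: USER value {length} bytes, "
              f"{non_printable} non-printable -> suspicious")
    print(f"after clearing: size={size} bytes, findings={after}")
```

Run it against a real log with `scan_file(r"C:\path\to\SamiFTP.binlog")` before deciding whether to clear it; note that clearing also discards legitimate log history, so copy the file elsewhere first if it is needed for incident forensics.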
This module has been tested successfully on Sami FTP Server versions:
Verification Steps
Download:
Metasploit:
msfconsole
use exploit/windows/ftp/sami_ftpd_user
set rhosts <rhosts>
exploit
Options
Scenarios
KarjaSoft Sami FTP Server version 2.0.2 on Windows 10 (1909) (x64)