From 163d3e771b8baac05671aa6fa028d67d1182af93 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Mon, 17 Jun 2013 15:48:34 -0500
Subject: [PATCH 1/2] Handle connect_login return value properly
Some modules ignore connect_login's return value, which may result an EOF if send_cmd() is used later on. All the modules fixed are the ones require auth according to the module description, or CVE/vendor/OSVDB info.
---
 modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb | 3 ++-
 modules/exploits/windows/ftp/ability_server_stor.rb | 3 ++-
 modules/exploits/windows/ftp/cesarftp_mkd.rb | 3 ++-
 modules/exploits/windows/ftp/filecopa_list_overflow.rb | 3 ++-
 modules/exploits/windows/ftp/globalscapeftp_input.rb | 3 ++-
 modules/exploits/windows/ftp/httpdx_tolog_format.rb | 3 ++-
 modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb | 3 ++-
 modules/exploits/windows/ftp/servu_chmod.rb | 3 ++-
 modules/exploits/windows/ftp/servu_mdtm.rb | 4 ++--
 modules/exploits/windows/ftp/slimftpd_list_concat.rb | 2 ++
 modules/exploits/windows/ftp/turboftp_port.rb | 3 ++-
 modules/exploits/windows/ftp/wftpd_size.rb | 3 ++-
 modules/exploits/windows/ftp/wsftp_server_503_mkd.rb | 3 ++-
 modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb | 3 ++-
 14 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb b/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb
index abe5c91903..42376136df 100644
--- a/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb
+++ b/modules/auxiliary/scanner/ftp/titanftp_xcrc_traversal.rb
@@ -54,7 +54,8 @@ class Metasploit3 < Msf::Auxiliary
 def run_host(ip)
- connect_login
+ c = connect_login
+ return if not c
 path = datastore['TRAVERSAL'] + datastore['PATH']
diff --git a/modules/exploits/windows/ftp/ability_server_stor.rb b/modules/exploits/windows/ftp/ability_server_stor.rb
index cfeb71b509..e7c29da301 100644
--- a/modules/exploits/windows/ftp/ability_server_stor.rb
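Review bot: `return if not c` on the second added line of run_host is the non-idiomatic negation; Ruby convention is `return unless c`, and a descriptive name such as `logged_in = connect_login` would read better than `c`. The same pair of added lines recurs in every other hunk of this patch (ability_server_stor, cesarftp_mkd, filecopa_list_overflow, globalscapeftp_input, httpdx_tolog_format, oracle9i_xdb_ftp_unlock, servu_chmod, servu_mdtm, slimftpd_list_concat, turboftp_port, wftpd_size, wsftp_server_503_mkd, wsftp_server_505_xmd5), so the same rewording applies there. The early return also leaves the module silent about why the host was skipped unless connect_login itself reports the failure, and if a rejected login leaves the socket open it is not closed on this path; for the scanner a `print_error` plus `disconnect` before returning, and for the exploit modules `fail_with(Failure::NoAccess, 'Login failed')` where the framework provides fail_with, would make the outcome explicit. run_host continues past the end of the hunk.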
+++ b/modules/exploits/windows/ftp/ability_server_stor.rb
@@ -91,7 +91,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def exploit
- connect_login
+ c = connect_login
+ return if not c
 myhost = datastore['LHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['LHOST']
diff --git a/modules/exploits/windows/ftp/cesarftp_mkd.rb b/modules/exploits/windows/ftp/cesarftp_mkd.rb
index 01808aba44..623ba5815a 100644
--- a/modules/exploits/windows/ftp/cesarftp_mkd.rb
+++ b/modules/exploits/windows/ftp/cesarftp_mkd.rb
@@ -70,7 +70,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def exploit
- connect_login
+ c = connect_login
+ return if not c
 sploit = "\n" * 671 + rand_text_english(3, payload_badchars)
 sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded
diff --git a/modules/exploits/windows/ftp/filecopa_list_overflow.rb b/modules/exploits/windows/ftp/filecopa_list_overflow.rb
index c5cb6daa18..ee27584f01 100644
--- a/modules/exploits/windows/ftp/filecopa_list_overflow.rb
+++ b/modules/exploits/windows/ftp/filecopa_list_overflow.rb
@@ -47,7 +47,8 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit
- connect_login
+ c = connect_login
+ return if not c
 print_status("Trying target #{target.name}...")
diff --git a/modules/exploits/windows/ftp/globalscapeftp_input.rb b/modules/exploits/windows/ftp/globalscapeftp_input.rb
index 473e949ac2..c6406f8860 100644
--- a/modules/exploits/windows/ftp/globalscapeftp_input.rb
+++ b/modules/exploits/windows/ftp/globalscapeftp_input.rb
@@ -51,7 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def exploit
- connect_login
+ c = connect_login
+ return if not c
 buf = make_nops(3047)
 buf[2043, 4] = [ target.ret ].pack('V')
diff --git a/modules/exploits/windows/ftp/httpdx_tolog_format.rb b/modules/exploits/windows/ftp/httpdx_tolog_format.rb
index 16907d90f9..329679c6c4 100644
--- a/modules/exploits/windows/ftp/httpdx_tolog_format.rb
+++ b/modules/exploits/windows/ftp/httpdx_tolog_format.rb
@@ -173,7 +173,8 @@ For now, that will have to be done manually.
 end
 # proceed with chosen target...
- connect_login
+ c = connect_login
+ return if not c
 # '\n PWD '
 ip_length = Rex::Socket.source_address(datastore['RHOST']).length
diff --git a/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb b/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb
index 863a0a5839..8117dad44c 100644
--- a/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb
+++ b/modules/exploits/windows/ftp/oracle9i_xdb_ftp_unlock.rb
@@ -76,7 +76,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def exploit
- connect_login
+ c = connect_login
+ return if not c
 print_status("Trying target #{target.name}...")
diff --git a/modules/exploits/windows/ftp/servu_chmod.rb b/modules/exploits/windows/ftp/servu_chmod.rb
index 8e62006150..8802bf2bcb 100644
--- a/modules/exploits/windows/ftp/servu_chmod.rb
+++ b/modules/exploits/windows/ftp/servu_chmod.rb
@@ -67,7 +67,8 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit
- connect_login
+ c = connect_login
+ return if not c
 eggoptions = {
diff --git a/modules/exploits/windows/ftp/servu_mdtm.rb b/modules/exploits/windows/ftp/servu_mdtm.rb
index 3f2ae6ecf3..629f5849c0 100644
--- a/modules/exploits/windows/ftp/servu_mdtm.rb
+++ b/modules/exploits/windows/ftp/servu_mdtm.rb
@@ -129,8 +129,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def exploit
-
- connect_login
+ c = connect_login
+ return if not c
 print_status("Trying target #{target.name}...")
diff --git a/modules/exploits/windows/ftp/slimftpd_list_concat.rb b/modules/exploits/windows/ftp/slimftpd_list_concat.rb
index 6d72f99cea..68856d6bf0 100644
--- a/modules/exploits/windows/ftp/slimftpd_list_concat.rb
+++ b/modules/exploits/windows/ftp/slimftpd_list_concat.rb
@@ -53,6 +53,8 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit
 connect_login
+ c = connect_login
+ return if not c
 print_status("Trying target #{target.name}...")
diff --git a/modules/exploits/windows/ftp/turboftp_port.rb b/modules/exploits/windows/ftp/turboftp_port.rb
index a85def636c..e08f399884 100644
--- a/modules/exploits/windows/ftp/turboftp_port.rb
+++ b/modules/exploits/windows/ftp/turboftp_port.rb
@@ -145,7 +145,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 print_status("Selected Target: #{my_target.name}")
- connect_login
+ c = connect_login
+ return if not c
 rop_chain = create_rop_chain(target['ver'])
 rop = rop_chain.unpack('C*').join(',')
diff --git a/modules/exploits/windows/ftp/wftpd_size.rb b/modules/exploits/windows/ftp/wftpd_size.rb
index 5095327188..a057ac5f88 100644
--- a/modules/exploits/windows/ftp/wftpd_size.rb
+++ b/modules/exploits/windows/ftp/wftpd_size.rb
@@ -50,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def exploit
- connect_login
+ c = connect_login
+ return if not c
 sploit = "/" + make_nops(525 - payload.encoded.length)
 sploit << payload.encoded + [target.ret].pack('V')
diff --git a/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb b/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb
index d91e271193..c0cc234b5d 100644
--- a/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb
+++ b/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb
@@ -62,7 +62,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def exploit
- connect_login
+ c = connect_login
+ return if not c
 print_status("Trying target #{target.name}...")
diff --git a/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb b/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb
index 5bf5e94df4..4df5a98fa1 100644
--- a/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb
+++ b/modules/exploits/windows/ftp/wsftp_server_505_xmd5.rb
@@ -56,7 +56,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def exploit
- connect_login
+ c = connect_login
+ return if not c
 print_status("Trying target #{target.name}...")
From 820f589df091965abb0867868eb3754e9c964798 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Mon, 17 Jun 2013 15:52:53 -0500
Subject: [PATCH 2/2] Missed this one.
---
 modules/exploits/windows/ftp/slimftpd_list_concat.rb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/exploits/windows/ftp/slimftpd_list_concat.rb b/modules/exploits/windows/ftp/slimftpd_list_concat.rb
index 68856d6bf0..71c01c8eff 100644
--- a/modules/exploits/windows/ftp/slimftpd_list_concat.rb
+++ b/modules/exploits/windows/ftp/slimftpd_list_concat.rb
@@ -52,7 +52,6 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def exploit
- connect_login
 c = connect_login
 return if not c