Metasploit Plugin for EasyFTP Server Exploit
Update: The module has been added to the Metasploit tree. Thanks to jduck for cleaning it up and generalizing it! View it here; now just run svn update to get the module.
In my previous post, I detailed my efforts and solution for injecting a Meterpreter payload into a 260-byte buffer. I mentioned that if I had the time, I would try to port the exploit to Metasploit itself, considering I had targeted my technique at the Metasploit-specific payload anyway.
I found some time and have made my module available below. There are several things that could still be improved in this exploit:
- rewrite fixRet so that it occupies less space, and use Metasm to assemble it on the fly
- use JMP ESP/EBP-type return addresses to help with porting to other versions of Windows
EasyFTP Server is an obscure FTP server, which makes it great for playing around with memory corruption vulnerabilities, but it probably isn't something anyone is going to see in a pentest any time soon. I decided against spending the time required to generalize the exploit to versions of Windows beyond XP SP3 English and EasyFTP versions beyond 1.7.0.2. I ported the exploit as an exercise and also in the hope that someone may find my experience helpful should they try something similar.
I tested the exploit module against Metasploit 3.4.0-dev, r9112. If it's failing on an older version, try upgrading first.
Get easyftp_cwd_fixret.rb (put it in [your_metasploit_dir]/modules/exploits/windows/ftp)
Cheat sheet:
$ ./msfconsole
use windows/ftp/easyftp_cwd_fixret
set RHOST [target's IP address]
set PAYLOAD [your_payload]
[set options applicable to your payload]
exploit
Paul Makowski
I'm an MSISTM student at Carnegie Mellon's Information Networking Institute (INI). I enjoy breaking things more than building them; I use this blog to publish my successes at putting things back together.