Rapid7 Vulnerability & Exploit Database

ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability

Back to Search

ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability

Disclosed
06/08/2012
Created
05/30/2018

Description

This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially crafted format string specifier as a username. The crafted username is sent to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code. The SEH exit function is preferred so that the administrators are not left with an unhandled exception message. When using the meterpreter payload, the process will never die, allowing for continuous exploitation.

Author(s)

  • ChaoYi Huang <ChaoYi.Huang@connect.polyu.hk>
  • rick2600 <rick2600@corelan.be>
  • mr_me <mr_me@corelan.be>
  • corelanc0d3r <peter.ve@corelan.be>

Platform

Windows

Architectures

x86

Development

References

  • OSVDB-82798
  • EDB-19024

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/ftp/comsnd_ftpd_fmtstr
msf exploit(comsnd_ftpd_fmtstr) > show targets
    ...targets...
msf exploit(comsnd_ftpd_fmtstr) > set TARGET < target-id >
msf exploit(comsnd_ftpd_fmtstr) > show options
    ...show and set options...
msf exploit(comsnd_ftpd_fmtstr) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;