ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability
Description
This module exploits the ComSndFTP FTP Server version 1.3.7 beta by sending a specially crafted format string specifier as a username. The crafted username is sent to the server to overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code. The SEH exit function is preferred so that the administrators are not left with an unhandled exception message. When using the meterpreter payload, the process will never die, allowing for continuous exploitation.
Author(s)
- ChaoYi Huang <ChaoYi.Huang@connect.polyu.hk>
- rick2600 <rick2600@corelan.be>
- mr_me <mr_me@corelan.be>
- corelanc0d3r <peter.ve@corelan.be>
Platform
Windows
Architectures
x86
Development
References
- OSVDB-82798
- EDB-19024
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/ftp/comsnd_ftpd_fmtstr
msf exploit(comsnd_ftpd_fmtstr) > show targets
...targets...
msf exploit(comsnd_ftpd_fmtstr) > set TARGET < target-id >
msf exploit(comsnd_ftpd_fmtstr) > show options
...show and set options...
msf exploit(comsnd_ftpd_fmtstr) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security