Over the past few weeks, Corelan Team<\/a> has given its undivided attention to fuzzing ftp client applications.<\/p>\n Using a custom built ftp client fuzzer, now part of the Metasploit<\/a> framework (svn r10658 and up), the team has audited several ftp clients and applications that use an embedded client ftp component. One example of such an application is a tool that would synchronize \/ backup data from a computer to a remote ftp server.<\/p>\n The 3 main audit\/attack vectors that were used during the "project" were<\/p>\n As mentioned earlier, in order to facilitate the initiative and fuzzing process, a custom ftp client fuzzer was implemented as a Metasploit module. Since this fuzzer was added to the Metasploit trunk, you can get a copy of the module by installing\/updating the svn (trunk) version of metasploit :<\/p>\n When the process completes, you\u2019ll have a copy of a svn version of Metasploit in \/pentest\/exploits\/trunk.<\/p>\n I used the \/pentest\/exploits folder because that folder is where metasploit3 (and some other stuff) is located in BackTrack 4<\/a>.<\/p>\n If all went well, you should find a file called \u201cclient_ftp.rb\u201d under \/pentest\/exploits\/trunk\/modules\/auxiliary\/fuzzers\/ftp.<\/p>\n Note : you can keep your (svn) copy of Metasploit up to date using one of the following techniques :<\/p>\n From the command line :<\/p>\n \n <\/p>\n The fuzzer acts as an ftp server and is designed to send specific responses back to the connected ftp client. The module can handle PASV connections.<\/p>\n This is how you can launch the fuzzer from inside a Metasploit console, and list the available options :<\/p>\n (I used the -n option to load msfconsole without database support, which makes the console load a little faster)<\/span><\/em><\/p>\n Let\u2019s take a look at the available options :<\/p>\n Starting the fuzzer, once all required settings have been defined, is very simple :<\/p>\n The server will now run in the background, and will continue to run until you cancel it.<\/p>\n As soon as a client connects, some logging will be written to the Metasploit console, so you can trace back what happens and find out how long the fuzzdata payload was at the time the ftp client crashed :<\/p>\n If you want to change some of the settings, simply press CTRL+C, change the options, and issue "run" again.<\/p>\n Using the Metasploit module, Corelan Team has discovered more than a dozen ftp client applications that were vulnerable. A lot of older applications appeared to be vulnerable to classic stack based buffer overflows \/ memory corruption, but also a number of more recent applications were found vulnerable too. In any case, we tested the most up-to-date versions of the ftp clients, available at the time of the tests (august\/september 2010).<\/p>\n All tests were performed with clients running on XP SP3 English, with IE7, fully patched.<\/p>\n In most cases, the discovered buffer overflows got triggered by the file \/ folder names that were returned to the client. Sending back a long filename either crashed the ftp client right away, or made the ftp client crash when attempting to open or download the file. In other cases, buffer overflows were triggered in the response to CWD or PWD commands.<\/p>\n Based on the results of the project, it looks like a lot of developers assumed that files and\/or folders cannot be longer than 255 characters\u2026 While this is probably true for a real file system, it is not necessarily true when you have to parse and process a string that was sent back from an FTP server to the client.<\/p>\n Please, dear developers, don\u2019t just assume. Treat all input as evil and sanitize\/check buffer lengths before processing input.<\/p>\n<\/blockquote>\n An overview of the vulnerable applications that can be exploited (more or less reliably, unless stated otherwise) :<\/p>\n\n
The fuzzer<\/h3>\n
cd \/pentest\/exploits\nsvn co https:\/\/metasploit.com\/svn\/framework3\/trunk\/<\/pre>\n
\n
cd \/pentest\/exploits\nsvn co https:\/\/metasploit.com\/svn\/framework3\/trunk\/<\/pre>\n
From within msfconsole : <\/p>\nmsfupdate<\/pre>\n<\/blockquote>\n
root@bt:\/pentest\/exploits\/trunk# .\/msfconsole -n<\/span><\/strong>\n[-] ***\n[-] * WARNING: No database support: String User Disabled Database Support\n[-] ***\n\n _\n | | o\n _ _ _ _ _|_ __, , _ | | __ _|_\n\/ |\/ |\/ | |\/ | \/ | \/ \\_|\/ \\_|\/ \/ \\_| |\n | | |_\/|__\/|_\/\\_\/|_\/ \\\/ |__\/ |__\/\\__\/ |_\/|_\/\n \/|\n \\|\n\n =[ metasploit v3.4.2-dev [core:3.4 api:1.0]\n+ -- --=[ 603 exploits - 302 auxiliary\n+ -- --=[ 225 payloads - 27 encoders - 8 nops\n =[ svn r10370 updated today (2010.09.18)\n\nmsf > use auxiliary\/fuzzers\/ftp\/client_ftp<\/span><\/strong>\nmsf auxiliary(client_ftp) > show options<\/span><\/strong>\n\nModule options:\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n CYCLIC true yes Use Cyclic pattern instead of A's (fuzzing payload).\n ENDSIZE 200000 yes Max Fuzzing string size.\n ERROR false yes Reply with error codes only\n EXTRALINE true yes Add extra CRLF's in response to LIST\n FUZZCMDS LIST,NLST,LS,RETR yes Comma separated list of commands to fuzz.\n RESET true yes Reset fuzzing values after client disconnects with QUIT cmd.\n SRVHOST 0.0.0.0 yes The local host to listen on.\n SRVPORT 21 yes The local port to listen on.\n SSL false no Negotiate SSL for incoming connections\n SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)\n STARTSIZE 1000 yes Fuzzing string startsize.\n STEPSIZE 1000 yes Increment fuzzing string each attempt.\n WELCOME Evil FTP Server Ready yes FTP Server welcome message.\n\nmsf auxiliary(client_ftp) ><\/pre>\n\n
msf auxiliary(client_ftp) > run<\/span><\/strong>\n\n[*] Server started.<\/pre>\n[*] Client connected : 192.168.0.188\n[*] - Set up active data port 20\n[*] Sending response for 'WELCOME' command, arg\n[*] Sending response for 'USER' command, arg test\n[*] Sending response for 'PASS' command, arg test\n[*] - Set up active data port 16011\n[*] Sending response for 'PORT' command, arg 192,168,0,188,62,139\n[*] Handling NLST command\n[*] - Establishing active data connection\n[*] - Data connection set up\n[*] * Fuzzing response for LIST, payload length 1000\n[*] (i) Setting next payload size to 2000\n[*] - Sending directory list via data connection<\/pre>\n
The results<\/h3>\n
\n