rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Method "check" in proftp_telnet_iac.rb (linux/ftp/proftp_telnet_iac) failed detect vulnerable for ProFTPD 1.3.3 #14848

Closed capme closed 3 years ago

capme commented 3 years ago

Steps to reproduce

How'd you do it?

  1. Create test target on local laptop ProFTPD 1.3.3
    $ sudo docker run -p 2021:2021 proftpd_vuln:latest
    - using TCP receive buffer size of 131072 bytes
    - using TCP send buffer size of 16384 bytes
    - <IfModule>: using 'mod_ident.c' section at line 32
    - <Directory />: adding section for resolved path '/'
    172.17.0.2 - 
    172.17.0.2 - Config for ProFTPD TEST Installation:
    172.17.0.2 - /
    172.17.0.2 -  AllowOverwrite
    172.17.0.2 -  TransferLog
    172.17.0.2 -  RequireValidShell
    172.17.0.2 -  UseFtpUsers
    172.17.0.2 -  WtmpLog
    172.17.0.2 -  Umask
    172.17.0.2 - DefaultServer
    172.17.0.2 - UserID
    172.17.0.2 - UserName
    172.17.0.2 - GroupID
    172.17.0.2 - GroupName
    172.17.0.2 - AuthUserFile
    172.17.0.2 - AuthGroupFile
    172.17.0.2 - PidFile
    172.17.0.2 - TransferLog
    172.17.0.2 - RequireValidShell
    172.17.0.2 - UseFtpUsers
    172.17.0.2 - WtmpLog
    172.17.0.2 - IdentLookups
    172.17.0.2 - Umask
    172.17.0.2 - ProFTPD 1.3.3 (stable) (built Tue Mar 2 2021 06:47:05 UTC) standalone mode STARTUP
  2. Open msfconsole (metasploit v6.0.33-dev-)
  3. Use module exploit/linux/ftp/proftp_telnet_iac
  4. set RHOSTS localhost
  5. set RPORT 2021
  6. run check
  7. It says, [*] 127.0.0.1:2021 - The target is not exploitable.

MSF console:

msf6 > use exploit/linux/ftp/proftp_telnet_iac
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/ftp/proftp_telnet_iac) > set RHOSTS localhost
RHOSTS => localhost
msf6 exploit(linux/ftp/proftp_telnet_iac) > set RPORT 2021
RPORT => 2021
msf6 exploit(linux/ftp/proftp_telnet_iac) > check
[*] 127.0.0.1:2021 - The target is not exploitable.
msf6 exploit(linux/ftp/proftp_telnet_iac) > 

Expected behavior

I'm using NSE script https://github.com/nmap/nmap/blob/master/scripts/ftp-vuln-cve2010-4221.nse to check whether it's vulnerable or not. According to this NSE script, ProFTPD 1.3.3 should be vulnerable.

Nmap NSE script result:

Initiating NSE at 09:50
Completed NSE at 09:50, 0.00s elapsed
Nmap scan report for localhost (127.0.0.1)
Host is up, received localhost-response (0.000057s latency).
Scanned at 2021-03-03 09:50:05 WIB for 1s

PORT     STATE SERVICE REASON         VERSION
2021/tcp open  ftp     syn-ack ttl 64 ProFTPD 1.3.3
| ftp-vuln-cve2010-4221: 
|   VULNERABLE:
|   ProFTPD server TELNET IAC stack overflow
|     State: VULNERABLE
|     IDs:  CVE:CVE-2010-4221  OSVDB:68985  BID:44562
|     Risk factor: High  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|       ProFTPD server (version 1.3.2rc3 through 1.3.3b) is vulnerable to
|       stack-based buffer overflow. By sending a large number of TELNET_IAC
|       escape sequence, a remote attacker will be able to corrupt the stack and
|       execute arbitrary code.
|     Disclosure date: 2011-11-2
|     References:
|       http://www.metasploit.com/modules/exploit/freebsd/ftp/proftp_telnet_iac
|       http://osvdb.org/68985
|       http://www.securityfocus.com/bid/44562
|       http://bugs.proftpd.org/show_bug.cgi?id=3521
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4221
Service Info: OS: Unix
Final times for host: srtt: 57 rttvar: 5000  to: 100000

Logs on the target:

172.17.0.3 - ProFTPD 1.3.3 (stable) (built Mon Mar 1 2021 05:43:48 UTC) standalone mode STARTUP
172.17.0.3 (::ffff:172.17.0.1[::ffff:172.17.0.1]) - session requested from client in unknown class
172.17.0.3 (::ffff:172.17.0.1[::ffff:172.17.0.1]) - connected - local  : ::ffff:172.17.0.3:2021
172.17.0.3 (::ffff:172.17.0.1[::ffff:172.17.0.1]) - connected - remote : ::ffff:172.17.0.1:36300
172.17.0.3 (::ffff:172.17.0.1[::ffff:172.17.0.1]) - FTP session opened.
172.17.0.3 (::ffff:172.17.0.1[::ffff:172.17.0.1]) - FTP session closed.
172.17.0.3 (::ffff:172.17.0.1[::ffff:172.17.0.1]) - session requested from client in unknown class
172.17.0.3 (::ffff:172.17.0.1[::ffff:172.17.0.1]) - connected - local  : ::ffff:172.17.0.3:2021
172.17.0.3 (::ffff:172.17.0.1[::ffff:172.17.0.1]) - connected - remote : ::ffff:172.17.0.1:36304
172.17.0.3 (::ffff:172.17.0.1[::ffff:172.17.0.1]) - FTP session opened.
*** stack smashing detected ***: <unknown> terminated

Current behavior

The target is not exploitable using the check command:

[*] 127.0.0.1:2021 - The target is not exploitable.

Metasploit version

$ msfconsole --version
Framework Version: 6.0.33-dev-

Additional Information

I'm already creating the fix for the check method based on the NSE script (attached: proftp_telnet_iac.zip).
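As an added example (not the Metasploit module's check code and not the NSE script), here is a banner-based Ruby version check that applies the affected range the nmap output above lists for CVE-2010-4221, 1.3.2rc3 through 1.3.3b inclusive. The sample 220 greeting is constructed, and the ordering of release candidates before the final release and lettered releases after it is an assumption about ProFTPD's version scheme.

```ruby
# Parse a ProFTPD version string ("1.3.3", "1.3.2rc3", "1.3.3b") into an array
# that compares element-wise. Assumed ordering within one numeric version:
# rcN (stage 0) < final release (stage 1) < lettered maintenance release (stage 2).
def parse_proftpd_version(str)
  m = /\A(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?\z/.match(str.strip.downcase)
  return nil unless m
  nums = [m[1], m[2], m[3]].map(&:to_i)
  stage =
    if m[4] then [0, m[4].to_i]                 # release candidate
    elsif m[5] then [2, m[5].ord - 'a'.ord + 1] # 1.3.3a => 1, 1.3.3b => 2, ...
    else [1, 0]                                 # plain final release
    end
  nums + stage
end

# Affected range as reported by the ftp-vuln-cve2010-4221 NSE output.
AFFECTED_FIRST = parse_proftpd_version('1.3.2rc3')
AFFECTED_LAST  = parse_proftpd_version('1.3.3b')

# Pull the version out of the server greeting, if ServerIdent exposes one.
def proftpd_version_from_banner(banner)
  m = /ProFTPD\s+(\d+\.\d+\.\d+(?:rc\d+|[a-z])?)/i.match(banner)
  m && m[1]
end

# :vulnerable if the banner version lies inside the affected range,
# :not_vulnerable if it lies outside, :unknown if no usable version was shown.
def cve_2010_4221_status(banner)
  ver = proftpd_version_from_banner(banner)
  return :unknown unless ver
  v = parse_proftpd_version(ver)
  return :unknown unless v
  in_range = (AFFECTED_FIRST <=> v) <= 0 && (v <=> AFFECTED_LAST) <= 0
  in_range ? :vulnerable : :not_vulnerable
end

# Constructed sample greeting modelled on the 1.3.3 test target in this report.
SAMPLE_BANNER = '220 ProFTPD 1.3.3 Server (ProFTPD TEST Installation) [::ffff:172.17.0.3]'

puts "#{SAMPLE_BANNER.inspect} => #{cve_2010_4221_status(SAMPLE_BANNER)}" if $PROGRAM_NAME == __FILE__
```

A banner match is only as reliable as the advertised version string, so a server with ServerIdent disabled or a backported fix yields :unknown or a false result, which is why the NSE script confirms with an active probe instead.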

capme commented 3 years ago

This issue is related to this PR: https://github.com/rapid7/metasploit-framework/pull/14856