Microsoft IIS FTP Server Encoded Response Overflow Trigger | Metasploit Exploit Database (DB)

Microsoft IIS FTP Server Encoded Response Overflow Trigger

This module triggers a heap overflow when processing a specially crafted FTP request containing Telnet IAC (0xff) bytes. When constructing the response, the Microsoft IIS FTP Service overflows the heap buffer with 0xff bytes. This issue can be triggered pre-auth and may in fact be explotiable for remote code execution.

Search Other Modules


Rank

  • Normal

Authors

  • Matthew Bergin < >
  • jduck < jduck [at] metasploit.com >

Vulnerability References


Development


Similar Modules


Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use auxiliary/dos/windows/ftp/iis75_ftpd_iac_bof
msf auxiliary(iis75_ftpd_iac_bof) > set RHOST [TARGET IP]
msf auxiliary(iis75_ftpd_iac_bof) > run


Module Options

RHOST The target address
RPORT The target port (default: 21)
CHOST The local client address
CPORT The local client port
ConnectTimeout Maximum number of seconds to establish a TCP connection
Proxies Use a proxy chain
SSL Negotiate SSL for outgoing connections
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
VERBOSE Enable detailed status messages
WORKSPACE Specify the workspace for this module
TCP::max_send_size Maxiumum tcp segment size. (0 = disable)
TCP::send_delay Delays inserted before every send. (0 = disable)